CountLoader Malware Campaign Delivers Crypto Clipper via JavaScript and PowerShell
Severity: High (Score: 64.5)
Sources: Cybersecuritynews, Gbhackers
Keywords: malware, campaign, clipper, uses, javascript, powershell, crypto
Severity indicators: malware
Summary
A large-scale malware campaign utilizing CountLoader has been discovered, deploying cryptocurrency clipper malware through a sophisticated infection chain. The attackers employ layered obfuscation and multi-stage payload delivery, leveraging JavaScript, PowerShell, and in-memory shellcode execution to evade detection. This campaign targets users globally, siphoning off cryptocurrency without detection. The attack begins with a malicious executable that initiates the infection process. Researchers have noted the complexity of the infection chain, which allows for persistence on infected systems. The scope of the impact is significant, affecting numerous users and potentially leading to substantial financial losses. The campaign is ongoing, with no immediate mitigation strategies reported.

Key Points:
- CountLoader campaign employs multi-stage payload delivery to deploy crypto clipper malware.
- Attackers use JavaScript, PowerShell, and shellcode to maintain persistence and evade detection.
- The malware campaign is actively draining cryptocurrency from users worldwide.
Detailed Analysis
**Impact**
Cryptocurrency users worldwide are targeted by this campaign, with attackers intercepting and redirecting crypto transactions to steal funds. The scope includes a large-scale infection across multiple geographies, though exact numbers and affected sectors are not specified. The primary data at risk is users' cryptocurrency wallet information and transaction data, leading to direct financial losses.

**Technical Details**
The attack begins with a malicious executable that initiates a multi-stage infection chain involving JavaScript, PowerShell scripts, and in-memory shellcode execution. CountLoader serves as the loader, employing layered obfuscation and covert command-and-control (C2) communication to deploy the crypto clipper malware. No specific CVEs or infrastructure details are provided. The campaign uses evasion techniques to maintain persistence and avoid detection.

**Recommended Response**
Defenders should monitor for unusual PowerShell activity and JavaScript execution originating from unexpected sources. Deploy detections for multi-stage loaders and in-memory shellcode behavior. Block known indicators of compromise if available from threat intelligence feeds. Apply strict execution policies for scripts and limit user permissions to reduce infection risk. No specific patches or IOCs were detailed in the reports.
Source articles (2)
- Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper — Cybersecuritynews · 2026-05-19
  A wave of well-crafted malware is quietly draining cryptocurrency from users across the globe, and the attackers behind it have gone to great lengths to stay hidden. Researchers have uncovered a large…
- JavaScript Malware Campaign Drops Crypto Clipper via PowerShell — Gbhackers · 2026-05-19
  A large-scale CountLoader campaign that uses layered obfuscation, multi-stage payload delivery, and covert command-and-control (C2) communication to deploy cryptocurrency clipper malware. The campaign…
Timeline
- 2026-05-19 — CountLoader campaign identified: Researchers uncovered a large-scale malware campaign using CountLoader to deliver cryptocurrency clipper malware.
- 2026-05-19 — Malware delivery method detailed: The campaign utilizes JavaScript, PowerShell, and in-memory shellcode for a complex infection chain.
Related entities
- Malware (Attack Type)
- CountLoader (Malware)
- Crypto Clipper (Malware)
- T1027 - Obfuscated Files or Information (MITRE ATT&CK)
- T1055 - Process Injection (MITRE ATT&CK)
- T1059.001 - PowerShell (MITRE ATT&CK)
- T1059.007 - JavaScript (MITRE ATT&CK)
- T1071 - Application Layer Protocol (MITRE ATT&CK)
- PowerShell (Tool)