Researchers have disclosed details of a recent campaign that used websites distributing cracked software to deliver a new iteration of CountLoader, a stealthy, modular malware loader. The loader has been observed in the wild since at least June 2025.
The latest attack chain begins when unsuspecting users trying to download cracked versions of legitimate programs such as Microsoft Word are redirected to a malicious ZIP archive. The disclosure coincides with Check Point's report on GachiLoader, a new, heavily obfuscated JavaScript malware loader written for Node.js. That malware is distributed through the YouTube Ghost Network, a network of hijacked YouTube accounts used to spread malware.
CountLoader's final payload is ACR Stealer, an information stealer that can exfiltrate sensitive data from compromised hosts. According to Cyderes, "this campaign highlights CountLoader's ongoing evolution and increased sophistication, reinforcing the need for proactive detection and layered defense strategies." The YouTube campaign has led to as many as 100 videos being flagged; the earliest was posted on December 22, 2024, and the videos originated from 39 hijacked accounts.
GachiLoader has been used as a conduit for the Rhadamanthys information stealer in at least one instance. It performs a series of anti-analysis checks to evade detection before deploying additional payloads to the infected machine. "The threat actor responsible for GachiLoader showed mastery of Windows internals, coming up with a fresh take on a well-known method," Check Point stated in a blog post about the campaign, in which security researchers Sven Rath and Jaromě Hořejš dubbed the malware "GachiLoader." "This highlights the need for security researchers to stay up to date with malware techniques like PE injections," the company added.