Weedhack attack targets Minecraft players, and the CountLoader campaign infects 86 thousand devices. Details ... url-shortener.me/N2YB #مركز_الأمن_السيبراني_للابحاث_والدراسات
#threatreport #LowCompleteness What Recent Reporting Gets Right About The Gentlemen RaaS and What Silent Push Learned Months Earlier | 11-06-2026
Source: silentpush.com/blog/the-gent…
Key details below ↓
🧑‍💻Actors/Campaigns: Gentlemen_ransomware
💀Threats: Gentlemen_ransomware, Countloader, Cobalt_strike_tool, Blackbasta, Lockbit, Qilin_ransomware
🤖LLM extracted TTPs: T1059.001, T1059.007, T1190
🧨IOCs: - IP: 1
📜Programming Languages: powershell, jscript
#threatreport: The recent reporting on The Gentlemen ransomware operation has drawn attention to the methods and affiliations of this Ransomware-as-a-Service (RaaS) group, which has been active since mid-2025. Notably, an investigation identified links between a malware loader known as CountLoader and three notorious ransomware operations: Black Basta, LockBit, and Qilin. CountLoader, spotted in .NET, PowerShell, and JScript versions, has played a crucial role in the operational infrastructure of The Gentlemen. Silent Push analysts, in their research, noted how CountLoader led to the discovery of Cobalt Strike watermarks, specifically 1473793097 and 1357776117, which are unique identifiers tied to the same affiliate across different ransomware groups. Cobalt Strike's utilization of licensed instances, which carry unique identifiers, has facilitated persistent tracking of malicious actors despite changes in their RaaS affiliations. This tracking method has proven effective, allowing Silent Push to maintain continuous surveillance on the affiliate's activities over a three-year period. An important piece of intelligence from Silent Push was the identification of the IP address 91.107.247.163 as a Cobalt Strike command and control (C2) server. This was flagged in February 2026, and by April of the same year, it was confirmed by Check Point in relation to an intrusion tied to The Gentlemen operation. Silent Push's early warning system enabled clients to implement blocks against this IP address well ahead of time.
The analysis of the operational infrastructure used by The Gentlemen provides insights into their tactics. Affiliates of this ransomware have shown a preference for exploiting internet-facing VPN and firewall appliances to gain initial access to target networks. For organizations, this highlights the urgency of auditing and patching these entry points to mitigate risk. To bolster defenses against such advanced threats, it is recommended that enterprises utilize Cobalt Strike Indicators of Future Attack (IOFA) feeds available through Silent Push, which can be directly integrated into security systems like firewalls, Security Information and Event Management (SIEM), or Endpoint Detection and Response (EDR) platforms. This integration enabled proactive measures that placed clients ahead of intrusions by several weeks, demonstrating the importance of timely intelligence in counteracting sophisticated cyber threats.
🚨 Big red flags for gamers and downloaders this week. 🔸 Weedhack malware is hitting #Minecraft players via YouTube fake mods and clients, stealing accounts and enabling remote spying. 🔸 CountLoader has infected 86,000 systems through cracked software. 🔸 Pirated streaming si
🚨 Big red flags for gamers this week. Weedhack malware is targeting Minecraft players through fake mods on YouTube, CountLoader has compromised 86,000 systems via cracked software, and pirated streaming sites are quietly deploying crypto miners. #minecraftsaga #Infosec
Another campaign, CountLoader, has reportedly compromised 86K machines and deployed a crypto clipper that hijacks clipboard content to redirect crypto transactions. A fake mod or free tool can become the path to wallet data, exchange sessions and stolen transactions.
🚨 Big red flags for gamers and downloaders this week. 🔸 Weedhack malware is hitting Minecraft players via YouTube fake mods and clients, stealing accounts and enabling remote spying. 🔸 CountLoader has infected 86,000 systems through cracked software. 🔸 Pirated streaming sites are silently installing crypto miners. Read details: thehackernews.com/2026/06/we… Double-check every download.
VMRay Labs releases 7 new threat identifiers and 20 YARA rules targeting fake CAPTCHA campaigns, EvilTokens phishing kits, and AFD-based network evasion techniques. Enhanced AutoUI now handles multi-stage fake CAPTCHA overlays.
Key technical additions:
• New VTIs detect EvilTokens PhishKit behavior including device code polling and Microsoft login endpoint connections (microsoft[.]com/devicelogin)
• AFD endpoint network communication detection (\Device\Afd\Endpoint) - observed in ACRStealer campaigns using low-level Windows networking
• MIME type/filename extension mismatch detection (T1036) - flags executables masquerading as PDFs
• PowerShell firewall manipulation detection (T1685, T1059.001) targeting broad Windows Defender weakening
Malware coverage includes VoidStealer v2, InfinitiStealer (macOS), Eagerbee backdoor, CountLoader, and Axios supply chain RAT samples. New rules detect storage[.]googleapis phishing, pastejacking PowerShell drops, and suspicious QR codes in HTML.
Hunt for cmd.exe with fake/ambiguous arguments, AFD network handles in process listings, and PowerShell firewall profile modifications. #DFIR_Radar
Researchers have uncovered a large-scale campaign built around a multi-stage loader called CountLoader, which chains together #JavaScript, #PowerShell, and #Shellcode to deliver a payload that intercepts and redirects #crypto transactions.
McAfee Labs exposes a massive CountLoader campaign using EtherHiding and AMSI bypass to drop stealthy cryptocurrency clippers. Secure your assets! #CountLoader #CryptoClipper #EtherHiding #CyberSecurity #InfoSec #MalwareAnalysis #CryptoTheft securityonline.info/countloa…
McAfee found a large CountLoader campaign using multi-stage obfuscated delivery; sinkholing revealed 86,000 infections worldwide, about 5,000 hosts per minute, with USB spreading and a cryptocurrency clipper final payload. mcafee.com/blogs/other-blogs…
1/7 TrendAI™ researchers identified a large campaign cluster of LummaStealer deployed alongside Countloader malware primarily affecting the AMEA region. The campaign, which has been active since January 2026, shows sustained and coordinated operations.
Researchers Expose SVG and PureRAT Phishing Threats Targeting Ukraine and Vietnam A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and Pu... securityaid.co.uk/?p=37444&f…
Downloading cracked software or trusting random YouTube videos can open doors for sneaky malware like CountLoader and GachiLoader, which steal your info and avoid detection. Stay sharp — your security depends on it! 🛡️ #cybersecurity #malware Source: The Hacker News
CountLoader and GachiLoader Malware Campaigns Target Cracked Software Users cysecurity.news/2025/12/coun… #CyberAttacks #CyberDefender #cybersecurityrisks
🛑 Researchers uncovered a new malware campaign abusing cracked software sites to spread CountLoader. The loader uses fake ZIP files and trusted Windows tools to stay hidden, then deploys ACR Stealer to steal sensitive data. 🔗 Campaign details → thehackernews.com/2025/12/cr…
⚠️ New threat detected: CountLoader distributed via PDFs. CountLoader uses manipulated PDFs as a vector to deliver ransomware and serves both for initial access and for coordinating subsequent implants. It is available in .NET, PowerShell and JScript (the latter being the most complete). 💡 Recommendation: review how PDF attachments are handled, apply sandboxing for analysis and strengthen inbound mail controls. 🔗 Source: lnkd.in/eFeJRukJ