MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool in the arsenal of multiple threat actors, including the notorious TAG-124 (LandUpdate808) and SocGholish groups.
This malware, identified in phishing and drive-by download campaigns, employs advanced evasion techniques to bypass traditional security measures, making it a persistent challenge for defenders.
MintsLoader’s multi-stage infection chain, involving obfuscated JavaScript and PowerShell scripts, facilitates the deployment of second-stage payloads like GhostWeaver, StealC, and a modified Berkeley Open Infrastructure for Network Computing (BOINC) client.
.png
)
Its sophisticated design, marked by sandbox and virtual machine evasion tactics, a domain generation algorithm (DGA) for command-and-control (C2) communications, and HTTP-based interactions, underscores the increasing professionalization within the cybercriminal ecosystem.
Recorded Future’s Malware Intelligence Hunting has been pivotal in tracking MintsLoader’s dynamic infrastructure, revealing its frequent use across sectors like energy, legal, and industrial, particularly through phishing emails and fake browser update prompts.
Technical Intricacies of Evasion and Deployment
Delving into the technical underpinnings, MintsLoader operates through a meticulously crafted attack chain that begins with heavily obfuscated JavaScript (stage one), which executes PowerShell commands to retrieve a second-stage payload.
This PowerShell script performs environment checks to detect sandboxes or virtualized settings, using system queries like Win32_VideoController and Win32_CacheMemory to determine if it’s running on bare metal or an emulated environment.
Results influence a key variable sent to the C2 server, dictating whether a decoy or final payload is delivered.
The loader’s DGA generates daily C2 domains based on system date, complicating static detection and infrastructure monitoring efforts while its anti-analysis mechanisms thwart automated tools reliant on virtualization.
Campaigns observed between February 2024 and early 2025, as reported by Insikt Group and Orange Cyberdefense, highlight MintsLoader’s adaptability, with infection vectors ranging from invoice-themed lures via Italy’s PEC email system to fake CAPTCHA pages (ClickFix/KongTuke) tricking users into running malicious commands.
Notably, GhostWeaver, a PowerShell-based RAT often misclassified as AsyncRAT due to similar self-signed X.509 certificates, is a primary payload, alongside StealC and BOINC variants configured for malicious C2 connections.
MintsLoader’s infrastructure resilience is evident in its shift to bulletproof hosting providers like SCALAXY-AS and Stark Industries Solutions, a move likely aimed at evading takedowns.
This loader’s persistent obfuscation and adaptive strategies suggest it will remain a fixture in the malware landscape, offering cyber defenders both challenges and opportunities to disrupt operations at scale.
As threat actors continue leveraging MintsLoader for targeted attacks across North America and Europe, the cybersecurity community must prioritize dynamic threat hunting and real-time C2 tracking to counter its stealthy delivery of devastating payloads.
This malware exemplifies how specialization in cybercrime can amplify operational efficiency, urging a proactive stance to mitigate its impact before it proliferates further among diverse threat groups.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
