Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting


Summary
MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download campaigns as early as 2024. The loader commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.
MintsLoader has been observed being used by various threat groups; however, operators of TAG124 (also known as LandUpdate808) have used it extensively. The loader is deployed through multiple infection vectors, including phishing emails targeting the industrial, legal, and energy sectors (TAG124); compromised websites impersonating browser update prompts (SocGholish); and invoice-themed lures distributed via Italy's PEC (certified email) system.
MintsLoaderʼs use of obfuscation complicates static detections such as YARA rules, its use of DGA-based C2 infrastructure makes it difficult to maintain up-to-date watchlists or blocklists, and its anti-analysis techniques complicate host-based detections that rely on sandboxes or virtualization. But Recorded Futureʼs Malware Intelligence Hunting identifies new MintsLoader samples and associated C2 domains and provides an up-to-date list for blocklists or threat hunting.
MintsLoaderʼs persistent use of obfuscation, sandbox evasion, and adaptive infrastructure likely ensures its continued presence within the malware ecosystem, likely leading to increased use by additional threat actors. The malwareʼs role as a versatile delivery mechanism reflects the increasing professionalization and specialization within the cybercriminal community. While this growing sophistication benefits threat actors by enabling more resilient and efficient operations, it may simultaneously provide opportunities for defenders to identify and disrupt malicious activity more effectively and at scale.
Key Findings
MintsLoader's second-stage PowerShell script uses sandbox and virtual environment evasion techniques, reducing its susceptibility to automated analysis and increasing its likelihood of bypassing dynamic detection tools.
MintsLoader's use of a DGA to generate daily C2 domains based on the system date complicates infrastructure monitoring activity and domain/IP-based detections.
Recorded Future’s Malware Intelligence Hunting provides up-to-date C2 domains and other artifacts related to MintsLoader that would otherwise be hard to track due to its dynamic infrastructure.
Insikt Group shows that GhostWeaver is the primary payload deployed by MintsLoader across observed campaigns.
GhostWeaver’s self-signed X.509 certificates are similar to those of AsyncRAT and variants of AsyncRAT, leading to initial false associations with other malware families such as AsyncRAT.
Background
Orange Cyberdefense first detected MintsLoader in widespread distribution campaigns between July and October 2024. Insikt Group identified earlier campaigns in February 2024, based on Palo Altoʼs Unit42 analysis of a SocGholish infection.
The loader consists of JavaScript (stage one) and PowerShell (stage two) scripts retrieved from multiple DGA-based domains. The name "MintsLoader" is derived from its distinctive use of the URL parameter s=mints[NUMBER] (for example, s=mints11). MintsLoader is typically observed in campaigns delivering secondary payloads such as GhostWeaver, StealC, and the Berkeley Open Infrastructure for Network Computing (BOINC) client.
While MintsLoader is believed to be used by multiple threat actors, TAG124 (also known as LandUpdate808) infections have frequently been observed deploying MintsLoader. Additionally, threat actors using SocGholish were early adopters of MintsLoader, resulting in the initial assessment of MintsLoader campaigns as being exclusively associated with SocGholish. For example, in February 2024, Palo Alto's Unit42 released indicators linked to SocGholish (Figure 2); however, Insikt Group's analysis indicates that the URLs identified as delivering AsyncRAT also align with known MintsLoader URL patterns.
Similarly, in July 2024, Huntress Labs reported a SocGholish infection delivering a BOINC client. Notably, the URL used to download the BOINC matches known MintsLoader URL patterns. Figure 3 shows a high-level overview of the threat actors that use MintsLoader.
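Because the DGA rotates the C2 domain daily, a blocklist of hostnames goes stale quickly, whereas the s=mints[NUMBER] URL parameter described above has stayed constant across campaigns. The following is an added example, not code from the Recorded Future report, showing a simple proxy-log hunt keyed on that parameter rather than on the host; the log lines and hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not taken from the report):
# "<client_ip> <method> <url>". Hostnames are placeholders; only the
# query-string pattern matters for this check.
SAMPLE_LOG = """\
10.0.0.12 GET http://example-dga-host-1.test/1.php?s=mints11
10.0.0.12 GET http://example-dga-host-1.test/style.css
10.0.0.45 GET http://cdn.example.test/assets/app.js?s=minutes
10.0.0.77 GET http://example-dga-host-2.test/1.php?s=MINTS7
10.0.0.77 GET http://example-dga-host-2.test/1.php?id=mints3
"""

# MintsLoader's name comes from the parameter s=mints<NUMBER> (e.g. s=mints11).
# Matching is case-insensitive as a defender's assumption, not because the
# report documents upper-case variants.
MINTS_PARAM = re.compile(r"^mints\d+$", re.IGNORECASE)


def is_mintsloader_url(url: str) -> bool:
    """Return True if the URL's query string carries s=mints<NUMBER>."""
    query = parse_qs(urlsplit(url).query)
    return any(MINTS_PARAM.match(value) for value in query.get("s", []))


def hunt_proxy_log(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, host, url) for each line whose URL matches.

    Keying on the parameter instead of the hostname is what keeps the
    check useful against DGA-generated domains that change every day.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed or truncated lines
        client_ip, url = parts[0], parts[2]
        if is_mintsloader_url(url):
            hits.append((client_ip, urlsplit(url).hostname or "", url))
    return hits


if __name__ == "__main__":
    for ip, host, url in hunt_proxy_log(SAMPLE_LOG):
        print(f"{ip} -> {host}  {url}")
```

Hosts surfaced this way can be fed into a watchlist the same day, which is the cadence the DGA forces on defenders.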
Below are recently reported campaigns involving MintsLoader.
MintsLoader and Kongtuke/ClickFix pages
In early 2025, security analysts observed a phishing campaign delivering MintsLoader as a first-stage loader. Phishing emails (targeting the energy, oil and gas, and legal sectors in the US and Europe) carried either a malicious JavaScript attachment or a link to a fake "Click to verify" web page. Figure 4 shows examples of ClickFix pages.
In both cases, the result was the execution of MintsLoader's PowerShell-based second stage on the victim's machine. This loader pulled down the final payloads, notably the StealC infostealer and a modified BOINC client build. The campaign leveraged fake CAPTCHA verification pages (ClickFix/KongTuke lures) to trick users into executing a copied PowerShell command, which downloaded and ran MintsLoader (Figure 5).
Other infection chains in this campaign delivered MintsLoader via a downloaded 'Fattura########.js' file (Italian for "invoice") that victims opened, leading to the same PowerShell loader execution. Researchers at eSentire's Threat Response Unit reported this campaign and noted the threat actors' focus on industrial and professional services targets across North America and Europe.
SocGholish “FakeUpdatesˮ Campaigns
Multiple reports indicate (1, 2) that the SocGholish (FakeUpdates) threat actors incorporated MintsLoader into their operations. Starting around July 2024, SocGholish infections from compromised websites showed infection chains installing the BOINC distributed-computing client via MintsLoader.
In this drive-by campaign, shown in Figure 6, victims browsing legitimate but compromised sites encountered fake browser update prompts (often originating from an update.js script). If run, the malicious JavaScript fetched an obfuscated MintsLoader payload, kicking off a multi-step PowerShell sequence.
Huntress Labs documented two parallel outcomes: one branch resulted in a fileless AsyncRAT running in memory, while the other led to a stealth BOINC installation under attacker control. The BOINC deployment was notably modified and configured to connect to a malicious C2 rather than the standard BOINC server.
In some cases, the GhostWeaver PowerShell backdoor (tracked by Mandiant as UNC4108) was also delivered via MintsLoader, providing attackers with a persistent foothold and a platform to load additional plugins.
Invoice Phishing in Europe
Another MintsLoader campaign in late 2024 targeted European organizations via invoice-themed phishing emails, an example of which is shown in Figure 7. Spam messages leveraged Italy's PEC (certified email) system to add legitimacy and lured recipients into opening attached JavaScript files masquerading as invoices. The Spamhaus research team dubbed this the "PEC invoice scam" and highlighted how the attackers abused trusted email channels to bypass security checks. This campaign was noted for "stealing time, money, and trust from businesses."