MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks

April 29, 2025, 9:53 p.m.

Description

MintsLoader is a malicious loader first observed in 2024. It is delivered through phishing and drive-by download campaigns and is used to deploy payloads such as GhostWeaver, StealC, and modified BOINC clients. Its multi-stage infection chain relies on obfuscated JavaScript and PowerShell scripts and includes sandbox evasion checks, a domain generation algorithm (DGA) for its command-and-control (C2) domains, and HTTP-based C2 communications. Several threat groups, including TAG-124 and SocGholish operators, use MintsLoader against targets in the industrial, legal, and energy sectors. The loader's obfuscation and evasion techniques make detection harder; Recorded Future's Malware Intelligence Hunting tracks new samples and C2 domains as they appear.

Date

  • Created: April 29, 2025, 6:01 p.m.
  • Published: April 29, 2025, 6:01 p.m.
  • Modified: April 29, 2025, 9:53 p.m.

Attack Patterns

  • GhostWeaver
  • MintsLoader
  • StealC
  • AsyncRAT
  • TAG-124

Additional Information

  • Energy
  • Legal
  • Manufacturing
  • Italy