
A malware campaign built around MintsLoader has been observed targeting the electricity, oil and gas, and legal services sectors across the United States and Europe. The campaign, first detected in early January 2025, relies on social engineering for initial execution and chains several malware components together.
The attack chain begins with spam emails that link either to fake CAPTCHA verification pages (the Kongtuke/ClickFix technique) or to malicious JavaScript files. The fake CAPTCHA page instructs the visitor to copy and run a command that launches a PowerShell script; that script deploys MintsLoader, which is itself a PowerShell-based loader.
Key Features of MintsLoader:
– Layered obfuscation and anti-analysis checks intended to defeat sandboxes and static scanning
– Domain Generation Algorithm (DGA) for C2 communication
– Delivery of secondary payloads including StealC stealer
– Geofencing: the loader does not proceed on systems located in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan
The campaign primarily distributes StealC, a malware-as-a-service information stealer, and BOINC, a legitimate distributed-computing client that is abused here as a payload. Each stage of the chain applies its own obfuscation and anti-analysis measures to avoid detection.
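The DGA listed above is the feature defenders can turn to their advantage: a DGA seeded from the calendar date is predictable to anyone who recovers the scheme, so the same computation that lets the operator pre-register tomorrow's C2 domain lets a defender pre-compute the day's blocklist. The example below is added to illustrate that idea; it is not MintsLoader's actual algorithm (the article does not describe it) and not code from the article or from any vendor report. The SHA-256 scheme, the SEED constant, the TLD list, the log line format and the log lines themselves are all constructed for this example.

```python
"""Date-seeded DGA and a DNS-log detector built from the same scheme.

Added example: this is NOT MintsLoader's real algorithm and not code from
the article. The hashing scheme, seed, TLD list, log format and log lines
are all constructed for illustration.
"""
import datetime as dt
import hashlib
import re

SEED = 0x4D494E54          # arbitrary constant, assumed for the example
TLDS = (".top", ".xyz")    # assumed TLD set, not from the article
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+\S+\s+(\S+)$")


def dga_candidates(day: dt.date, count: int = 8) -> list:
    """Return `count` candidate C2 domains for one calendar day.

    Each label is derived from SHA-256(seed, date, index). Because the
    inputs are predictable, the operator can register tomorrow's domain
    in advance, and a defender who has recovered the scheme can run the
    same computation to build a blocklist.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{SEED}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(label + TLDS[digest[12] % len(TLDS)])
    return domains


def daily_blocklist(day: dt.date, skew_days: int = 1) -> set:
    """Candidates for `day` plus/minus `skew_days`, to tolerate client clock drift."""
    names = set()
    for delta in range(-skew_days, skew_days + 1):
        names.update(dga_candidates(day + dt.timedelta(days=delta)))
    return names


def parse_dns_log(line: str):
    """Parse '<iso-ts> <src-ip> query <type> <qname>' (constructed format).

    Returns (date, src, qname) or None for lines that do not match.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, qname = m.groups()
    day = dt.datetime.fromisoformat(ts.replace("Z", "+00:00")).date()
    return day, src, qname.rstrip(".").lower()


def find_dga_queries(lines) -> list:
    """Return (src, qname) for every query that hits that day's blocklist."""
    hits = []
    cache = {}  # date -> blocklist, so each day's set is computed once
    for line in lines:
        parsed = parse_dns_log(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the scan
        day, src, qname = parsed
        if day not in cache:
            cache[day] = daily_blocklist(day)
        if qname in cache[day]:
            hits.append((src, qname))
    return hits


# Constructed sample log: two benign lookups, one hit for the day, one hit
# from a host whose clock is a day ahead, and one malformed line.
DAY = dt.date(2025, 1, 14)
SAMPLE_LOG = [
    "2025-01-14T09:58:02Z 10.0.4.17 query A www.example.com",
    f"2025-01-14T10:03:21Z 10.0.4.17 query A {dga_candidates(DAY)[3]}",
    "2025-01-14T10:04:00Z 10.0.4.22 query AAAA login.microsoftonline.com",
    f"2025-01-15T00:01:09Z 10.0.4.31 query A {dga_candidates(DAY)[0]}",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for src, name in find_dga_queries(SAMPLE_LOG):
        print(f"DGA hit: {src} -> {name}")
```

The one-day window in `daily_blocklist` matters in practice: an infected host with a skewed clock will generate yesterday's or tomorrow's domain, and a blocklist built for today alone would miss it. Exact matching against the recovered scheme is used deliberately; entropy or length heuristics on labels are noisy against legitimate CDN and SaaS hostnames and are not a substitute for recovering the algorithm from the sample.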
This campaign coincides with the emergence of Astolfo Loader (Jinx V3), a C++ rewrite of JinxLoader, and with ongoing GootLoader campaigns that use SEO poisoning to steer search-engine users to compromised WordPress sites. GootLoader's delivery sites apply IP-based restrictions and geofencing so that only visitors from the targeted regions receive the payload, which also keeps the payload away from analysts and crawlers.
Taken together, these campaigns show that operators targeting critical infrastructure sectors are investing in the delivery stage as much as in the final payload: user-driven execution, selective serving, and multi-stage loaders that are hard to observe end to end.