
MintsLoader profile (Source: Recorded Future)
In a deep-dive threat analysis published on April 29, 2025, Recorded Future’s Insikt Group exposed the complex and stealthy workings of MintsLoader—a malicious loader now powering some of the most evasive malware campaigns seen across industrial, legal, and energy sectors. Through layered obfuscation, dynamic infrastructure, and sandbox evasion, MintsLoader has become a favorite tool among cybercriminals seeking persistent and quiet entry into corporate networks.
“MintsLoader employs advanced evasion techniques, including sandbox detection, virtual machine detection, and a domain generation algorithm (DGA) that creates daily-changing C2 domains based on the system date,” the report warns.
MintsLoader first appeared in campaigns as early as 2024, typically arriving via:
- Phishing emails carrying fake invoice attachments (often .js files),
- ClickFix and KongTuke pages disguised as CAPTCHA or email verification screens,
- SocGholish “FakeUpdate” websites masquerading as browser update prompts.
In one observed phishing campaign targeting energy and legal firms, users were duped into executing a copied PowerShell command that ultimately downloaded and ran the loader.
The MintsLoader infection chain follows a two-stage process:
Stage One: JavaScript
The initial JavaScript is heavily obfuscated, using junk code, base64 encoding, and cryptic variable names. Its only job is to invoke PowerShell to retrieve stage two.
“The script is heavily obfuscated using junk comments, non-readable variables and function names, character replacement, and string encoding,” the report notes.
Stage Two: PowerShell with Evasion Logic
Once the second stage is downloaded, the real intelligence kicks in. The PowerShell script:
- Bypasses AMSI (Antimalware Scan Interface),
- Checks for virtual machine/sandbox environments using obscure logic and system metadata,
- Uses a domain generation algorithm (DGA) to produce daily C2 domain names,
- Requests the final malware payload (e.g., GhostWeaver or StealC).
“This second stage conducts environment checks to determine whether it is running in a sandbox or virtualized setting…” If the system fails the environment checks, a decoy payload like AsyncRAT is served instead.
MintsLoader is used by several threat groups, most extensively by TAG-124 (LandUpdate808). It reaches victims through multiple infection vectors: TAG-124's phishing emails targeting the industrial, legal, and energy sectors, SocGholish's compromised websites impersonating browser updates, and invoice-themed lures distributed via Italy's PEC certified email system.
Originally hosted on anonymous VPS providers, MintsLoader’s infrastructure has migrated to bulletproof hosting services including Inferno Solutions, indicating a shift toward long-term resilience.