Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting www.recordedfuture.com/research/…

MintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download campaigns as early as 2024. The loader commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified BOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts. The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.
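The report above names a domain generation algorithm (DGA) and HTTP C2 among MintsLoader's traits but does not describe the algorithm itself, so the example below does not model MintsLoader's DGA. It is an added, generic detection sketch, not code from the report or from Recorded Future: a lexical scorer that flags random-looking second-level labels in DNS query logs and then aggregates hits per client, since a DGA-driven host typically resolves several candidate names per cycle. The log format, the sample lines and the `.top`/`.xyz` domains are all constructed for the example and are not indicators from the report; the thresholds are assumptions a practitioner would tune against their own baseline.

```python
import math
from collections import Counter

# Constructed sample DNS query log (not from the Recorded Future report):
# "<timestamp> <client-ip> <queried-domain>" per line. The ".top"/".xyz" names are
# made-up random-looking labels standing in for DGA output; they are not real IoCs.
SAMPLE_DNS_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 www.recordedfuture.com
2024-03-01T10:00:02Z 10.0.0.5 update.microsoft.com
2024-03-01T10:00:03Z 10.0.0.7 xq7vk2pld9mw.top
2024-03-01T10:00:04Z 10.0.0.7 a8fjk3lqzxv0pw.xyz
2024-03-01T10:00:05Z 10.0.0.9 mail.google.com
2024-03-01T10:00:06Z 10.0.0.7 kr9zt4wmxq1h.top
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'recordedfuture' for www.recordedfuture.com.
    Simplification (assumption): a single-label public suffix, no co.uk handling."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_indicators(domain: str, threshold: int = 3) -> dict:
    """Score one domain on four cheap lexical indicators of algorithmic generation.
    Thresholds are illustrative assumptions, not values from the report."""
    label = registrable_label(domain)
    n = len(label)
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = (
        (entropy >= 3.2)         # high character diversity
        + (vowel_ratio < 0.2)    # natural-language words are vowel-rich
        + (digit_ratio >= 0.15)  # digits mixed into the label
        + (n >= 10)              # long label
    )
    return {"domain": domain, "label": label, "entropy": round(entropy, 3),
            "vowel_ratio": round(vowel_ratio, 3), "digit_ratio": round(digit_ratio, 3),
            "score": int(score), "suspicious": score >= threshold}


def parse_dns_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, client, domain) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            records.append(tuple(fields))
    return records


def flag_dga_domains(text: str, threshold: int = 3) -> list:
    """Domains in the log whose indicator score reaches the threshold, in log order."""
    return [d for _, _, d in parse_dns_log(text)
            if dga_indicators(d, threshold)["suspicious"]]


def suspicious_clients(text: str, min_hits: int = 2) -> dict:
    """Clients that resolved at least min_hits suspicious domains. A DGA emits many
    candidate names per cycle, so repeated hits from one host outweigh a single one."""
    hits = Counter(client for _, client, d in parse_dns_log(text)
                   if dga_indicators(d)["suspicious"])
    return {c: n for c, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    for rec in parse_dns_log(SAMPLE_DNS_LOG):
        print(dga_indicators(rec[2]))
    print("suspicious clients:", suspicious_clients(SAMPLE_DNS_LOG))
```

On the constructed log, the three random-looking labels score 4 of 4 and the legitimate names score at most 1, and only client 10.0.0.7 crosses the per-host threshold. Lexical scoring alone produces false positives on CDN and cloud hostnames, which is why the per-client aggregation (and, in production, an allowlist plus NXDOMAIN-rate correlation) matters more than any single domain's score.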

MintsLoader has been observed being used by various threat groups; however, operators of TAG-124 (also known as LandUpdate808) have used it extensively. The loader is deployed through multiple infection vectors, including phishing emails targeting the industrial, legal, and energy sectors (TAG-124); compromised websites impersonating browser update prompts (SocGholish); and invoice-themed lures distributed via Italy’s PEC certified email system.
