MintsLoader Malware Evades Detection with Sandbox and VM Evasion Techniques

The cyber threat landscape in 2024 and early 2025 has been notably shaped by the emergence of MintsLoader, a highly obfuscated malware loader known for deploying sophisticated second-stage payloads such as GhostWeaver, StealC, and a modified BOINC client.

MintsLoader distinguishes itself through intricate infection chains and an advanced suite of anti-analysis techniques, most notably its sandbox and virtual machine (VM) evasion routines.

Multi-Stage Delivery and Advanced Obfuscation

First observed in widespread phishing and drive-by download campaigns, MintsLoader operates through a dual-layered attack chain.

[Image: MintsLoader profile]

Initial infection is typically executed via heavily obfuscated JavaScript delivered either as a malicious email attachment or via a compromised website that mimics legitimate browser update prompts.

Upon execution, the JavaScript launches a PowerShell script (the second stage), which has been meticulously crafted to evade both static and dynamic analysis.
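The JavaScript-to-PowerShell hand-off described above leaves a distinctive parent/child process lineage that defenders can hunt for. The following PowerShell is an added example written for this article, not code from MintsLoader or from the researchers cited here. It assumes Sysmon is installed with process-creation logging (Event ID 1) enabled and that the shell is running elevated; the parent and child image names it matches are a generic list, not indicators taken from the article.

```powershell
# Added example (not MintsLoader code): flag PowerShell launched by a Windows
# script host in Sysmon process-creation events. Assumes Sysmon Event ID 1 is
# being logged; run from an elevated PowerShell session.
function Find-ScriptHostToPowerShell {
    param([int]$MaxEvents = 5000)

    # Generic list of script-host parents and PowerShell children (assumption).
    $scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe'
    $shells      = 'powershell.exe', 'pwsh.exe'

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        # Sysmon stores each field as <Data Name="...">value</Data>; build a lookup.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $child  = [IO.Path]::GetFileName([string]$d['Image']).ToLower()
        $parent = [IO.Path]::GetFileName([string]$d['ParentImage']).ToLower()

        if ($parent -in $scriptHosts -and $child -in $shells) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $parent
                ParentCmd   = $d['ParentCommandLine']
                CommandLine = $d['CommandLine']
                # -e / -enc / -EncodedCommand followed by a base64 blob
                Encoded     = $d['CommandLine'] -match '(?i)-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}'
                # -w hidden / -WindowStyle Hidden
                Hidden      = $d['CommandLine'] -match '(?i)-w(indowstyle)?\s+h(idden)?'
            }
        }
    }
}

Find-ScriptHostToPowerShell | Format-List
```

A hit where the parent is wscript.exe and the child command line is both encoded and hidden is a strong starting point; the obfuscated script itself can then be recovered from PowerShell script block logging (Event ID 4104) for the same time window if that logging is enabled.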

MintsLoader’s obfuscation makes static signatures such as YARA rules less effective, while its Domain Generation Algorithm (DGA), which derives command-and-control (C2) domains from the current date, defeats static blocklists and complicates ongoing infrastructure monitoring.

Its C2 communications are conducted over plain HTTP, which can be monitored for threat hunting, but the daily rotation of DGA-generated domains means that any single indicator ages quickly.

Sandbox and Virtualization Evasion

A key innovation in MintsLoader lies in the evasion routines embedded within its PowerShell second stage.

Upon execution, the script conducts multiple environment checks to determine if it is running in a real system or an analysis environment such as a sandbox or VM.

These checks include querying system hardware traits and leveraging non-obvious logical expressions to generate a unique “key,” which is transmitted back to the C2 server alongside system information.

The server then decides whether to deliver a real payload, such as GhostWeaver or StealC, or a decoy, effectively sidestepping most automated dynamic analysis systems.
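The environment checks described above are easiest to understand from the sandbox operator's side: which hardware traits of an analysis VM would a loader's check pick up? The following PowerShell is an added example written for this article, not MintsLoader's own code; the exact expressions MintsLoader uses to derive its "key" are not reproduced here, and the trait thresholds and VM vendor strings are a generic set chosen for illustration. Run it inside the sandbox image to see which tells are worth fixing.

```powershell
# Added example (not MintsLoader code): enumerate the hardware traits that
# loader environment checks typically query, and report which ones would give
# an analysis VM away. Thresholds and vendor strings are illustrative.
function Get-SandboxTells {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $gpu  = Get-CimInstance -ClassName Win32_VideoController
    $disk = Get-CimInstance -ClassName Win32_DiskDrive |
            Sort-Object Size -Descending | Select-Object -First 1

    # Vendor strings commonly left in firmware/model/GPU names by hypervisors (generic list).
    $vmStrings = 'VMware', 'VirtualBox', 'VBOX', 'QEMU', 'KVM', 'Xen',
                 'Hyper-V', 'Virtual Machine', 'innotek', 'Bochs'

    # The same kind of fingerprint a loader would build from WMI/CIM before deciding to run.
    $fingerprint = "$($cs.Manufacturer) $($cs.Model) $($bios.Manufacturer) " +
                   "$($bios.SerialNumber) $($gpu.Name -join ' ')"

    $tells = [ordered]@{}
    $tells['VmVendorString'] = ($vmStrings | Where-Object { $fingerprint -match [regex]::Escape($_) }).Count -gt 0
    $tells['FewCpus']        = [int]$cs.NumberOfLogicalProcessors -lt 2
    $tells['LowRam']         = [int64]$cs.TotalPhysicalMemory -lt 4GB
    $tells['SmallDisk']      = [int64]$disk.Size -lt 60GB
    $tells['ShortUptime']    = ((Get-Date) - $os.LastBootUpTime).TotalMinutes -lt 10
    # Analysis tooling and guest agents visible in the process list (generic names).
    $tells['AnalysisTools']  = (Get-Process -Name 'procmon', 'procmon64', 'wireshark', 'x64dbg',
                                 'ollydbg', 'idaq', 'idaq64', 'vboxservice', 'vmtoolsd' `
                                 -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]@{
        Fingerprint = $fingerprint
        Tells       = $tells
        Score       = ($tells.Values | Where-Object { $_ }).Count
    }
}

$r = Get-SandboxTells
$r.Tells.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
"Tells triggered: $($r.Score) of $($r.Tells.Count)"
```

A sandbox that trips several of these at once (two CPUs, 2 GB of RAM, a 40 GB disk, a VirtualBox BIOS string and an uptime of three minutes) is exactly the profile that a server-side decision like the one described above can single out for a decoy payload. Raising the resource values, scrubbing vendor strings, and letting the image run for a while before detonation removes the cheapest tells; the process-list check is addressed by renaming or hiding guest agents.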

The PowerShell stage also carries a bypass for Microsoft’s Antimalware Scan Interface (AMSI), so its script content can execute without being handed to the installed antivirus engine for scanning, which makes detection and containment significantly more complex for defenders.

Throughout 2024 and into 2025, MintsLoader has been leveraged by multiple threat actor groups, most prolifically by TAG-124 (LandUpdate808) and operators associated with the SocGholish (FakeUpdates) malware framework.

[Image: MintsLoader fake updates example]

Targeted sectors include industrial, legal, and energy organizations, as well as businesses across Europe and North America.

Initial infection vectors often involve invoice-themed phishing campaigns that exploit trusted communication channels, such as Italy’s PEC certified email system, to bypass traditional email security controls.

Once established, MintsLoader’s modularity allows it to deliver a range of secondary malware.

GhostWeaver, its most frequently observed payload, is itself a robust PowerShell-based remote access trojan (RAT) that can deploy additional malicious modules and is capable of operating with stealth thanks to encrypted TLS communications.

Technical analyses reveal that MintsLoader’s operators have progressively migrated their C2 infrastructure to more resilient, bulletproof hosting providers, reducing susceptibility to law enforcement takedowns.

This evolution, coupled with the loader’s persistent use of obfuscation and evasion, underscores a broader trend toward professionalized, collaborative threat actor ecosystems.

Security analysts and intelligence teams, such as those at Recorded Future and Orange Cyberdefense, continue to track MintsLoader’s evolving mechanisms, offering updated indicators of compromise (IOCs) and dynamic blocklists.

Nevertheless, its ability to adapt, evade, and deliver increasingly diverse payloads makes MintsLoader a persistent and formidable threat within the malware ecosystem, with ongoing campaigns expected to grow in sophistication and scale throughout 2025.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
