{
  "name": "MintsLoader Malware Analysis: Multi-Stage Loader Used in Cyber Attacks",
  "slug": "mintsloader-malware-analysis-multi-stage-loader-used-in-cyber-attacks",
  "description": "MintsLoader, a malicious loader first observed in 2024, is employed in phishing and drive-by download campaigns to deploy payloads such as GhostWeaver, StealC, and modified BOINC clients. It uses obfuscated JavaScript and PowerShell scripts in a multi-stage infection chain, featuring sandbox evasion techniques, a domain generation algorithm, and HTTP-based C2 communications. Various threat groups, including TAG-124 and SocGholish operators, use MintsLoader to target the industrial, legal, and energy sectors. The loader's sophisticated obfuscation and evasion methods complicate detection, but Recorded Future's Malware Intelligence Hunting provides up-to-date information on new samples and C2 domains.",
  "published": "2025-04-29T16:01:04+00:00",
  "created_at": "2025-04-29T16:01:04+00:00",
  "modified_at": "2025-04-29T19:53:44+00:00",
  "created_at_opencti": "2025-04-29T16:01:04+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-04-29",
    "asyncrat",
    "boinc",
    "drive-by-download",
    "ghostweaver",
    "mintsloader",
    "multi-stage loader",
    "phishing",
    "socgholish",
    "stealc",
    "tag-124"
  ],
  "related_entities": {
    "malware": [
      {
        "id": "legacy:malware:5172c414437a14ed",
        "name": "GhostWeaver",
        "slug": "ghostweaver"
      },
      {
        "id": "038e063c-cead-4de8-902e-d6fabcd78a08",
        "name": "MintsLoader",
        "slug": "mintsloader"
      },
      {
        "id": "legacy:malware:bd5e900cb57b2f39",
        "name": "StealC",
        "slug": "stealc"
      },
      {
        "id": "legacy:malware:4fcb3099e8f330ca",
        "name": "AsyncRAT",
        "slug": "asyncrat"
      }
    ],
    "intrusion_sets": [
      {
        "id": "66fab1e9-3b18-40e3-af75-d8930920014c",
        "name": "TAG-124",
        "slug": "tag-124"
      }
    ],
    "attack_patterns": [
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "52b92395-d3d3-4e05-976a-0fccccfce8d2",
        "name": "T1566.002"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Italy"
      },
      {
        "id": "",
        "name": "Energy"
      },
      {
        "id": "",
        "name": "Legal"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting",
    "https://cms.recordedfuture.com/uploads/format_webp/BLOG_cta_2025_0429_Main_Feature_e924c36cbd.jpg",
    "https://otx.alienvault.com/pulse/681113e0e23f344e6f364fb1"
  ]
}