\n<\/p>\n
The malware loader known as **MintsLoader** has been used to deliver a PowerShell-based remote access trojan called GhostWeaver.<\/p>\n
“MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts,” Recorded Future’s Insikt Group said in a report shared with The Hacker News.<\/p>\n
“The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.”<\/p>\n
Phishing and drive-by download campaigns distributing MintsLoader have been detected in the wild since early 2023, per Orange Cyberdefense. The loader has been observed delivering various follow-on payloads like StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client.<\/p>\n
<\/p>\n
The malware has also been put to use by threat actors operating e-crime services like SocGholish (aka FakeUpdates) and LandUpdate808 (aka TAG-124), distributing via phishing emails targeting the industrial, legal, and energy sectors and fake browser update prompts. <\/p>\n
<\/p>\n
In a notable twist, recent attack waves have employed the increasingly prevalent social engineering tactic called ClickFix to trick site visitors into copying and executing malicious JavaScript and PowerShell code. The links to ClickFix pages are distributed via spam emails.<\/p>\n
“Although MintsLoader functions solely as a loader without supplementary capabilities, its primary strengths lie in its sandbox and virtual machine evasion techniques and a DGA implementation that derives the C2 domain based on the day it is run,” Recorded Future said.<\/p>\n
<\/p>\n
These features, coupled with obfuscation techniques, enable threat actors to hinder analysis and complicate detection efforts. The primary responsibility of the malware is to download the next-stage payload from a DGA domain over HTTP by means of a PowerShell script.<\/p>\n
GhostWeaver, according to a report from TRAC Labs earlier this February, is designed to maintain persistent communication with its C2 server, generate DGA domains based on a fixed-seed algorithm based on the week number and year, and deliver additional payloads in the form of plugins that can steal browser data and manipulate HTML content.<\/p>\n
<\/p>\n
“Notably, GhostWeaver can deploy MintsLoader as an additional payload via its sendPlugin command. Communication between GhostWeaver and its command-and-control (C2) server is secured through TLS encryption using an obfuscated, self-signed X.509 certificate embedded directly within the PowerShell script, which is leveraged for client-side authentication to the C2 infrastructure,” Recorded Future said.<\/p>\n
The disclosure comes as Kroll revealed attempts made by threat actors to secure initial access through an ongoing campaign codenamed CLEARFAKE that leverages ClickFix to lure victims into running MSHTA commands that ultimately deploy the Lumma Stealer malware.<\/p>\n
Found this article interesting? Follow us on Twitter _\uf099_ and LinkedIn to read more exclusive content we post.\n<\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks Update ID THN:35F97332E35D8885BFE3E8931B513634 Type thn Published…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,7,11,43,5],"class_list":["post-2336","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n
MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=2336\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks Update ID THN:35F97332E35D8885BFE3E8931B513634 Type thn Published...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=2336\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-02T07:01:43+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks\",\"datePublished\":\"2025-05-02T07:01:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336\"},\"wordCount\":576,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"thn\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=2336#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336\",\"name\":\"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-02T07:01:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=2336\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=2336#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=2336","og_locale":"en_US","og_type":"article","og_title":"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks - zero redgem","og_description":"Security Update News Update Information Title MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks Update ID THN:35F97332E35D8885BFE3E8931B513634 Type thn Published...","og_url":"https:\/\/zero.redgem.net\/?p=2336","og_site_name":"zero redgem","article_published_time":"2025-05-02T07:01:43+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=2336#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=2336"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks","datePublished":"2025-05-02T07:01:43+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=2336"},"wordCount":576,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","tapic","thn","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=2336#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=2336","url":"https:\/\/zero.redgem.net\/?p=2336","name":"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-02T07:01:43+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=2336#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=2336"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=2336#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"MintsLoader Drops GhostWeaver via Phishing, ClickFix \u2014 Uses DGA, TLS for Stealth Attacks"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/2336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2336"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/2336\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}