MintLoader
MintLoader is a malware payload/loader observed in intrusions attributed to the Interlock ransomware group. Reported Interlock attacks often begin with a MintLoader infection, likely delivered through ClickFix social engineering. In the documented 2025 intrusion against a North American education organization, initial access was assessed as originating from a MintLoader infection on an end-user laptop on March 31, 2025, based on distinct PowerShell activity. That initial chain included a PowerShell download cradle retrieving a payload from 138[.]199[.]156[.]22:8080/<time_since_epoch>, followed by use of a ZIP archive named download.zip containing a legitimate Node.js runtime (node.exe) to execute a malicious JavaScript payload. MintLoader is described as executing the NodeSnakeRAT implant, which Interlock then used for persistence and lateral movement. The broader Interlock intrusion set also involved valid-account abuse, living-off-the-land techniques, data exfiltration with AZcopy, and later ransomware deployment against Windows endpoints and Nutanix hypervisors. High-confidence infrastructure and artifacts directly tied to the MintLoader-linked initial access chain include 138[.]199[.]156[.]22:8080/<time_since_epoch>, download.zip, node.exe, and the JavaScript payload j1wp4vw8.log (SHA1: 63FD5E0811C0BCC7DF9FC3D712F39F829A8D6FF0). Targeting described in the source material centers on U.S. and U.K. education organizations affected by Interlock operations.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Interlock ... concealed ... through the custom Hotta Killer evasion tool, which harnesses a zero-day flaw in the legitimate gaming anti-cheat driver GameDriverx64.sys, tracked as CVE-2025-61155, as part of a Bring Your Own Vulnerable Driver attack. ... kernel termination of security software prior to encryption activities.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Interlock leveraged ClickFix social engineering tactics to deploy the MintLoader payload that executed the NodeSnakeRAT implant for lateral network movement...
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
1 technique"Interlock leveraged ClickFix social engineering tactics to deploy the MintLoader payload"
Command and Control
1 technique"deploy the MintLoader payload that executed the NodeSnakeRAT implant"
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Loader implicated as the initial access vector preceding Interlock activity.
A loader payload used by Interlock to deploy follow-on implants (notably NodeSnakeRAT) in support of intrusion activity preceding ransomware deployment.
Initial infection/loader used early in the intrusion chain to establish a foothold prior to follow-on activity.
Initial access/first-stage loader infection used at the start of the intrusion chain that preceded longer-term persistence and later ransomware deployment.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.