{
	"id": "5d6c4b90-5bbf-4c4e-aea0-6162e485e4e1",
	"created_at": "2026-04-06T00:17:01.350271Z",
	"updated_at": "2026-04-10T13:13:00.50437Z",
	"deleted_at": null,
	"sha1_hash": "3d486a648c557297dd3abd246d6af1d69a47b54e",
	"title": "New MintsLoader Variant Using Hashtable Obfuscation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77377,
	"plain_text": "New MintsLoader Variant Using Hashtable Obfuscation\r\nArchived: 2026-04-05 14:41:55 UTC\r\nBlackpoint’s SOC recently responded to an intrusion that initially looked like another routine Fake Captcha chain,\r\nbut it quickly became clear the threat actor was working with a more refined version\r\nof MintsLoader than what’s typically seen.\r\nThe first foothold came from a Finger request, a decades-old protocol that still lingers on modern systems and has\r\nbecome an appealing delivery mechanism for recent Fake Captcha and ClickFix campaigns. The Finger query\r\npulled down the first PowerShell stager and executed it in memory, kicking off a familiar chained progression of\r\nlightweight loaders, GUID-based staging URLs, and a deterministic domain generation used to cycle through\r\ncandidate domains until one returns the next payload.\r\nAt a glance, the flow matched what the SOC has come to expect from this ecosystem. But the final stage\r\nintroduced a noticeable twist. Instead of relying on the simple string scrambling and arithmetic tricks seen in\r\nearlier variants, this sample used a full Hashtable based decoding system to conceal its internal strings and\r\nembedded payload. It’s a noticeably more sophisticated approach than what MintsLoader normally uses,\r\nreflecting how the family’s obfuscation has continued to evolve.\r\nKey Findings\r\nInitial access came through a Finger request that quietly pulled and ran a PowerShell stager in memory.\r\nThe early loaders followed the expected MintsLoader pattern, passing execution down a chain of\r\nlightweight PowerShell stages.\r\nThe script generated ten .top domains using MintsLoader’s deterministic domain\r\ngeneration to retrieve the next payload. \r\nEach staging request used the familiar 1.php?s=\u003cGUID\u003e format that shows up\r\nacross MintsLoader activity.\r\nResponses from a working domain were executed immediately through a familiar Invoke-Expression alias, mitresa.\r\nThe final stage introduced a Hashtable based decoder, a more structured obfuscation method than earlier\r\nvariants.\r\nA base64-encoded, Gzip-compressed .NET assembly was unpacked in memory and invoked via reflection.\r\nWhile the overall flow was typical for Fake Captcha linked MintsLoader cases, the new Hashtable layer\r\nstood out as a notable evolution.\r\nObserved Kill Chain\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 1 of 8\n\nFinger on the Trigger\r\nThe incident began with a command that leaned on a tool most people haven’t thought about since dial-up.\r\nThe Finger client was originally designed as a simple way to query basic user information from remote systems, a\r\nkind of early “who’s online” lookup service. It was never built with security in mind, and over the years it slipped\r\ninto obscurity as modern protocols took over. That quiet retirement is exactly what makes it appealing again,\r\nbecause it sits in that awkward space where it still exists on many Windows systems, yet almost no one is\r\nwatching it.\r\nThat gap is now being exploited by several ClickFix and Fake Captcha campaigns, which have started\r\nrepurposing Finger as a low noise delivery mechanism. In this case, the host launched a minimized shell that\r\nissued a request with finger.exe to cloudflare@cfcheckver[.]top, a pairing that fits neatly into the Fake\r\nCloudflare Captcha theme these campaigns rely on. Whatever text that server returns is then piped straight\r\ninto cmd for immediate execution. For the operator, this is ideal. It avoids file writes, blends into background\r\nactivity, and slips under a lot of defensive radar simply because it abuses a tool that most people do not expect to\r\nbe part of a modern intrusion.\r\nInitial Fake Captcha abusing Finger to pull and execute remote content.\r\nThe response received from the Finger command is the first stage of a MintsLoader payload, a loader family that\r\nhas become increasingly common in Fake Captcha and ClickFix intrusion chains. MintsLoader is built around a\r\nmodular, multi-stage design where each component does just enough work to move execution forward while\r\nkeeping the entire chain in memory. Instead of dropping a large, monolithic loader, it relies on small PowerShell\r\nstagers, obfuscated URL builders, and lightweight download cradles to remain quiet and flexible.\r\nThe powershell.exe -w h -e \u003cbase64\u003e command that follows is how this first stage begins, launching PowerShell\r\nin a hidden window and running the attacker’s encoded script without exposing any readable code on disk.\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 2 of 8\n\nDecoded Stage 1 MintsLoader PowerShell script.\r\nLooking at the decoded PowerShell, the script starts by quietly setting up its tools. It builds the string curl in\r\npieces and assigns it to the alias mitresa, a name that consistently appears across MintsLoader samples and\r\nserves as one of its more recognizable fingerprints. After establishing that alias, the script iterates through a long\r\narray of integers, subtracts 6820 from each value, and converts the result into a character. As the loop progresses,\r\nthose characters assemble into the real destination URL, which follows the familiar MintsLoader pattern of\r\na 1.php endpoint paired with an ?s= query parameter containing a GUID.\r\nOnce the URL is rebuilt, the script stores it in a state array and immediately pivots into execution. The final line\r\ndynamically constructs iex through a small arithmetic trick, then evaluates the output of mitresa -useb $url.\r\nEffectively, it retrieves the next stage through the aliased curl command and runs the returned PowerShell directly\r\nin memory. This stage stays lightweight, hides infrastructure behind obfuscation, and transitions execution to the\r\nnext part of the MintsLoader chain.\r\nDeobfuscated MintsLoader logic used to fetch and execute the next stage.\r\nThe next stage shifts into MintsLoader’s characteristic Domain Generation Algorithm (DGA), which is a pattern\r\nseen across many of its campaigns. It initializes a System.Random object using a seed derived from the system’s\r\nday of year, performs a small arithmetic adjustment, and multiplies the result by a large constant. Even though the\r\noutput looks random, it actually isn’t. This deterministic seeding method allows the operator to reproduce the\r\nexact same set of domains on their end, while anyone analyzing the script only sees what looks like arbitrary\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 3 of 8\n\nnoise. It’s a predictable algorithm masquerading as randomness, which is a well-established MintsLoader technique.\r\nSeed formula behind MintsLoader’s domain generation algorithm.\r\nOnce the RNG is seeded, the loader generates ten candidate domains by assembling fifteen-character strings from\r\na lowercase alphanumeric set and appending the .top TLD. It then iterates through each of these\r\ndomains, attempting to reach the familiar 1.php?s=\u003cGUID\u003e path using curl and piping any response directly\r\ninto iex for in-memory execution. The loop breaks as soon as one domain returns a valid payload. This gives the\r\noperator resiliency without needing a large set of active servers, since only one domain needs to resolve for the\r\nchain to continue, and the deterministic DGA makes that coordination easy while still complicating simple\r\nblocklisting or static detection.\r\nDGA loop producing ten .top domains and testing each for the next stage.\r\nOnce the loader reaches a responsive domain, it retrieves the next PowerShell script in the chain, and this is where\r\nthe sample starts to diverge from what is normally seen in MintsLoader campaigns. The script begins with a\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 4 of 8\n\ndedicated decoder routine, but instead of relying on the simple arithmetic tricks used earlier, it adopts a new, very\r\nunique obfuscation strategy.\r\nAt the center of this design is a Hashtable, which in PowerShell is essentially a fast lookup table that stores key-value pairs. In this case, each key is a three-character token and each value is the byte it represents. The loader\r\nbuilds this table up front, then processes its encoded strings in fixed three-character chunks. Each token is\r\nresolved through the Hashtable and translated back into its original byte, gradually reconstructing the underlying\r\nstrings the script depends on. It’s a more organized and flexible obfuscation approach than what typically appears\r\nin MintsLoader, and it allows the operators to hide a large number of values with very little visible encoding\r\nlogic.\r\nDeobfuscated Hashtable driven decoder function.\r\nAfter defining the decoder function, the script shifts into its main payload logic. It initializes a large base64\r\nblob containing an embedded .NET assembly, decodes and Gzip decompresses it, then loads the resulting binary\r\ndirectly into memory using System.Reflection.Assembly::Load. Once the assembly is in place, the\r\nscript identifies its Main method and invokes it via reflection, bringing a compact .NET component into the\r\nprocess. That assembly acts as a helper runtime for later stages, providing utilities such as dynamic assembly\r\nloading and method invocation for later stages.\r\nDecoding and loading the embedded .NET assembly directly into memory.\r\nWith the .NET helper assembly loaded, the script moves on to generating the next set of Command and Control\r\n(C2) domains. Using the same DGA pattern described earlier, it creates ten candidate domains by selecting fifteen\r\ncharacters from a lowercase alphanumeric alphabet and appending the .top TLD. This produces the week’s full\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 5 of 8\n\npool of potential endpoints; all derived from the shared seed logic already discussed. Rather than embedding any\r\nstatic infrastructure in the script, the loader relies on this rotating domain list as its discovery mechanism, testing\r\neach domain in sequence until one returns the follow-on payload just as it did in the last stage.\r\nDeterministic weekly DGA routine generating ten fifteen-character .top domains.\r\nWith the domain list ready, the loader shifts to building the parameters for its C2 requests. It pulls the local\r\nhostname from $env:COMPUTERNAME and generates a six-digit identifier unique to the host, both of which\r\nare included in the query string to support tracking and triage on the operator’s side. For each generated domain,\r\nthe script formats a request to the /st2 path, inserting the campaign’s static GUID along with the hostname and\r\nhost key. Before entering the loop, it also creates the alias printconsole, which is simply a renamed Invoke-Expression call that will be used to execute whatever the C2 server returns.\r\nThe loader cycles through the ten generated domains, sending a curl request to each in sequence. The first domain\r\nthat returns a valid response immediately has its content passed into printconsole, executing the payload directly\r\nwithin the current PowerShell process. Once a payload runs successfully, the loop stops and control moves\r\nforward into the newly delivered stage.\r\nC2 request loop that builds DGA URLs and executes the first valid server reply. \r\nThis final lookup loop is the true handoff point in the chain. By executing whatever the server returns, the loader\r\ngives the operator full control over the final payload at run time instead of baking anything into the script or the\r\nembedded assembly. Everything leading up to this moment is simply deterministic staging meant to reach an\r\nactive domain and wait for instructions. Whichever domain responds first becomes the delivery channel for\r\nwhatever tasking or malware the operator chooses to supply next.\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 6 of 8\n\nOverall, the incident followed the familiar Fake Captcha into MintsLoader flow that has become fairly routine in\r\nthese campaigns, but the final stage introduces a twist that makes this variant stand out. The introduction of\r\na Hashtable driven decoder, along with the structured token mapping it relies on, represents a noticeable shift in\r\nhow these operators are approaching obfuscation. It’s a more deliberate technique than usual for MintsLoader,\r\noffering a cleaner way to hide its inner logic. The killchain is familiar, but this added complexity shows the\r\ntooling is continuing to evolve.\r\nMethodology \u0026 Attribution \r\nThis activity closely matches what has been observed in MintsLoader campaigns, particularly in how the chain is\r\ndesigned to move execution forward entirely in memory. It begins with a lightweight bootstrap and quickly\r\ntransitions into obfuscated PowerShell, where next stage URLs are rebuilt at runtime and executed\r\nthrough curl.exe piped into Invoke-Expression, without writing scripts to disk.\r\nSeveral core mechanics strongly align with MintsLoader tradecraft. The loader consistently uses PHP based\r\nstaging via a 1.php?s=\u003cGUID\u003e endpoint, and repeatedly relies on alias driven execution, including\r\nthe mitresa curl alias that has been seen across other MintsLoader campaigns.\r\nInfrastructure resiliency is handled through MintsLoader’s characteristic deterministic DGA routine. Domains are\r\ngenerated from a time-based seed tied to the week, producing a predictable set of 15-\r\ncharacter alphanumeric .top candidate domains that the operator can reproduce, while defenders only see what\r\nlooks like random rotation. The loader then iterates until one domain responds and immediately executes the\r\nreturned stage in memory.\r\nWhere this variant stands out is in the obfuscation used in the final stage. Instead of relying on the simpler string\r\nrecovery and arithmetic tricks seen in earlier samples, it introduces a Hashtable driven decoding mechanism that\r\nhas not been observed in prior MintsLoader variants. This shift represents a clear evolution in how the loader\r\nconceals its internal logic while still preserving the core delivery patterns that define the MintsLoader family.\r\nRecommendations\r\nEducate end users on Fake Captcha and ClickFix style prompts that ask them to run “verification”\r\ncommands.\r\nUse Group Policy to restrict or disable access to the Run dialog for users who do not require it\r\noperationally.\r\nRestrict access to cmd.exe and PowerShell for users who do not need them as part of normal workflow.\r\nMonitor for unexpected use of the Finger client or any nonstandard network traffic associated with it, since\r\nlegitimate use is extremely rare in modern environments.\r\nImplement DNS monitoring and filtering to block newly registered domains or low reputation TLDs\r\ncommonly used for malware staging.\r\nIndicators of Compromise (IOCs)\r\nNetwork\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 7 of 8\n\nType Indicator Context / Notes\r\nDomain cfcheckver[.]top Initial ClickFix Domain\r\nDomain snau382[.]top MintsLoader Delivery\r\nFiles \r\nFilename Hash\r\nContext\r\n/ Notes\r\nN/A 456e1a5fc887cda944eb50b92da8d6c27996df359c16c575eb02028b1712cac2\r\nStage 2\r\nPayload\r\nN/A a33932cc53e74f7b77c8c9b377acabcdeb6515e5b9d9f284fd1e9e3e0d61ef5e\r\nStage 3\r\nPayload\r\nN/A 4894f921b23384b4b3a870451d41e4bd282d0b419be6080c21e8c0381deb92dd\r\nStage 4\r\nPayload\r\nSource: https://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nhttps://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/\r\nPage 8 of 8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/"
	],
	"report_names": [
		"mintsloader-finger-protocol-hashtable-obfuscation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775826780,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d486a648c557297dd3abd246d6af1d69a47b54e.pdf",
		"text": "https://archive.orkl.eu/3d486a648c557297dd3abd246d6af1d69a47b54e.txt",
		"img": "https://archive.orkl.eu/3d486a648c557297dd3abd246d6af1d69a47b54e.jpg"
	}
}