{
	"id": "39050ddb-dde5-4cb0-bc16-4cb97b432624",
	"created_at": "2026-04-06T00:08:54.80447Z",
	"updated_at": "2026-04-10T03:35:21.393109Z",
	"deleted_at": null,
	"sha1_hash": "9ac4f7ed4ed746c6ade2c92f5cfac199eb197b32",
	"title": "MintsLoader: StealC and BOINC Delivery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1407931,
	"plain_text": "MintsLoader: StealC and BOINC Delivery\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 18:38:55 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nWhat did we find?\r\nIn early January 2025, the eSentire Threat Response Unit (TRU) identified an ongoing campaign involving MintsLoader delivering second-stage payloads like Stealc and the Berkeley Open Infrastructure for Network Computing (BOINC) client. MintsLoader is a PowerShell-based malware loader that has been seen delivered via spam emails with a link to Kongtuke/ClickFix pages or a JScript file. MintsLoader features a Domain Generation Algorithm (DGA) with a seed value based on the addition of the current day of the month and a constant, combined with anti-VM techniques to evade sandboxes and malware researchers. Impacted organizations in the United States and Europe include the Electricity, Oil \u0026 Gas and Law Firms \u0026 Legal Services industries. 
\r\nThe MintsLoader infection process begins when the victim clicks a link in a spam email, which downloads a JScript file matching the regex pattern “Fattura[0-9]{8}.js”.\r\nFigure 1 – JScript download\r\nThe contents of the script can be seen in the following figure.\r\nhttps://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery\r\nPage 1 of 12\n\nFigure 2 – JScript obfuscated contents\r\nThe contents of the deobfuscated JScript can be seen below. First a sleep occurs for 13 seconds, then a WScript.Shell object is instantiated, and its Run method is called to execute the first MintsLoader-associated command in PowerShell. This command uses curl to retrieve the first stage of MintsLoader. Before the script exits, it deletes itself, likely to make it more difficult for responders to acquire the file for analysis. It is worth noting that the format of the PowerShell command is identical in cases where MintsLoader is instead delivered via ClickFix/KongTuke; however, there it is executed from a Run prompt instead of via WScript.\r\nFigure 3 – Deobfuscated JScript contents\r\nThe response from the MintsLoader C2 is obfuscated and is more PowerShell that again uses Invoke-Expression (iex) to execute the next stage.\r\nFigure 4 – Obfuscated first stage\r\nThe next stage of PowerShell is obfuscated as well and begins by decoding each line from an array of integers to the equivalent ASCII characters.\r\nFigure 5 – Obfuscated next stage\r\nThe beginning of the deobfuscated script checks if the victim machine is a virtual machine via the IsVirtualMachine property returned by the WMI-backed Get-MpComputerStatus cmdlet. 
Also shown in the figure below, the variable “$key” stores a value that is used throughout the script and is later sent to the C2.\r\nFigure 6 – Check if virtual machine via Get-MpComputerStatus\r\nNext, the Win32_VideoController WMI class is queried and the AdapterDACType property of the returned object is matched against the following strings. The first case in the switch statement aims to identify a system that is likely not a virtual machine by checking for the presence of the strings “Internal” or “Integrated”. The remaining strings that are checked are as follows and serve to identify the machine as a VM, specifically targeting VMware and KVM/QEMU/Bochs-based hypervisors.\r\nVMware\r\nBochs\r\nIntel\r\nSeaBIOS\r\nFigure 7 – Check if virtual machine via Win32_VideoController object AdapterDACType\r\nNext, two constants are added to the $key variable and the Win32_CacheMemory WMI class is queried, acquiring the first object’s Purpose property and comparing it in a switch statement. The first two conditions in the switch statement check if the property equals L1 or is shorter than 4 characters, which aims to identify virtual machines. The final check aims to identify whether the system is likely a physical machine.\r\nFigure 8 – Check if virtual machine via Win32_CacheMemory\r\nMintsLoader then makes use of a DGA whose seed value is the current day of the month plus a constant. The loop iterates 15 times, and a System.Random object’s Next method is used to pick indexes into the character array “abcdefghijklmn”. Finally, the TLD of the C2 server (.top) is appended to the resulting C2 domain.\r\nFigure 9 – DGA generate C2 server for the day\r\nA string containing part of the URI path is then built from a random alphanumeric character array with a length of 10 characters using the Get-Random cmdlet. 
This is used as part of the full C2 URI path. The query parameters are built as follows: the computer name, taken from the environment variable ComputerName, is used as the value of the id query parameter; the aforementioned $key variable is used as the value of the key query parameter; and the s query parameter contains a hard-coded number, e.g. 527. The curl command is used again to send the request to the C2, and the response from the C2 is again invoked via iex.\r\nFigure 10 – Send request to C2 and invoke response\r\nThe following is a list of all the possible DGA-generated domains identified in this campaign.\r\nFigure 11 – Known DGA domains\r\nThe final PowerShell stage is also obfuscated and decodes more integers to ASCII. When deobfuscated, a poorly written, publicly known Anti-Malware Scan Interface (AMSI) bypass technique fails to run due to improper de-obfuscation. A web request is then invoked to download the payload from temp[.]sh, a file hosting site that is a clone of Pomf[.]se. The response is written to the temp directory and executed. Though the file hosting site is no longer serving the file, the file is available for download from VirusTotal by its SHA-256. This file is a packed sample of the information-stealing malware StealC.\r\nFigure 12 – Final stage, download/execute StealC\r\nStealC is an information stealer advertised by its developer “Plymouth” on Russian-speaking underground forums and has been sold as Malware-as-a-Service since January 2023. Re-engineered from the information stealer Arkei, first seen in 2018, StealC targets sensitive data stored by web browsers, extensions, applications, crypto-wallets, and email clients, including financial data, passwords, and tokens. 
Several legitimate DLLs, e.g. sqlite3.dll, nss3.dll, mozglue.dll, softokn3.dll, and others, are downloaded and used as part of this process. Harvested data is exfiltrated to its command and control (C2) server using HTTP POST requests.\r\nThe admin panel for StealC can be seen in the figure below; it provides threat actors with a variety of features, such as a query builder for sorting through stolen logs.\r\nFigure 13 – StealC operator panel from sales thread on exploit[.]in (Feb 2023)\r\nStealC makes use of XOR-encrypted strings to hide from static analysis. The routine that decrypts the strings is one of the first behaviors StealC exhibits; the resulting decrypted strings are stored as DWORD pointers.\r\nFigure 14 – StealC string decryption\r\nFor this particular sample (138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa) we identified the following C2 URL and Botnet ID in the strings:\r\nFigure 15 – StealC C2 and Botnet ID\r\nAfter string decryption and API resolution there are several anti-debug/anti-analysis subroutines. For example, the C code included below checks if the username of the current user is “JohnDoe”. If so, the malware exits.\r\nFigure 16 – StealC username check for JohnDoe\r\nStealC contains a check to ensure the malware doesn’t run on any system whose default language ID is associated with Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan. 
If any of these languages match, the malware exits.\r\nFigure 17 – StealC check for banned countries\r\nThe count of processor cores is checked; if the system only has a single core, the malware exits.\r\nFigure 18 – StealC processors check\r\nThe total memory of the system is retrieved; if it is less than 1111 MB, the malware exits.\r\nFigure 19 – StealC memory check\r\nThe vertical height of the system's screen resolution is checked; if it is less than 666, the malware exits.\r\nFigure 20 – StealC resolution check\r\nPrior to communicating with the C2, a hardware ID (HWID) is generated. This HWID is derived from the C:\\ drive volume serial number and is unlikely to change, so it is likely checked by threat actors to filter stolen logs in the backend or as a measure to deny access to known sandboxes. The Python script here can be used to generate the HWID and decode an existing HWID if one is identified in incidents where HTTP traffic has been captured.\r\nFigure 21 – StealC HWID generation via Volume Serial\r\nThe following figure displays the initial HTTP POST request to the script gate, where “\u003cHWID\u003e” represents the generated HWID. Though the C2 is no longer online, the response would contain a base64-encoded configuration. Subsequent HTTP POST requests follow a similar format and are used for exfiltration of harvested files, credentials, and other sensitive information. 
HTTP GET requests are used for retrieving needed third-party libraries, such as sqlite3.dll.\r\nFigure 22 – StealC Initial C2 request\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf.\r\nWe communicated what happened with the customer and helped them with remediation efforts.\r\nWhat can you learn from this TRU Positive?\r\nThe MintsLoader campaign is an evasive threat found targeting organizations in the United States and Europe. It is primarily distributed via spam emails containing a link to a JScript file or via ClickFix/KongTuke, and when paired with information stealers like StealC, it becomes an even more capable threat to the confidentiality and integrity of sensitive data.\r\nRecommendations from the Threat Response Unit (TRU):\r\nDisable the Run prompt via GPO:\r\nUser Configuration \u003e Administrative Templates \u003e Start Menu and Taskbar \u003e Enable “Remove Run menu from Start Menu”\r\nDisable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):\r\nC:\\Windows\\System32\\WScript.exe\r\nC:\\Windows\\SysWOW64\\WScript.exe\r\n*:\\Windows\\System32\\WScript.exe (* is a wildcard covering drive letters other than C)\r\n*:\\Windows\\SysWOW64\\WScript.exe (* is a wildcard covering drive letters other than C)\r\nDisable mshta.exe via AppLocker GPO or Windows Defender Application Control (WDAC):\r\nC:\\Windows\\System32\\mshta.exe\r\nC:\\Windows\\SysWOW64\\mshta.exe\r\n*:\\Windows\\System32\\mshta.exe (* is a wildcard covering drive letters other than C)\r\n*:\\Windows\\SysWOW64\\mshta.exe (* is a wildcard covering drive letters other than C)\r\nEmploy email filtering and protection measures.\r\nUse a Next-Gen AV (NGAV) or Endpoint Detection and Response 
(EDR) solution to detect and contain threats.\r\nImplement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees.\r\nIndicators of Compromise\r\nYou can access the Indicators of Compromise here.\r\nReferences\r\nhttps://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nhttps://www.forcepoint.com/blog/x-labs/malicious-javascript-code-sent-via-pec-email-italy\r\nhttps://levelblue.com/blogs/labs-research/asyncrat-loader-obfuscation-dgas-decoys-and-govno\r\nhttps://x.com/CERTCyberdef/status/1849392561024065779\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery"
	],
	"report_names": [
		"mintsloader-stealc-and-boinc-delivery"
	],
	"threat_actors": [
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434134,
	"ts_updated_at": 1775792121,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ac4f7ed4ed746c6ade2c92f5cfac199eb197b32.pdf",
		"text": "https://archive.orkl.eu/9ac4f7ed4ed746c6ade2c92f5cfac199eb197b32.txt",
		"img": "https://archive.orkl.eu/9ac4f7ed4ed746c6ade2c92f5cfac199eb197b32.jpg"
	}
}