{
	"id": "74373d4a-d724-43bd-9ffa-8a2d89b3cdea",
	"created_at": "2026-04-06T00:19:00.774195Z",
	"updated_at": "2026-04-10T03:23:51.088951Z",
	"deleted_at": null,
	"sha1_hash": "fcba5cf64487525a5784eede7df9ff0fe9a894e3",
	"title": "GitHub - cert-orangecyberdefense/mintsloader: MintsLoader IOCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32902,
	"plain_text": "GitHub - cert-orangecyberdefense/mintsloader: MintsLoader IOCs\r\nBy cert-orangecyberdefense\r\nArchived: 2026-04-02 11:46:17 UTC\r\nMintsLoader is a little-known, multi-stage malware loader that has been used since at least February 2023. We\r\ndetected this loader in widespread distribution campaigns between July and October 2024. The name comes from\r\na very characteristic use of a URL parameter \"1.php?s=mintsXX\" (with XX being numbers). Other campaigns\r\nused the \"s=boicn\" pattern, as mentioned here: https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software\r\nMintsLoader primarily delivers malicious RAT or infostealing payloads such as AsyncRAT and Vidar through\r\nphishing emails, targeting organizations in Europe (Spain, Italy, Poland, etc.). Written in JavaScript and\r\nPowerShell, MintsLoader operates through a multi-step infection process involving several URLs and domains,\r\nmost of which use a domain generation algorithm (DGA) with the .top TLD.\r\nAdditional information on this threat is available for our World Watch customers in our dedicated advisory from\r\nAugust 10 here: https://portal.cert.orangecyberdefense.com/worldwatch/advisory/1837 and here:\r\nhttps://portal.orangecyberdefense.com/updates/worldwatch/viewSignal/1837.\r\nIOCs and Yara rules are available in this repository.\r\nSource: https://github.com/cert-orangecyberdefense/mintsloader\r\nhttps://github.com/cert-orangecyberdefense/mintsloader\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/cert-orangecyberdefense/mintsloader"
	],
	"report_names": [
		"mintsloader"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434740,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fcba5cf64487525a5784eede7df9ff0fe9a894e3.pdf",
		"text": "https://archive.orkl.eu/fcba5cf64487525a5784eede7df9ff0fe9a894e3.txt",
		"img": "https://archive.orkl.eu/fcba5cf64487525a5784eede7df9ff0fe9a894e3.jpg"
	}
}