MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks

Summary:
Mints Loader is a modular and evasive malware loader leveraged by cybercriminals and advanced persistent threat actors to deploy secondary payloads in highly targeted attacks. It supports a range of advanced capabilities, including payload encryption, anti-analysis and anti-virtualization techniques, and dynamic configuration loading. Mints Loader also employs Domain Generation Algorithms to dynamically produce a large number of domain names for its command-and-control (C2) servers, making it more difficult for defenders to block or track its communications. Additionally, it uses Transport Layer Security to encrypt traffic between infected hosts and C2 servers, further obfuscating its activity and evading detection.

Once executed, Mints Loader establishes communication with its C2 infrastructure to download and execute follow-on payloads tailored to the target environment. In recent campaigns, Mints Loader has been used to deploy Ghostweaver, a stealthy and highly evasive backdoor designed for long-term access and cyber espionage. After the initial compromise, Mints Loader deploys Ghostweaver to maintain persistence, exfiltrate data, and enable remote command execution while avoiding detection by endpoint and network defenses. Ghostweaver is also equipped for lateral movement, making it ideal for reconnaissance and further compromise within a network.

Security Officer Comments:
Mints Loader is commonly distributed through phishing emails, malicious documents, and compromised websites. In recent campaigns, its operators have employed a social engineering technique known as ClickFix to compromise unsuspecting users. This tactic involves crafting malicious websites that mimic legitimate software downloads or document-sharing platforms. Victims are typically directed to these sites through phishing emails or malvertising and are presented with fabricated error messages claiming that a document or download has failed. To resolve the issue, users are prompted to click a "Fix" button, which then instructs them to copy and execute PowerShell commands, unknowingly initiating the malware infection chain.

This approach exploits the user's trust and their wish to troubleshoot a problem quickly, making the attack appear plausible while pressuring the victim to act before thinking. The pairing of Mints Loader with payloads like Ghostweaver, delivered via tactics such as ClickFix, demonstrates a multi-layered intrusion strategy that combines advanced technical capabilities with targeted psychological manipulation.

Suggested Corrections:
Organizations should prioritize employee training to help users recognize phishing emails, deceptive error messages, and unsolicited troubleshooting prompts. Note: legitimate websites or service providers will never ask users to manually copy and execute PowerShell commands to resolve technical issues. Such requests are a strong indicator of malicious intent. In addition to awareness training, organizations should implement technical controls by restricting access to command-line tools like PowerShell, allowing usage only for system administrators or trusted IT personnel. This approach significantly reduces the attack surface by limiting the ability of malware to execute scripts, thereby mitigating the risk of infection from tactics like ClickFix.
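The following audit script is an added example, not part of the original advisory or any vendor tooling. It checks two of the controls suggested above on a Windows host: whether PowerShell Script Block Logging is on (so a pasted ClickFix one-liner would be recorded) and whether the effective AppLocker policy denies the PowerShell hosts to standard users while still allowing them to administrators. It assumes it is run elevated on a Windows edition that ships the AppLocker module, and the well-known BUILTIN group SIDs it uses are the standard ones.

```powershell
# Added audit script (not from the article). Run elevated on a host with the
# AppLocker module (Windows Enterprise/Server). Assumption: the two BUILTIN SIDs
# below are the standard ones; adjust if you test domain groups instead.

# PowerShell hosts that a ClickFix lure would have the victim launch.
$hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:ProgramFiles\PowerShell\7\pwsh.exe"   # only present if PowerShell 7 is installed
) | Where-Object { Test-Path $_ }

# --- Check 1: Script Block Logging (event ID 4104 in the PowerShell/Operational log)
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 1) {
    Write-Host '[OK]   Script Block Logging is enabled; pasted commands will be recorded as 4104 events'
} else {
    Write-Host '[WARN] Script Block Logging is NOT enabled; a pasted ClickFix one-liner leaves no 4104 record'
}

# --- Check 2: AppLocker denies PowerShell to standard users, allows it to administrators
$policy = Get-AppLockerPolicy -Effective
$principals = [ordered]@{
    'standard user (BUILTIN\Users)'           = 'S-1-5-32-545'
    'administrator (BUILTIN\Administrators)'  = 'S-1-5-32-544'
}

foreach ($label in $principals.Keys) {
    # Test-AppLockerPolicy evaluates each path against the policy as the given principal.
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $hosts -User $principals[$label]
    foreach ($d in $decisions) {
        $blocked = $d.PolicyDecision -in @('Denied', 'DeniedByDefault')
        $exe     = Split-Path -Leaf $d.FilePath
        # Standard users should be blocked; administrators should still be allowed.
        $expectedBlocked = $label -like 'standard user*'
        if ($blocked -eq $expectedBlocked) {
            Write-Host ("[OK]   {0}: {1} -> {2}" -f $label, $exe, $d.PolicyDecision)
        } else {
            Write-Host ("[WARN] {0}: {1} -> {2} (expected {3})" -f $label, $exe, $d.PolicyDecision,
                        $(if ($expectedBlocked) { 'Denied' } else { 'Allowed' }))
        }
    }
}
```

A WARN line for the standard-user principal means the "restrict PowerShell to administrators" control is not actually in effect on that host, whatever the policy document says.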

Link(s):
https://thehackernews.com/2025/05/mintsloader-drops-ghostweaver-via.html