MintsLoader: StealC and BOINC Delivery

www.esentire.com · eSentire Threat Response Unit (TRU) · 1 year ago · tool
eSentire Threat Response Unit (TRU) · TRU Positive/Bulletin · January 16, 2025 · 10 min read

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes. We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware. Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…

What did we find?

In early January 2025, the eSentire Threat Response Unit (TRU) identified an ongoing campaign involving MintsLoader delivering second stage payloads such as StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client. MintsLoader is a PowerShell based malware loader that has been seen delivered via spam emails containing a link to KongTuke/ClickFix pages or to a JScript file. MintsLoader features a Domain Generation Algorithm (DGA) whose seed value is the sum of the current day of the month and a constant, combined with anti-VM techniques to evade sandboxes and malware researchers. Impacted organizations in the United States and Europe include the Electricity, Oil & Gas and Law Firms & Legal Services industries.

The MintsLoader infection process begins when the victim clicks a link in a spam email which downloads a JScript file matching the regex pattern “Fattura[0-9]{8}.js”.

Figure 1 – JScript download

The contents of the script can be seen in the following figure.

Figure 2 – JScript obfuscated contents

The contents of the deobfuscated JScript can be seen below. First a sleep occurs for 13 seconds, then a WScript.Shell object is instantiated, and its Run method is called to execute the first MintsLoader associated command in PowerShell. This command uses curl to retrieve the first stage of MintsLoader. Before the script exits, it deletes itself, likely to make it more difficult for responders to acquire the file for analysis. It is worth noting that the format of the PowerShell command is identical in cases where MintsLoader is instead delivered via ClickFix/KongTuke; there, however, it is executed from the Run prompt instead of via WScript.

Figure 3 – Deobfuscated JScript contents

The response from the MintsLoader C2 is obfuscated and is more PowerShell that again uses Invoke-Expression (iex) to execute the next stage.
Figure 4 – Obfuscated first stage

The next stage of PowerShell is obfuscated as well and begins by decoding each line, stored as an array of integers, to the equivalent ASCII characters.

Figure 5 – Obfuscated next stage

The beginning of the deobfuscated script checks whether the victim machine is a virtual machine via the IsVirtualMachine property returned by the Get-MpComputerStatus cmdlet. Also shown in the figure below, the variable $key stores a value that is used throughout the script and is later sent to the C2.

Figure 6 – Check if virtual machine via Get-MpComputerStatus

Next the WMI class Win32_VideoController is queried and its AdapterDACType property is matched against the following strings. The first statement in the switch statement aims to identify a system that is likely not a virtual machine by checking for the presence of the strings “Internal” or “Integrated”. The remaining strings serve to identify the machine as a VM and specifically target VMware and KVM/QEMU/Bochs based hypervisors:

- VMware
- Bochs
- Intel
- SeaBIOS

Figure 7 – Check if virtual machine via Win32_VideoController object AdapterDACType

Next, two constants are added to the $key variable and the WMI class Win32_CacheMemory is queried, acquiring the first object’s Purpose property and comparing it in a switch statement. The first two conditions in the switch statement check whether the property equals “L1” or is shorter than 4 characters, which aims to identify virtual machines. The final check aims to identify whether the system is likely a physical machine.

Figure 8 – Check if virtual machine via Win32_CacheMemory

MintsLoader then makes use of a DGA whose seed value is the current day of the month plus a constant. The generation loop is iterated 15 times, and on each iteration the System.Random object’s Next method supplies an index into the character array “ abcdefghijklmn”. Finally, the resulting C2 domain is appended with the TLD of the C2 server (.top).
Figure 9 – DGA generate C2 server for the day

A string containing part of the URI path is then built from a random alphanumeric character array with a length of 10 characters using the Get-Random cmdlet. This is used as part of the full C2 URI path. The query parameters are built as follows: the computer name, taken from the environment variable ComputerName, is used as the value of the id query parameter; the aforementioned $key variable is used as the value of the key query parameter; and the s query parameter contains a hard-coded number, e.g. 527. The curl command is used again to send the request to the C2, and the response from the C2 is again invoked via iex.

Figure 10 – Send request to C2 and invoke response

The following is a list of all the possible DGA generated domains identified in this campaign.

Figure 11 – Known DGA domains

The final PowerShell stage is also obfuscated and decodes more integers to ASCII. When deobfuscated, a poorly written and well-known Anti-Malware Scan Interface (AMSI) bypass technique fails to run due to improper de-obfuscation. A web request is then invoked to download the payload from temp[.]sh, a file hosting site that is a clone of Pomf[.]se. The response is written to the temp directory and executed. Though the file hosting site is no longer serving the file, the file, identified by its SHA-256, is available for download from VirusTotal. This file is a packed sample of the information stealing malware StealC.

Figure 12 – Final stage, download/execute StealC

StealC is an information stealer advertised by its developer “Plymouth” on Russian-speaking underground forums and has been sold as Malware-as-a-Service since January 2023. Re-engineered from the information stealer Arkei, first seen in 2018, StealC targets sensitive data stored by web browsers, extensions, applications, crypto-wallets, and email clients, including financial data, passwords, and tokens. Several legitimate DLLs, e.g.
sqlite3.dll, nss3.dll, mozglue.dll, softokn3.dll, and others are downloaded and utilized as part of this process. Harvested data is exfiltrated to its command and control (C2) server using HTTP POST requests. The admin panel for StealC can be seen in the figure below; it provides threat actors with a variety of features, such as a query builder for sorting through stolen logs.

Figure 13 – StealC operator panel from sales thread on exploit[.]in (Feb 2023)

StealC makes use of XOR encrypted strings to hide from static analysis. The routine that decrypts the strings is one of the first behaviors of StealC; the resulting decrypted strings are stored as DWORD pointers.

Figure 14 – StealC string decryption

For this particular sample (138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa) we identified the following C2 URL and Botnet ID in the strings:

Figure 15 – StealC C2 and Botnet ID

After string decryption and API resolution there are several anti-debug/anti-analysis subroutines. For example, the C code included below checks whether the username of the current user is “JohnDoe”. If so, the malware exits.

Figure 16 – StealC username check for JohnDoe

StealC contains a check to ensure the malware doesn’t run on any system whose default language ID is associated with Russia, Ukraine, Belarus, Kazakhstan, or Uzbekistan. If any of these languages match, the malware exits.

Figure 17 – StealC check for banned countries

The count of processor cores is checked; if the system only has a single core, the malware exits.

Figure 18 – StealC processors check

The total memory of the system is retrieved; if it is less than 1111 MB, the malware exits.

Figure 19 – StealC memory check

The vertical height of the system’s screen resolution is checked; if it is less than 666, the malware exits.

Figure 20 – StealC resolution check

Prior to communicating with the C2, a hardware ID (HWID) is generated.
This HWID is generated from the C:\ drive volume serial number and is unlikely to change, so it is likely checked by threat actors to filter stolen logs in the backend or as a measure to deny access to known sandboxes. The Python script here can be used to generate the HWID and to decode an existing HWID if one is identified in incidents where HTTP traffic has been captured.

Figure 21 – StealC HWID generation via Volume Serial

The following figure displays the initial HTTP POST request to the script gate, where “” represents the generated HWID. Though the C2 is no longer online, the response would contain a base64 encoded configuration. Subsequent HTTP POST requests follow a similar format and are used for exfiltration of harvested files, credentials, and other sensitive information. HTTP GET requests are used for retrieving needed third party libraries, such as sqlite3.dll.

Figure 22 – StealC Initial C2 request

What did we do?

Our team of 24/7 SOC Cyber Analysts proactively isolated the affected host to contain the infection on the customer’s behalf. We communicated what happened with the customer and helped them with remediation efforts.

What can you learn from this TRU Positive?

The MintsLoader campaign is an evasive threat found targeting organizations in the United States and Europe. It is primarily distributed via spam emails containing a link to a JScript file or via ClickFix/KongTuke, and when paired with information stealers like StealC it becomes an even more capable threat to the confidentiality and integrity of sensitive data.
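The anti-VM checks described for MintsLoader (Figures 6 to 8) and the anti-analysis checks in StealC (Figures 16 to 20) are exactly what an analysis sandbox has to survive before either sample reaches its payload or C2 stage. The following added example (not eSentire's tooling) evaluates a constructed sandbox profile against those checks so an analyst can see which ones would stop detonation; the profile layout is an assumption, and the language ID set is the standard Windows IDs for the locales named in the post.

```python
from dataclasses import dataclass
from typing import Dict, List

# Language IDs for the locales StealC refuses to run under (ru-RU, uk-UA, be-BY,
# kk-KZ, uz-Latn-UZ, uz-Cyrl-UZ). Assumption: the sample compares the default
# language ID, so both Uzbek variants are listed.
STEALC_BANNED_LANGIDS = {0x0419, 0x0422, 0x0423, 0x043F, 0x0443, 0x0843}
HYPERVISOR_DAC_STRINGS = ("VMware", "Bochs", "Intel", "SeaBIOS")

@dataclass
class SandboxProfile:
    """What the samples would observe inside a detonation VM (constructed layout)."""
    is_virtual_machine: bool   # Get-MpComputerStatus -> IsVirtualMachine
    adapter_dac_type: str      # Win32_VideoController -> AdapterDACType
    cache_purpose: str         # first Win32_CacheMemory object -> Purpose
    username: str
    lang_id: int               # default language ID
    cpu_cores: int
    total_memory_mb: int
    screen_height_px: int

def mintsloader_checks(p: SandboxProfile) -> List[str]:
    """MintsLoader anti-VM checks this profile trips (any one stops the loader)."""
    tripped = []
    if p.is_virtual_machine:
        tripped.append("IsVirtualMachine is true")
    dac = p.adapter_dac_type
    # "Internal"/"Integrated" is taken as physical; only otherwise are hypervisor strings tested.
    if not any(s in dac for s in ("Internal", "Integrated")):
        if any(s in dac for s in HYPERVISOR_DAC_STRINGS):
            tripped.append(f"AdapterDACType '{dac}' matches a hypervisor string")
    if p.cache_purpose == "L1" or len(p.cache_purpose) < 4:
        tripped.append(f"Win32_CacheMemory Purpose '{p.cache_purpose}' looks virtual")
    return tripped

def stealc_checks(p: SandboxProfile) -> List[str]:
    """StealC anti-analysis checks this profile trips (any one makes it exit)."""
    tripped = []
    if p.username == "JohnDoe":
        tripped.append("username is JohnDoe")
    if p.lang_id in STEALC_BANNED_LANGIDS:
        tripped.append(f"language ID 0x{p.lang_id:04X} is on the exclusion list")
    if p.cpu_cores == 1:
        tripped.append("only one processor core")
    if p.total_memory_mb < 1111:
        tripped.append(f"{p.total_memory_mb} MB RAM is below the 1111 MB threshold")
    if p.screen_height_px < 666:
        tripped.append(f"screen height {p.screen_height_px} px is below 666")
    return tripped

def evaluate(p: SandboxProfile) -> Dict[str, List[str]]:
    """Map each family to the checks it would trip; empty lists mean the sample runs."""
    return {"MintsLoader": mintsloader_checks(p), "StealC": stealc_checks(p)}

# Constructed profiles: a stock analysis VM and one tuned to pass the checks above.
STOCK_VM = SandboxProfile(True, "n/a", "L1", "JohnDoe", 0x0409, 1, 1024, 600)
TUNED_VM = SandboxProfile(False, "Integrated RAMDAC", "L1 Cache", "jsmith", 0x0409, 4, 8192, 1080)

if __name__ == "__main__":
    for name, profile in (("stock", STOCK_VM), ("tuned", TUNED_VM)):
        for family, hits in evaluate(profile).items():
            print(f"{name:5} {family:11} {'; '.join(hits) or 'runs'}")
```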
Recommendations from the Threat Response Unit (TRU):

- Disable the Run prompt via GPO: User Configuration > Administrative Templates > Start Menu and Taskbar > Enable “Remove Run menu from Start Menu”
- Disable wscript.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
  C:\Windows\System32\WScript.exe
  C:\Windows\SysWOW64\WScript.exe
  *:\Windows\System32\WScript.exe (the * wildcard covers drive letters other than C)
  *:\Windows\SysWOW64\WScript.exe (the * wildcard covers drive letters other than C)
- Disable mshta.exe via AppLocker GPO or Windows Defender Application Control (WDAC):
  C:\Windows\System32\mshta.exe
  C:\Windows\SysWOW64\mshta.exe
  *:\Windows\System32\mshta.exe (the * wildcard covers drive letters other than C)
  *:\Windows\SysWOW64\mshta.exe (the * wildcard covers drive letters other than C)
- Employ email filtering and protection measures.
- Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) solution to detect and contain threats.
- Implement a Phishing and Security Awareness Training (PSAT) program that educates and informs your employees.

Indicators of Compromise

You can access the Indicators of Compromise here.
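The MintsLoader check-in described earlier (a DGA host under .top, a 10-character random path, and id/key/s query parameters) is also a usable proxy-log detection to pair with the recommendations above. The following is an added example, not eSentire's code: the log layout, hostnames and sample lines are constructed, and it assumes the DGA emits 15 letters from a-n (the leading space in the array is taken to be unreachable).

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumption: 15 DGA rounds over the letters a-n, always under the .top TLD.
DGA_HOST = re.compile(r"^[a-n]{15}\.top$")
# The URI path is 10 random alphanumeric characters produced with Get-Random.
RANDOM_PATH = re.compile(r"^/[A-Za-z0-9]{10}$")
# id=<computer name>, key=<$key>, s=<hard-coded number, e.g. 527>
C2_PARAMS = {"id", "key", "s"}
# Constructed proxy log layout: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

def classify_url(url: str) -> List[str]:
    """Return the MintsLoader C2 indicators a URL exhibits (empty list = clean)."""
    parts = urlsplit(url)
    reasons = []
    if DGA_HOST.match(parts.hostname or ""):
        reasons.append("dga-host")
    if RANDOM_PATH.match(parts.path):
        reasons.append("random-path")
    qs = parse_qs(parts.query, keep_blank_values=True)
    if C2_PARAMS <= set(qs) and qs["s"][0].isdigit():
        reasons.append("c2-params")
    return reasons

def scan_log(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (client, url, reasons) for lines worth an alert.

    A DGA-shaped host is enough on its own; otherwise both the 10-character
    path and the id/key/s parameters are required to keep false positives down.
    """
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        reasons = classify_url(m["url"])
        if "dga-host" in reasons or {"random-path", "c2-params"} <= set(reasons):
            hits.append((m["client"], m["url"], reasons))
    return hits

# Constructed sample traffic; hosts, paths and parameter values are made up.
SAMPLE_LOG = [
    "2025-01-08T10:02:11Z 10.0.0.25 GET http://abcdefghijklmna.top/Q7x3Lp9Zc1?id=WS-FIN-07&key=4912&s=527 200",
    "2025-01-08T10:02:40Z 10.0.0.25 GET https://www.example.com/index.html 200",
    "2025-01-08T10:03:02Z 10.0.0.31 GET http://cdn.example.net/Ab12Cd34Ef?id=WS-LGL-03&key=6160&s=527 200",
    "2025-01-08T10:04:15Z 10.0.0.31 GET http://update.example.org/api/v1/status?id=1 200",
]

if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} {url} -> {', '.join(reasons)}")
```

The third sample line shows the fallback rule: no DGA host, but the path shape plus the exact parameter set still raises it for review.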