Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

MintsLoader Drops GhostWeaver via Phishing, ClickFix — Uses DGA, TLS for Stealth Attacks

The Hacker News by The Hacker News
May 2, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


May 02, 2025Ravie LakshmananMalware / Threat Intelligence

The malware loader known as MintsLoader has been used to deliver a PowerShell-based remote access trojan called GhostWeaver.

“MintsLoader operates through a multi-stage infection chain involving obfuscated JavaScript and PowerShell scripts,” Recorded Future’s Insikt Group said in a report shared with The Hacker News.

“The malware employs sandbox and virtual machine evasion techniques, a domain generation algorithm (DGA), and HTTP-based command-and-control (C2) communications.”

Phishing and drive-by download campaigns distributing MintsLoader have been detected in the wild since early 2023, per Orange Cyberdefense. The loader has been observed delivering various follow-on payloads like StealC and a modified version of the Berkeley Open Infrastructure for Network Computing (BOINC) client.

Cybersecurity

The malware has also been put to use by threat actors operating e-crime services like SocGholish (aka FakeUpdates) and LandUpdate808 (aka TAG-124), distributing via phishing emails targeting the industrial, legal, and energy sectors and fake browser update prompts.

MintsLoader Drops GhostWeaver via Phishing, ClickFix

In a notable twist, recent attack waves have employed the increasingly prevalent social engineering tactic called ClickFix to trick site visitors into copying and executing malicious JavaScript and PowerShell code. The links to ClickFix pages are distributed via spam emails.

“Although MintsLoader functions solely as a loader without supplementary capabilities, its primary strengths lie in its sandbox and virtual machine evasion techniques and a DGA implementation that derives the C2 domain based on the day it is run,” Recorded Future said.

Uses DGA, TLS for Stealth Attacks

These features, coupled with obfuscation techniques, enable threat actors to hinder analysis and complicate detection efforts. The primary responsibility of the malware is to download the next-stage payload from a DGA domain over HTTP by means of a PowerShell script.

GhostWeaver, according to a report from TRAC Labs earlier this February, is designed to maintain persistent communication with its C2 server, generate DGA domains based on a fixed-seed algorithm based on the week number and year, and deliver additional payloads in the form of plugins that can steal browser data and manipulate HTML content.

Cybersecurity

“Notably, GhostWeaver can deploy MintsLoader as an additional payload via its sendPlugin command. Communication between GhostWeaver and its command-and-control (C2) server is secured through TLS encryption using an obfuscated, self-signed X.509 certificate embedded directly within the PowerShell script, which is leveraged for client-side authentication to the C2 infrastructure,” Recorded Future said.

The disclosure comes as Kroll revealed attempts made by threat actors to secure initial access through an ongoing campaign codenamed CLEARFAKE that leverages ClickFix to lure victims into running MSHTA commands that ultimately deploy the Lumma Stealer malware.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Inside the Battle Over OpenAI’s Corporate Restructuring

Inside the Battle Over OpenAI’s Corporate Restructuring

Recommended.

EchoStar Corporation Announces Conference Call for Fourth Quarter and Full Year 2024 Financial Results

EchoStar Corporation Announces Conference Call for Fourth Quarter and Full Year 2024 Financial Results

February 22, 2025
Stocks making the biggest moves after hours: Meta Platforms, Microsoft, Tesla and more

Stocks making the biggest moves after hours: Meta Platforms, Microsoft, Tesla and more

January 29, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio