Security researchers have documented a malware campaign in which the MintsLoader loader delivers a remote access trojan (RAT) known as GhostWeaver. The attacks rely on phishing emails and a social engineering technique called ClickFix to distribute malicious JavaScript and PowerShell scripts.
How MintsLoader Works
According to Recorded Future's Insikt Group, MintsLoader follows a multi-stage infection chain that starts with obfuscated JavaScript, followed by PowerShell scripts. The malware is equipped with:
- Sandbox and virtual machine evasion techniques
- Domain Generation Algorithm (DGA) for C2 communication
- HTTP and TLS protocols for stealth and persistence
Detected in the wild since early 2023, MintsLoader has been spread via phishing emails and drive-by download attacks. It has deployed other payloads such as StealC and a modified version of BOINC.
Linked to Known Threat Actors
Threat groups like SocGholish (FakeUpdates) and LandUpdate808 (TAG-124) have been seen using MintsLoader in targeted attacks aimed at sectors like industrial, legal, and energy. Delivery mechanisms include fake browser update pages and deceptive phishing messages.
ClickFix Social Engineering Trick
Recent campaigns introduced a method called ClickFix, which tricks users into executing code themselves by copying it into the browser console. The malicious instructions are typically delivered through spam emails disguised as legitimate alerts or updates.
Although MintsLoader is only a loader with no additional functionality of its own, it is highly effective: its DGA for C2 domains and its sandbox evasion make analysis and blocking significantly harder.
GhostWeaver: Modular and Persistent RAT
Originally reported by TRAC Labs in February 2025, GhostWeaver communicates with its command-and-control (C2) server using TLS encryption and a self-signed X.509 certificate embedded in PowerShell. Its key capabilities include:
- Persistent C2 communication
- A DGA that derives C2 domains from the current week and year
- Modular plugin delivery to steal browser data and modify HTML content
- Ability to redeploy MintsLoader via command
Related Threat: CLEARFAKE Deploying Lumma Stealer
The report aligns with Kroll's findings on the CLEARFAKE campaign, which uses ClickFix and MSHTA commands to deliver the Lumma Stealer. Together, the two reports point to a growing trend of advanced social engineering combined with script-based malware distribution.
How to Protect Yourself
To mitigate risks from these types of threats, organizations should:
- Block scripting in browsers and emails where possible
- Deploy modern endpoint detection and response (EDR) tools
- Train staff to recognize ClickFix-style prompts and phishing emails
- Regularly update threat intel feeds and blacklist known DGA domains
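The advice above to block known DGA domains covers only domains that threat intel has already published, while the DGA described earlier produces fresh domains every week. The following added example, which is not part of the original article or of either vendor's tooling, shows how a defender can combine both angles over DNS query logs: exact matches against a blocklist feed, plus a heuristic for random-looking registrable labels (high character entropy, few vowels). The log format, the sample lines, and the blocklist entry are all constructed placeholders.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log in a hypothetical "<timestamp> <client> <qname>" format.
# None of these hosts are real indicators; the two random-looking .top domains and the
# "known-bad" entry are made up for the demonstration.
SAMPLE_DNS_LOG = """\
2025-05-01T10:00:01Z 10.0.0.15 www.example.com
2025-05-01T10:00:02Z 10.0.0.15 updates.microsoft.com
2025-05-01T10:00:03Z 10.0.0.15 x7kq9zt2pm4wvb.top
2025-05-01T10:00:04Z 10.0.0.22 mail.google.com
2025-05-01T10:00:05Z 10.0.0.22 known-bad-example.xyz
2025-05-01T10:00:06Z 10.0.0.22 q3h8rfz1ydnl6kc.top
"""

# Placeholder standing in for a threat-intel feed of published DGA domains.
KNOWN_DGA_DOMAINS = {"known-bad-example.xyz"}

VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score close to log2(len)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD, e.g. 'example' for 'www.example.com'.
    Scoring only this label avoids false positives on hashed CDN subdomains.
    Naive assumption: single-label TLD (a public-suffix list is needed for co.uk etc.)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_algorithmic(label: str, min_len: int = 10,
                      min_entropy: float = 3.5, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic for DGA-style labels: long, high-entropy, and almost vowel-free."""
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = (sum(ch in VOWELS for ch in letters) / len(letters)) if letters else 0.0
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio <= max_vowel_ratio)


def scan_dns_log(log_text: str, blocklist: set) -> list:
    """Return one hit per flagged query: blocklist match first, heuristic second."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crashing the scan
        ts, client, qname = fields
        qname = qname.lower().rstrip(".")
        if qname in blocklist:
            hits.append({"ts": ts, "client": client, "qname": qname, "reason": "blocklist"})
        elif looks_algorithmic(registrable_label(qname)):
            hits.append({"ts": ts, "client": client, "qname": qname, "reason": "dga-heuristic"})
    return hits


def clients_by_flag_count(hits: list) -> dict:
    """Count flagged queries per client; a host resolving many such names is the one to triage."""
    counts = defaultdict(int)
    for hit in hits:
        counts[hit["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG, KNOWN_DGA_DOMAINS):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} [{hit['reason']}]")
    print(clients_by_flag_count(scan_dns_log(SAMPLE_DNS_LOG, KNOWN_DGA_DOMAINS)))
```

The entropy thresholds are a starting point, not a verdict: legitimate hostnames with short, vowel-rich labels pass untouched, but a single heuristic hit is weak evidence on its own. Counting hits per client, and in a real deployment correlating them with NXDOMAIN responses, is what separates a host cycling through a DGA from an occasional odd-looking lookup.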
The increasing use of malware loaders like MintsLoader, combined with advanced social engineering techniques like ClickFix, underlines the need for proactive cybersecurity strategies. Organizations must remain vigilant as cybercriminals evolve their tactics to bypass traditional defenses.