
Malware Attack Campaign Utilizes MintsLoader to Distribute StealC Information Stealer

By Ravie Lakshmanan, January 27, 2025

Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source program. The attackers use compromised WordPress sites to host a realistic-looking message board in which a thread offers a download that purports to be exactly what the victim was searching for.

Sophos Reveals "Mothership" Server

The malware operators modify the compromised WordPress sites so that the fake forum page content is loaded dynamically from a separate server, referred to by Sophos as the "mothership", instead of being stored in the site's own content. Because the malicious page is fetched on demand from the mothership, the site owners have difficulty spotting the modifications, and a visit by the owner to their own pages does not trigger the GootLoader code.

GootLoader Campaigns: Geofencing and Blocklisting

Besides geofencing, which serves the malicious content only to requests originating from IP address ranges in specific countries of interest, GootLoader campaigns go one step further: once a potential victim has been served the infected page, their IP address is added to a block list, so the same address is served the malicious content at most once in 24 hours. This gating makes the infection chain hard to reproduce: a second fetch from the same address within the window returns an innocuous page, which hinders site owners, incident responders and researchers who try to confirm what a victim actually saw.
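The geofence and once-per-IP gating described above, as an added example that is not part of the article or the Sophos report: a small Python model of the assumed gating logic on the mothership, replayed against a constructed request sequence, with a defender-side check that explains why one fetch of the page proves nothing. The target-country list, IP addresses, country codes and timestamps are all made up for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

BLOCK_WINDOW = timedelta(hours=24)


@dataclass
class Mothership:
    """Model of the gating on the 'mothership' server (assumed logic, not recovered code).

    Serves the fake forum page only to visitors from a country of interest, and only
    once per source IP within BLOCK_WINDOW; every other request gets the clean page.
    """
    allowed_countries: Set[str]
    blocklist: Dict[str, datetime] = field(default_factory=dict)  # ip -> last time served

    def serve(self, ip: str, country: str, now: datetime) -> str:
        if country not in self.allowed_countries:
            return "clean-page"                      # geofence: wrong country, never served
        last = self.blocklist.get(ip)
        if last is not None and now - last < BLOCK_WINDOW:
            return "clean-page"                      # same IP again inside 24 h
        self.blocklist[ip] = now                     # remember this IP for 24 h
        return "fake-forum"


def probe(server: Mothership, requests: List[Tuple[str, str, datetime]]) -> List[str]:
    """Replay a sequence of (ip, country, timestamp) requests and collect responses."""
    return [server.serve(ip, country, when) for ip, country, when in requests]


def is_cloaked(responses: List[str]) -> bool:
    """Defender check: the same URL answering differently to equivalent requests is the
    signature of gating like this; a single fetch can never show it."""
    return len(set(responses)) > 1


# Constructed request sequence (not captured traffic):
T0 = datetime(2025, 1, 20, 9, 0)
REQUESTS = [
    ("198.51.100.7", "US", T0),                        # victim, first visit -> payload
    ("198.51.100.7", "US", T0 + timedelta(hours=1)),   # same IP retries -> clean
    ("203.0.113.9",  "BR", T0 + timedelta(hours=1)),   # outside geofence -> clean
    ("192.0.2.44",   "GB", T0 + timedelta(hours=2)),   # fresh IP in target country -> payload
    ("198.51.100.7", "US", T0 + timedelta(hours=25)),  # block entry expired -> payload again
]


def run_demo() -> List[str]:
    """Serve the constructed requests against an assumed target-country list."""
    server = Mothership(allowed_countries={"US", "GB", "DE"})
    return probe(server, REQUESTS)


if __name__ == "__main__":
    responses = run_demo()
    for (ip, cc, when), resp in zip(REQUESTS, responses):
        print(f"{when:%Y-%m-%d %H:%M} {ip:14} {cc}  -> {resp}")
    print("cloaking detected:", is_cloaked(responses))
```

The practical consequence for a site owner or responder is the second line of the replay: the retry from the victim's address returns the clean page, so the check has to come from a fresh address in a targeted country (or after the 24-hour window) and the two responses compared, rather than trusting a single fetch.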

Expert Insights

"Every aspect of this process is obfuscated to such a degree that even the owners of the compromised WordPress pages often cannot identify the modifications in their own site or trigger the GootLoader code to run when they visit their own pages," security researcher Gabor Szappanos said.
