cert-orangecyberdefense-cti/mintsloader/2025-07-04-IoCs.md

🧀 Update on MintsLoader: a thread 🔽
MintsLoader is a JavaScript/PowerShell loader that was first detailed by OCD in 2024.
A new version has been around at least since early-June 2025.

Historically, new MintsLoader JS samples were easy to find because the obfuscation strings consistently used text from the book Andrew Melville by William Morison. The associated infrastructure could be tracked thanks to specific patterns and campaign IDs in the C2 URLs.

These detection opportunities were presented during the Botconf 2025. The new version has removed these notable behaviours and is seen in campaign with fake invoices lures. New indicators of compromise (IoCs) are available on our GitHub.

SHA256	C2 URL
19884c1fc4f67bf08fb083b6d8e932ac65f089a34359d382dd85034ece232fa5	hxxp://brettesxes.com/1.php?s=flibabc12
1c0a4da627018b16b8026906f8e94429414e18ddf8a39ddeaf3657a8a435f98b	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
364042bef303798f5bda6731986f0899249a8e365c167e642e9d2d972e9ab39f	hxxp://brettesxes.com/1.php?s=flibabc12
3ba55562cedae4ba63f6524ef67db3e7f8408cb8bc246ec104b8b9b773cc0103	hxxp://brettesxes.com/1.php?s=flibabc12
6a55395c382af0e51a787b6a6fd6d7a09acbd5910e6db24ef076bfc01135d28c	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
6d35e40419f52ac0e3603a05f7285a88b1a6bcb0ec83326d55407b33dd064c57	hxxp://brettesxes.com/1.php?s=flibabc12
6d851e332bc4f3c09b0a6088e607c31c0d8abf2e420605fb5365eca637946d77	hxxp://hisatophjrok12.top/1.php?s=flibabc11
7c912ad736527c4424f7d54548084c3e8f3c77ac05ff3d2804ea83af1227217d	hxxp://brettesxes.com/1.php?s=flibabc12
80915f47e95dbcb8e39b7b321cd495ee7e29ab1157f04810ed97b4abf5aabecb	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
8e66d186c7561bc4c34274f1ab2da1b6f8599f007053dee4c0661d320f0d92e2	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
9327fe5f064e84e9f871a7111dfdd2fc2e5c83654b3092b397cbd60bf3d1b095	hxxp://brettesxes.com/1.php?s=flibabc12
a220e8077eb7dc4e54b059af8981a34fbb4b62aea7076ee79f3899626d91a8e2	hxxp://brettesxes.com/1.php?s=flibabc12
a35227f589263f8fd52453d8b56dbc248751aa0d00f6d4b284fc3c771d516c7e	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
a5b6395b273fb5a4a582876bab4118ba203e858bad704dd7401b4096cb971677	hxxp://brettesxes.com/1.php?s=flibabc12
b3b11faa282eebff5bee6656ae5ec687426fbffcd9612a696e6fb9016ecd6b6e	hxxp://brettesxes.com/1.php?s=flibabc12
b4d74a98b5e91daeb7e0180e16c15886bcf2f2bafeea548b014824070234326f	hxxp://brettesxes.com/1.php?s=flibabc12
b68deb8eb170258ffc4df14f13562c64e1020b5156e8f53a7034a97b9159f580	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
bff9bba19ddc12a64ae816a30f3bed23dc111a49ad410fe5d3e73a016a90d6a7	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
c25ccf0cd6ef844bec3199a9a931851be4f70c2f8f8365c649dc43b75b800696	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
cf4ffe984b6f5b2e262ef72a6158f7a376fdf6e16e0e11d647b072dd254cfa6e	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
d45a3ee194ca62a5be9265215c2cdaedb1d6188e24ebad886fc1d78670c790b6	hxxp://brettesxes.com/1.php?s=flibabc12
d5614657c46eaee882f625efe9c1d8719a79e937c15ec3a395a2138653b620c9	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
d5b5db48b69dd28b22ec589cd7da0ffa96828232b7dd7d4d74da5f1afc26ac99	hxxp://brettesxes.com/1.php?s=flibabc12
d6e5f2e51647d868db7138e95cb673c305b1643580b888911c1fde57edeea522	hxxp://brettesxes.com/1.php?s=flibabc12
d969e8059e019d37f0ab0e562a58c50f35e7a7795f5aa29b0749d5d83ba85ed1	hxxp://brettesxes.com/1.php?s=flibabc12
f5a714720f2949ec411969e52e55db42d02200527918953b20b26f16c67f939e	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
f78220a8b721106389f90f88acdee18c4c5c6a076e2f565ebc1acee0429a7a24	hxxp://pessoresso.com/1.php?s=d5b0c64d-38dd-4503-82b3-c338c2fe4beb
fc34cd9c19d993c58136570d485cef697e1a4f49574317057d81c1ebdcc40028	hxxp://brettesxes.com/1.php?s=flibabc12