NOTE: This has been updated to correct the malware names. Thanks, @netresec!

2026-02-02 (Monday) #KongTuke #ClickFix activity leads to #MintsLoader and #GhostWeaver #RAT

Today, the ClickFix text uses the "finger" command, which is a tactic used by KongTuke and other ClickFix campaigns in previous weeks/months.

A #pcap of the infection traffic, some artifacts, and further details are available at https://www.malware-traffic-analysis.net/2026/02/02/index.html

@malware_traffic 173.232.146.62:25658 looks like GhostWeaver rather than AsyncRAT
MintsLoader Malware Analysis: Multi-Stage Loader Used by TAG-124 and SocGholish

Discover how MintsLoader operates as a stealthy, obfuscated malware loader distributing GhostWeaver, StealC, and BOINC. Read Recorded Future’s in-depth analysis of its evasion tactics, DGA-based C2s, and use in phishing and drive-by campaigns.

@malware_traffic The traffic to sbwur1[.]top / gecdfcjcbcmmakk[.]top / 64.52.80.153 behaves like MintsLoader
@netresec Thanks! When I have time, I'll update the blog post to reflect this info!
@malware_traffic You're welcome. The MintsLoader/GhostWeaver parts of the infection chain are the same as in your "2026-01-08 KongTuke ClickFix", which I analyzed here:
https://netresec.com/?b=261f535
Decoding malware C2 with CyberChef

This video tutorial demonstrates how malware XOR encrypted and obfuscated C2 traffic can be decoded with CyberChef. The analyzed PCAP files can be downloaded from malware-traffic-analysis.net. CyberChef recipe to decode the reverse shell traffic to 103.27.157.146:4444: From_Hex('Auto') XOR({'option'[...]

Netresec
@netresec Lol, I've been calling this Async RAT ever since I first saw it, and no one reached out to correct me about it until now. Thanks!
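The CyberChef recipe linked above (From_Hex('Auto') followed by XOR) is easy to reproduce outside the browser when triaging a pcap. The script below is an added example, not code from Netresec, CyberChef or malware-traffic-analysis.net: it mimics the "Auto" hex parsing (delimiters and 0x prefixes ignored), applies a repeating-key XOR, and, when the key is unknown, brute-forces a single-byte key by scoring how shell-like the output looks. The sample traffic, key (0x5a) and command line are constructed for the demo and are not taken from the captures in the thread.

```python
"""
Decode XOR-obfuscated C2 data the way the CyberChef recipe
From_Hex('Auto') -> XOR(key) does. Added example with constructed data;
not taken from the pcaps or recipes referenced in the thread.
"""
import re
from itertools import cycle
from typing import Optional


def from_hex_auto(text: str) -> bytes:
    """Approximate CyberChef's From_Hex('Auto'): drop 0x prefixes and any
    delimiter (spaces, commas, colons, newlines) and keep only hex digits."""
    cleaned = re.sub(r"(?<![0-9a-fA-F])0x", "", text)
    cleaned = re.sub(r"[^0-9a-fA-F]", "", cleaned)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation CyberChef's XOR op performs."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def score_plaintext(data: bytes) -> int:
    """Heuristic: shell-style C2 traffic is mostly lowercase letters and
    spaces; non-printable bytes are penalised heavily."""
    score = 0
    for b in data:
        if 0x61 <= b <= 0x7A or b == 0x20:
            score += 2
        elif 0x21 <= b <= 0x7E or b in (9, 10, 13):
            score += 1
        else:
            score -= 5
    return score


def recover_single_byte_key(data: bytes) -> int:
    """Try all 256 single-byte keys and return the one whose output scores
    most text-like. Only useful when the key really is one byte."""
    return max(range(256),
               key=lambda k: score_plaintext(xor_bytes(data, bytes([k]))))


# Constructed sample (hypothetical, not from any real capture): a reverse-shell
# command line XOR'd with key 0x5a, then hex-encoded with spaces and 0x prefixes.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"cmd.exe /c whoami && hostname\r\n"
SAMPLE_HEX = " ".join(f"0x{b ^ SAMPLE_KEY:02x}" for b in SAMPLE_PLAINTEXT)


def decode_sample(hex_text: str = SAMPLE_HEX, key: Optional[int] = None) -> bytes:
    """Full recipe: hex -> bytes -> XOR. Recovers a single-byte key if none given."""
    raw = from_hex_auto(hex_text)
    if key is None:
        key = recover_single_byte_key(raw)
    return xor_bytes(raw, bytes([key]))


if __name__ == "__main__":
    raw = from_hex_auto(SAMPLE_HEX)
    k = recover_single_byte_key(raw)
    print(f"recovered key: 0x{k:02x}")
    print(xor_bytes(raw, bytes([k])).decode("ascii", errors="replace"))
```

For multi-byte keys, pass the key explicitly to `decode_sample` (or `xor_bytes`) once you have it from the sample or from CyberChef; the brute-force step only covers the single-byte case shown in the recipe.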