
Unloading MintsLoader IoCs Using DNS Intelligence

Several American and European organizations across the energy, oil and gas, and legal sectors were recently targeted by a campaign leveraging MintsLoader, a malware loader that delivers malicious software to a victim’s device. To evade detection, MintsLoader employs stealthy techniques, such as a domain generation algorithm (DGA), to create new command-and-control (C&C) servers.

The eSentire Threat Response Unit (TRU) published 61 indicators of compromise (IoCs) involved in the ongoing MintsLoader campaign. The list comprised 57 domain names and four IP addresses, which the WhoisXML API research team analyzed and expanded. By the end of our analysis, we uncovered more threat artifacts, including:

  • Two additional IP addresses, one of which turned out to be malicious
  • 46 IP-connected domains, 27 of which were malicious
  • 142 string-connected domains, 25 of which turned out to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the IoCs

This part of our investigation aimed to identify the characteristics of the IoCs. To begin, we queried the 57 domains tagged as IoCs on Bulk WHOIS API and found that only 50 had current WHOIS records. Here’s a breakdown of their record details.

  • A total of 48 domains were administered by NiceNIC International Group, while the other two were under Global Domain Group.
  • Almost all of the domain IoCs were created between December 2024 and January 2025. More than half of the domain IoCs, 30 to be exact, were registered in January 2025, 19 were created in December 2024, and one was registered in June 2024. Seven domain IoCs did not have current creation dates.
  • All other WHOIS data points, including registrant name, email address, organization, and country, have been redacted for privacy.

A DNS Chronicle API query for the 57 domains tagged as IoCs revealed that only 35 had historical IP resolutions. They collectively posted a total of 94 IP resolutions over time. The IoC xaides[.]com recorded the earliest IP resolution date—26 November 2021. This was a telltale sign that the domain was old and possibly only reregistered on its current WHOIS creation date—2 January 2025. DNS Chronicle API further revealed that the domain IoC immediately resolved to an IP address a few hours after it was reregistered.

Short mobilization windows between WHOIS creation and IP resolution were common among the other domain IoCs. The table below shows the current total number of IP resolutions, current WHOIS creation dates, and first and last IP resolution dates for five other domain IoCs.

Domain IoC             | Total number of IP resolutions | Current WHOIS creation date | First IP resolution date | Last IP resolution date
rosettahome[.]top      | 20                             | 15 June 2024                | 16 June 2024             | 4 February 2025
nfuvueibzi4[.]top      | 2                              | 3 January 2025              | 4 January 2025           | 7 January 2025
sdubvlbbuz3vzzz[.]top  | 2                              | 19 December 2024            | 20 December 2024         | 25 December 2024
hjbamcnnkmfjbld[.]top  | 2                              | 24 January 2025             | 24 January 2025          | 25 January 2025
bidjdlegcnincee[.]top  | 2                              | 27 January 2025             | 27 January 2025          | 28 January 2025

Note that according to eSentire, MintsLoader is an ongoing campaign, which is consistent with our finding active IP resolutions for the IoCs on the day of the DNS Chronicle API queries.

Our Bulk IP Geolocation Lookup query on the four IP addresses tagged as IoCs revealed that:

  • Two IP addresses were geolocated in the U.S., one in Russia, and another in Germany.
  • Only one IP address had an ISP on record, namely, Hostinger.

We then queried the four IP addresses on DNS Chronicle API, which revealed that three had historical domain resolutions. Altogether, they posted 113 domain resolutions over time. The IP address 45[.]61[.]136[.]138 recorded the earliest first domain resolution date (i.e., 2 March 2022) and had a total of 79 domain resolutions up until 17 January 2025.

IoC List Expansion Analysis Findings

The next part of our investigation pivoted off the IoCs and the abovementioned characteristics to look for more threat artifacts. As our first step, we queried the 57 domains tagged as IoCs on DNS Lookup API and found that seven actively resolved to two IP addresses after duplicates and those already identified as IoCs were filtered out.
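The two analysis steps described above, measuring the window between a domain's WHOIS creation date and its first IP resolution, and then pivoting from the IoC domains to their resolved IPs and back to other domains on those IPs, can be reproduced over any passive-DNS export. The script below is an added example written for this post; it is not WhoisXML API's code and calls none of its APIs. The four domain IoCs, their creation and first-resolution dates, and the IP 45[.]61[.]136[.]138 are taken from the post; every other record (the RFC 5737 documentation addresses, the *.example domains, and the pairing of domains to IPs) is constructed so the example runs offline.

```python
from collections import defaultdict
from datetime import datetime

# IoCs quoted from the post in their published (defanged) form, plus one IP IoC.
IOC_DOMAINS = [
    "rosettahome[.]top",
    "nfuvueibzi4[.]top",
    "sdubvlbbuz3vzzz[.]top",
    "hjbamcnnkmfjbld[.]top",
]
IOC_IPS = {"45.61.136.138"}

# Constructed WHOIS-style records: the creation dates are the ones the post
# reports for these four domains, but the dict itself is not API output.
WHOIS_CREATED = {
    "rosettahome.top": "15 June 2024",
    "nfuvueibzi4.top": "3 January 2025",
    "sdubvlbbuz3vzzz.top": "19 December 2024",
    "hjbamcnnkmfjbld.top": "24 January 2025",
}

# Constructed passive-DNS style records: (domain, ip, first_seen).
# 198.51.100.7, 203.0.113.9 and 192.0.2.44 are RFC 5737 documentation
# addresses; the *.example names are placeholders for "IP-connected" domains.
RESOLUTIONS = [
    ("rosettahome.top", "45.61.136.138", "16 June 2024"),
    ("rosettahome.top", "198.51.100.7", "4 February 2025"),
    ("nfuvueibzi4.top", "198.51.100.7", "4 January 2025"),
    ("sdubvlbbuz3vzzz.top", "203.0.113.9", "20 December 2024"),
    ("hjbamcnnkmfjbld.top", "203.0.113.9", "24 January 2025"),
    ("pivot-candidate-1.example", "198.51.100.7", "10 January 2025"),
    ("pivot-candidate-2.example", "203.0.113.9", "2 February 2025"),
    ("unrelated-host.example", "192.0.2.44", "1 March 2024"),
]


def refang(domain: str) -> str:
    """Turn the published 'x[.]y' form back into a plain domain name."""
    return domain.replace("[.]", ".")


def parse_day(text: str):
    """Parse the '16 June 2024' date style used in the post's table."""
    return datetime.strptime(text, "%d %B %Y").date()


def mobilization_windows(whois_created, resolutions):
    """Days from WHOIS creation to the first observed IP resolution, per domain.

    A window of a day or less is the pattern the post calls a short
    mobilization window: the domain is put to use almost as soon as it exists.
    """
    first_seen = {}
    for domain, _ip, seen in resolutions:
        day = parse_day(seen)
        if domain not in first_seen or day < first_seen[domain]:
            first_seen[domain] = day
    return {
        domain: (first_seen[domain] - parse_day(created)).days
        for domain, created in whois_created.items()
        if domain in first_seen
    }


def pivot_to_new_ips(ioc_domains, ioc_ips, resolutions):
    """Forward pivot: IPs the IoC domains resolve to that are not already IoCs.

    Keying the result by IP collapses duplicates, mirroring the post's
    "after duplicates and those already identified as IoCs were filtered out".
    """
    iocs = {refang(d) for d in ioc_domains}
    by_ip = defaultdict(set)
    for domain, ip, _seen in resolutions:
        if domain in iocs and ip not in ioc_ips:
            by_ip[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in by_ip.items()}


def ip_connected_domains(new_ips, ioc_domains, resolutions):
    """Reverse pivot: other domains sharing the newly found IPs, IoCs excluded."""
    iocs = {refang(d) for d in ioc_domains}
    connected = defaultdict(set)
    for domain, ip, _seen in resolutions:
        if ip in new_ips and domain not in iocs:
            connected[ip].add(domain)
    return {ip: sorted(domains) for ip, domains in connected.items()}


if __name__ == "__main__":
    for domain, days in sorted(mobilization_windows(WHOIS_CREATED, RESOLUTIONS).items()):
        print(f"{domain:24} creation -> first resolution: {days} day(s)")
    new_ips = pivot_to_new_ips(IOC_DOMAINS, IOC_IPS, RESOLUTIONS)
    print("additional IPs:", new_ips)
    print("IP-connected domains:", ip_connected_domains(set(new_ips), IOC_DOMAINS, RESOLUTIONS))
```

Candidates surfaced by the reverse pivot are only leads: in the post they were passed through a separate threat-intelligence check before being labelled malicious, and a shared IP on its own (for instance a large shared hosting address) is not evidence of a relationship.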

Threat Intelligence API queries for the two additional IP addresses revealed that one of them was malicious, having been associated with malware attacks. A bulk IP geolocation lookup for the two additional IP addresses showed that:

  • They were geolocated in the U.S.
  • None of them had ISPs on record, similar to most of the IP addresses tagged as IoCs.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
