Hi,

The existing MintsLoader sigs don't detect these more recent MD5s (available on tria.ge). [1:2057741:2] ET MALWARE TA582 CnC Checkin does, but it is also dependent on the DGA continuing to use .top domains and not changing, so this is another detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE MintsLoader CnC Activity (GET) M2"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:".php?id="; content:"&key="; distance:0; content:"&s="; distance:0; pcre:"/&key=\d{11,12}&s=/"; http.user_agent; content:"WindowsPowerShell/"; nocase; classtype:trojan-activity; reference:url,go.recordedfuture.com/hubfs/reports/cta-2025-0429.pdf; reference:md5,dc9c6e67b962077810aa1363ccf371bc; reference:md5,555176dda034be756720e0b60f753da4; sid:165001; rev:1;)
Kind Regards,
Kevin Ross
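As an added illustration (not part of Kevin's post or the ET ruleset), the following Python reimplements the rule's match conditions offline so the logic can be checked against sample requests without running Suricata: GET method, the ordered URI contents ".php?id=" then "&key=" then "&s=", the 11-to-12-digit key from the pcre, and a User-Agent containing "WindowsPowerShell/". The request lines and URIs below are constructed to exercise the rule and are not captured MintsLoader traffic; the host and path values are placeholders.

```python
import re

# Same constraint as the rule's pcre: the key between "&key=" and "&s=" is 11 or 12 digits.
KEY_RE = re.compile(r"&key=\d{11,12}&s=")


def matches_rule(method, uri, user_agent):
    """Return True when a request satisfies every condition of the Suricata rule."""
    if method.upper() != "GET":
        return False
    # Ordered content matches: each string must appear after the previous one (distance:0).
    pos = uri.find(".php?id=")
    if pos < 0:
        return False
    pos = uri.find("&key=", pos + len(".php?id="))
    if pos < 0:
        return False
    if uri.find("&s=", pos + len("&key=")) < 0:
        return False
    # The pcre is applied to the whole URI buffer, independently of the content matches.
    if not KEY_RE.search(uri):
        return False
    # "nocase" on the User-Agent content match.
    return "windowspowershell/" in user_agent.lower()


def check_request(raw):
    """Parse a raw HTTP/1.x request head (constructed text, not a live capture) and evaluate it."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return matches_rule(method, uri, headers.get("user-agent", ""))


# Constructed samples (placeholder host/path values): (raw request, expected verdict).
SAMPLES = [
    ("GET /index.php?id=abc&key=123456789012&s=1 HTTP/1.1\r\nHost: example.invalid\r\n"
     "User-Agent: WindowsPowerShell/5.1.19041.1\r\n\r\n", True),
    ("GET /index.php?id=abc&key=12345678901&s=1 HTTP/1.1\r\nHost: example.invalid\r\n"
     "User-Agent: windowspowershell/5.1\r\n\r\n", True),          # 11-digit key, nocase UA
    ("GET /index.php?id=abc&key=1234567890&s=1 HTTP/1.1\r\nHost: example.invalid\r\n"
     "User-Agent: WindowsPowerShell/5.1\r\n\r\n", False),         # 10-digit key fails the pcre
    ("GET /index.php?id=abc&key=123456789012 HTTP/1.1\r\nHost: example.invalid\r\n"
     "User-Agent: WindowsPowerShell/5.1\r\n\r\n", False),         # no "&s=" after the key
    ("POST /index.php?id=abc&key=123456789012&s=1 HTTP/1.1\r\nHost: example.invalid\r\n"
     "User-Agent: WindowsPowerShell/5.1\r\n\r\n", False),         # wrong method
    ("GET /index.php?id=abc&key=123456789012&s=1 HTTP/1.1\r\nHost: example.invalid\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n", False),                   # browser User-Agent
]


def run_samples():
    """Evaluate every constructed sample; True where the verdict matches the expectation."""
    return [check_request(raw) == expected for raw, expected in SAMPLES]


if __name__ == "__main__":
    for (raw, expected), ok in zip(SAMPLES, run_samples()):
        print(raw.split("\r\n", 1)[0], "->", expected, "OK" if ok else "MISMATCH")
```

The negative samples are the cases worth keeping in mind when tuning: a key shorter than 11 digits or a URI that drops "&s=" will not fire, and neither will the same URI fetched by a non-PowerShell client.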