MiniJunk

Malware

⚠️ Overview

MiniJunk is a lightweight downloader trojan first documented by Microsoft in 2024 as part of its malware ecosystem tracking, categorized under the TrojanDownloader family. It is primarily attributed to a financially motivated threat actor cluster tracked as DEV-1080, which also operates the larger JunkCrypt ransomware campaign. MiniJunk acts as an initial access payload that delivers second-stage malware such as JunkCrypt ransomware or information stealers, leveraging social engineering lures in phishing emails.

🔧 Technical Capabilities

MiniJunk propagates via malicious Microsoft Office documents or PDF attachments containing embedded VBA macros or JavaScript downloaders. Once executed, it contacts its command-and-control (C2) infrastructure over HTTP and retrieves the next-stage binary as an encrypted payload. The malware implements basic evasion techniques, including API unhooking via direct system calls and runtime decryption of its configuration with a hardcoded XOR key. Persistence is achieved by creating a scheduled task or a Registry Run key value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. MiniJunk also performs environment checks to detect sandboxes or virtual machines, inspecting system memory size and disk geometry before executing its malicious actions.
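The runtime XOR decryption described above is the part an analyst has to undo when pulling the C2 configuration out of a sample. The following is an added example, not code from this page, from Microsoft, or from any MiniJunk sample: it shows the analyst-side recovery for both a single-byte key (exhaustive search with a crib) and a short repeating key (derived from a known plaintext prefix such as "http://"). The key, the plaintext configuration, the blobs and the C2 host are all constructed for illustration; a real sample's key is whatever is hardcoded in the binary.

```python
"""Recovering a XOR-encrypted configuration blob on the analyst's side.

Added example, not code from the page, from Microsoft, or from any
MiniJunk sample. The key, the plaintext configuration and the blobs
below are constructed for illustration; the C2 host is a placeholder.
"""
from itertools import cycle
from typing import List, Optional

# Constructed values (not from any real sample).
CONSTRUCTED_KEY = b"\x5a\x1f\xc3"
CONSTRUCTED_CONFIG = b"http://c2-placeholder.invalid/gate.php?uid=|sleep=30"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. Encrypting and decrypting are the same operation."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def single_byte_key_candidates(blob: bytes, crib: bytes = b"http") -> List[int]:
    """Try all 256 single-byte keys and keep those whose output contains the crib."""
    return [k for k in range(256) if crib in xor_bytes(blob, bytes([k]))]


def recover_key_from_known_prefix(blob: bytes, known_prefix: bytes, key_len: int) -> Optional[bytes]:
    """Derive a repeating key of length key_len when the plaintext prefix is known.

    key[i] = blob[i] ^ plaintext[i]; the known prefix must cover one full key
    period, and the candidate is then verified against the whole prefix so a
    wrong key length is rejected instead of producing garbage.
    """
    if len(known_prefix) < key_len or len(blob) < len(known_prefix):
        return None
    candidate = bytes(blob[i] ^ known_prefix[i] for i in range(key_len))
    if xor_bytes(blob[: len(known_prefix)], candidate) != known_prefix:
        return None
    return candidate


def recover_config(blob: bytes) -> Optional[bytes]:
    """Try single-byte keys first, then repeating keys of 2..8 bytes via the "http://" prefix."""
    for k in single_byte_key_candidates(blob):
        return xor_bytes(blob, bytes([k]))
    for key_len in range(2, 9):
        key = recover_key_from_known_prefix(blob, b"http://", key_len)
        if key is not None:
            return xor_bytes(blob, key)
    return None


# Constructed blobs, as they might be carved out of a sample.
BLOB_MULTI = xor_bytes(CONSTRUCTED_CONFIG, CONSTRUCTED_KEY)
BLOB_SINGLE = xor_bytes(CONSTRUCTED_CONFIG, b"\x7e")

if __name__ == "__main__":
    for name, blob in (("single-byte key", BLOB_SINGLE), ("3-byte key", BLOB_MULTI)):
        print(name, "->", recover_config(blob))
```

The crib search is cheap because the configuration is expected to contain a URL; when a sample's config is not URL-shaped, any other fixed plaintext the analyst can predict (a delimiter run, a version string) serves the same purpose.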

📜 History & Notable Incidents

MiniJunk first appeared in early 2024 according to Microsoft Defender for Endpoint telemetry, with the largest wave observed in March 2024 targeting organizations in the healthcare and education sectors. No high-profile victims have been publicly named, but the malware is associated with the JunkCrypt ransomware variants that affected small businesses in North America and Europe. No CVE is specific to MiniJunk itself, but its delivery documents exploit CVE-2017-11882 (the Equation Editor vulnerability) in unpatched older Office versions. No law enforcement actions against the DEV-1080 group have been reported as of 2025.

🔍 Detection Indicators

Known file hashes for MiniJunk samples include SHA256 3A2F8C1E4B9D0E5F7A6C3B8D2E1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4 (a fabricated placeholder that follows the naming convention and is not a valid 64-character SHA-256 digest; the actual hashes are documented by Microsoft). Behavioral indicators include the creation of scheduled tasks named UpdateTaskManager or MicrosoftEdgeUpdateTask, network connections to IP addresses in the 45.90.x.x range, and the presence of the mutex MiniJunk_Mutex_2024. User-Agent strings used during C2 communication mimic legitimate browsers, such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36.
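Before the indicators above go into a detection pipeline they need a validity check (the quoted hash is a placeholder and not loadable as a SHA-256) and a weighting, since the task and mutex names are specific while a whole 45.90.x.x /16 and the Run key overlap with normal activity. The following added example, not code from the page or from Microsoft, does both against constructed Sysmon-style event records; the hostnames, the benign task and registry values, and the event schema are all assumptions made for the example.

```python
"""Validating this profile's indicators and matching them against host events.

Added example; not code from the page or from Microsoft. The event records
are constructed, Sysmon-style dictionaries, not real telemetry. The hash
string is the page's own placeholder and appears here only to show why an
indicator is validated before it is loaded into a blocklist.
"""
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicators as quoted on the page.
PAGE_PLACEHOLDER_HASH = "3A2F8C1E4B9D0E5F7A6C3B8D2E1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4"
TASK_NAMES = {"UpdateTaskManager", "MicrosoftEdgeUpdateTask"}
MUTEX_NAME = "MiniJunk_Mutex_2024"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
C2_RANGE = ipaddress.ip_network("45.90.0.0/16")  # the page's "45.90.x.x"

# Weight of each indicator on its own: a named task and a mutex are specific,
# whereas a /16 and the Run key are shared with plenty of legitimate activity.
CONFIDENCE = {
    "scheduled_task_name": "high",
    "mutex": "high",
    "run_key": "low",
    "c2_ip_range": "low",
}

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def valid_sha256(digest: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; anything else must not be loaded as one."""
    return bool(SHA256_RE.match(digest))


def match_event(event: dict) -> List[str]:
    """Return the names of the indicators that a single host event matches."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "task_created" and event.get("task_name") in TASK_NAMES:
        hits.append("scheduled_task_name")
    elif kind == "mutex_created" and event.get("mutex") == MUTEX_NAME:
        hits.append("mutex")
    elif kind == "registry_set":
        # Registry paths are case-insensitive; match any value written under the Run key.
        key = str(event.get("key", "")).lower()
        if key.startswith(RUN_KEY.lower() + "\\"):
            hits.append("run_key")
    elif kind == "network_connect":
        try:
            if ipaddress.ip_address(event.get("dst_ip", "")) in C2_RANGE:
                hits.append("c2_ip_range")
        except ValueError:
            pass  # malformed address: not a hit, but worth a parsing-error counter in production
    return hits


def scan(events: Iterable[dict]) -> Dict[str, List[str]]:
    """Collect de-duplicated, sorted indicator hits per host."""
    per_host: Dict[str, set] = {}
    for event in events:
        host = event.get("host", "unknown")
        per_host.setdefault(host, set()).update(match_event(event))
    return {host: sorted(hits) for host, hits in per_host.items()}


def host_confidence(hits: List[str]) -> str:
    """'high' if any specific indicator fired, 'low' if only broad ones did, else 'none'."""
    if not hits:
        return "none"
    return "high" if any(CONFIDENCE[h] == "high" for h in hits) else "low"


# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "ws01", "type": "task_created", "task_name": "MicrosoftEdgeUpdateTask"},
    {"host": "ws01", "type": "mutex_created", "mutex": "MiniJunk_Mutex_2024"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "type": "network_connect", "dst_ip": "45.90.12.34"},
    {"host": "ws02", "type": "task_created", "task_name": "VendorUpdateTask"},
    {"host": "ws02", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray"},
    {"host": "ws02", "type": "network_connect", "dst_ip": "198.51.100.7"},
    {"host": "ws03", "type": "network_connect", "dst_ip": "not-an-ip"},
]

if __name__ == "__main__":
    print("placeholder hash is a valid SHA-256:", valid_sha256(PAGE_PLACEHOLDER_HASH))
    for host, hits in scan(EVENTS).items():
        print(host, host_confidence(hits), hits)
```

ws02 shows why the weighting matters: a vendor tray application writing its own Run value is an everyday event, so a Run-key hit on its own only rates "low" and should corroborate rather than trigger an alert.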

☠️ Risk & Impact

MiniJunk primarily serves as a delivery mechanism for ransomware, causing encryption of local files and network shares, leading to operational disruption and financial losses from ransom demands averaging $5,000–$50,000 per incident. The healthcare sector is particularly affected due to the sensitivity of patient data and the need for rapid system restoration. Data exfiltration is not a direct capability of MiniJunk itself, but the payloads it retrieves may steal credentials and sensitive information before encryption.

🛡️ Mitigation

Defenders should block Office macros from internet sources and apply the latest security updates, especially the fix for CVE-2017-11882. Microsoft recommends enabling Attack Surface Reduction (ASR) rules to block high-severity scripts and using Microsoft Defender for Endpoint with cloud-delivered protection enabled. Network signatures can detect MiniJunk's HTTP GET requests by the User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 combined with specific URI patterns such as /gate.php?uid=.
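The User-Agent quoted above is also the opening of every legitimate Chrome and Edge User-Agent, so a rule keyed on it alone will fire on ordinary browsing; the URI pattern is what makes the signature usable. The following added example, not code from the page, from Microsoft, or from any vendor signature set, shows the combined rule over constructed proxy log lines and contrasts it with a User-Agent-only rule. The tab-separated log format, the client addresses and the C2 hosts are all assumptions made for the example.

```python
"""A network rule for the MiniJunk C2 pattern, run over constructed proxy log lines.

Added example; not code from the page, from Microsoft, or from any vendor
signature set. The log format (tab-separated: time, client, method, URL,
status, User-Agent) and every line below are constructed; the C2 hosts are
placeholder or documentation addresses.
"""
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, urlsplit

# The page quotes only this prefix; real Chrome and Edge send the same prefix
# followed by "(KHTML, like Gecko) Chrome/... Safari/537.36".
PAGE_UA_PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
GATE_PATH = "/gate.php"
GATE_PARAM = "uid"


class ProxyRecord(NamedTuple):
    ts: str
    client: str
    method: str
    url: str
    status: str
    user_agent: str


def parse_line(line: str) -> ProxyRecord:
    """Parse one tab-separated proxy record; reject malformed lines rather than guessing."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 6:
        raise ValueError(f"expected 6 tab-separated fields, got {len(fields)}")
    return ProxyRecord(*fields)


def ua_matches(rec: ProxyRecord) -> bool:
    return rec.user_agent.startswith(PAGE_UA_PREFIX)


def uri_matches(rec: ProxyRecord) -> bool:
    """True when the request goes to /gate.php with a uid parameter (even an empty one)."""
    parts = urlsplit(rec.url)
    query = parse_qs(parts.query, keep_blank_values=True)
    return parts.path.endswith(GATE_PATH) and GATE_PARAM in query


def classify(rec: ProxyRecord) -> str:
    """'beacon' needs GET + UA prefix + gate URI; the URI alone still rates a lower-severity verdict."""
    if not uri_matches(rec):
        return "none"
    if rec.method == "GET" and ua_matches(rec):
        return "beacon"
    return "gate_uri_only"


def ua_only_clients(lines: List[str]) -> List[str]:
    """What a User-Agent-only rule would flag, to make its false positives visible."""
    return [rec.client for rec in map(parse_line, lines) if ua_matches(rec)]


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group client addresses by verdict."""
    out: Dict[str, List[str]] = {"beacon": [], "gate_uri_only": [], "none": []}
    for rec in map(parse_line, lines):
        out[classify(rec)].append(rec.client)
    return out


# Constructed log lines (not real traffic).
CONSTRUCTED_LOG_LINES = [
    "\t".join(["2024-03-05T10:01:02Z", "10.0.0.5", "GET",
               "http://45.90.12.34/gate.php?uid=1a2b3c", "200", PAGE_UA_PREFIX]),
    "\t".join(["2024-03-05T10:01:03Z", "10.0.0.6", "GET", "https://www.example.com/", "200",
               PAGE_UA_PREFIX + " (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"]),
    "\t".join(["2024-03-05T10:01:04Z", "10.0.0.7", "POST", "https://www.example.com/login",
               "302", "curl/8.4.0"]),
    "\t".join(["2024-03-05T10:01:05Z", "10.0.0.8", "GET",
               "http://c2-placeholder.invalid/gate.php?uid=", "404", PAGE_UA_PREFIX]),
    "\t".join(["2024-03-05T10:01:06Z", "10.0.0.9", "GET",
               "http://198.51.100.7/gate.php?uid=abc", "200", "python-requests/2.31.0"]),
]

if __name__ == "__main__":
    print("UA-only rule flags:", ua_only_clients(CONSTRUCTED_LOG_LINES))
    print("combined rule:", triage(CONSTRUCTED_LOG_LINES))
```

The "gate_uri_only" verdict exists because a User-Agent string is the cheapest thing for an operator to change between builds; keeping the URI match as a separate, lower-severity rule means a rebuilt downloader with a new User-Agent still surfaces for review.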


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.