# Full Report
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the
# Analysis Summary
# Tool/Technique: OXLOADER (REF8372 Campaign)
## Overview
OXLOADER is an emerging, sophisticated malware loader used to deliver the **CastleStealer** information stealer. It is distributed via malvertising campaigns (Google Ads) and is characterized by its heavy use of obfuscation and anti-analysis techniques to bypass static detection engines.
## Technical Details
- **Type:** Malware Loader
- **Platform:** Windows
- **Capabilities:** Obfuscation (CFF, MBA), Anti-VM/Anti-Sandbox, DLL Side-loading, CIS-region geofencing.
- **First Seen:** June 2026 (Campaign active through May 2026)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1583.008 - Create or Modify Cloud Accounts: Malvertising]
- **[TA0002 - Execution]**
  - [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
  - [T1059.001 - Command and Scripting Interpreter: PowerShell]
  - [T1204.002 - User Execution: Malicious File]
- **[TA0005 - Evasion]**
  - [T1574.002 - Hijack Execution Flow: DLL Side-Loading]
  - [T1027 - Obfuscated Files or Information]
  - [T1497 - Virtualization/Sandbox Evasion]
  - [T1614 - System Location Discovery (CIS countries exclusion)]
- **[TA0009 - Collection]**
  - [T1560 - Archive Collected Data (Associated with CastleStealer payload)]
## Functionality
### Core Capabilities
- **Malvertising Delivery:** Leverages fraudulent Google Ads for popular software (e.g., Node.js) to redirect users to malicious domains.
- **Benign Masquerading:** Uses a fake installation wizard UI to distract users while the loader executes in the background.
- **Privilege Escalation Request:** Executes PowerShell with `-Verb RunAs` to force a UAC prompt and gain administrative rights.
- **Staging:** Abuses the PE file's `.reloc` section to store and stage secondary shellcode.
- **Geofencing:** Specifically checks for and terminates if the victim machine is located in the Commonwealth of Independent States (CIS) region.
### Advanced Features
- **Sophisticated Obfuscation:** Employs Control-Flow Flattening (CFF), Opaque Predicates, and Mixed Boolean-Arithmetic (MBA) to break static analysis.
- **Self-Modifying Code:** Uses self-modifying decryption stubs to hinder debugging and signature-based detection.
- **Legitimate Infrastructure Abuse:** Utilizes Storj, a decentralized cloud storage platform, to host payloads and bypass domain reputation filters.
## Indicators of Compromise
- **File Hashes:**
  - SHA256: `9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d` (OXLOADER executable)
- **File Names:**
  - Potentially disguised as Node.js installers or image editing tools.
- **Network Indicators:**
  - `node-js[.]prentiva99[.]info` (Malicious redirect domain)
  - Storj decentralized storage URLs (Payload hosting)
- **Behavioral Indicators:**
  - Execution of PowerShell with `-Verb RunAs`.
  - Unexpected DLL side-loading in legitimate application directories.
## Associated Threat Actors
- **REF8372:** The specific campaign designation.
- **GrayBravo:** A threat cluster previously associated with **CastleLoader**, which shares the **CastleStealer** final payload.
- **Likely Origin:** Russian-speaking, financially motivated actors (based on geofencing exclusions).
## Detection Methods
- **Behavioral Detection:** Monitor for PowerShell processes requesting elevated privileges (`RunAs`) triggered by browser downloads or script files.
- **Endpoint Monitoring:** Identify unusual `.reloc` section modifications and DLL side-loading events.
- **Network Defense:** Monitor for traffic to decentralized storage platforms (Storj) originating from unauthorized scripts or installers.
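The following script is an added example, not code from Elastic Security Labs or from the report above. It turns the Indicators of Compromise and the three Detection Methods listed on this page into triage checks and runs them over constructed endpoint telemetry. The event schema (`process_create`, `image_load`, `network` records with `image`, `parent_image`, `cmdline`, `sha256`, `loaded_image`, `dest_host` fields), the Storj host-name suffixes, the allow-list of processes permitted to reach Storj, and every sample path and value other than the SHA256 hash and the redirect domain are assumptions made for the example.

```python
import json

# --- Indicators taken from the page; refanged for matching ---
IOC_SHA256 = {"9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d"}
IOC_DOMAINS = {"node-js.prentiva99.info"}

# --- Assumptions for this example (not from the page) ---
STORJ_HOST_SUFFIXES = (".storjshare.io", ".storj.io")     # assumed Storj-hosted URL hosts
STORJ_ALLOWED = {"backupagent.exe"}                        # assumed: processes allowed to use Storj
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def _base(path):
    """Lower-cased file name of a Windows path."""
    return (path or "").lower().rsplit("\\", 1)[-1]


def _dir(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return (path or "").lower().rsplit("\\", 1)[0] + "\\"


def check_process(ev):
    """Behavioral detection: PowerShell asking for elevation (-Verb RunAs) when the
    parent is a browser or a script host, plus a hash match against the IoC list."""
    if ev.get("type") != "process_create":
        return None
    cmd = (ev.get("cmdline") or "").lower()
    parent = _base(ev.get("parent_image"))
    if (_base(ev.get("image")) in {"powershell.exe", "pwsh.exe"}
            and "-verb runas" in cmd and parent in BROWSERS | SCRIPT_HOSTS):
        return f"PowerShell elevation request (-Verb RunAs) spawned by {parent}"
    if (ev.get("sha256") or "").lower() in IOC_SHA256:
        return "image hash matches OXLOADER IoC"
    return None


def check_image_load(ev):
    """Endpoint monitoring: a DLL loaded from the same user-writable directory as
    the executable that loads it is the classic side-loading shape."""
    if ev.get("type") != "image_load":
        return None
    exe_dir, dll = _dir(ev.get("image")), (ev.get("loaded_image") or "").lower()
    if not dll.endswith(".dll") or _dir(dll) != exe_dir:
        return None
    if any(tag in exe_dir for tag in USER_WRITABLE):
        return f"possible DLL side-load: {_base(dll)} loaded from user-writable {exe_dir}"
    return None


def check_network(ev):
    """Network defense: connections to the known redirect domain, or to Storj
    hosts from a process that is not on the allow-list."""
    if ev.get("type") != "network":
        return None
    host, proc = (ev.get("dest_host") or "").lower(), _base(ev.get("image"))
    if host in IOC_DOMAINS:
        return f"connection to known malicious domain {host}"
    if host.endswith(STORJ_HOST_SUFFIXES) and proc not in STORJ_ALLOWED:
        return f"{proc} reached Storj-hosted URL {host}"
    return None


CHECKS = (check_process, check_image_load, check_network)


def triage(events):
    """Return (event id, reason) for every event that trips a check."""
    hits = []
    for ev in events:
        for check in CHECKS:
            reason = check(ev)
            if reason:
                hits.append((ev["id"], reason))
    return hits


def load_events(text):
    """Parse newline-delimited JSON telemetry."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


# Constructed sample telemetry: events 1-4 mirror the page's indicators, 5-7 are benign.
SAMPLE_EVENTS = r"""
{"id": 1, "type": "process_create", "image": "C:\\Users\\alice\\Downloads\\node-v22-x64-setup.exe", "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "\"C:\\Users\\alice\\Downloads\\node-v22-x64-setup.exe\"", "sha256": "9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d"}
{"id": 2, "type": "process_create", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "powershell.exe -NoProfile -Command \"Start-Process 'C:\\Users\\alice\\AppData\\Local\\Temp\\wizard\\setup.exe' -Verb RunAs\"", "sha256": "constructed-not-an-ioc"}
{"id": 3, "type": "image_load", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wizard\\setup.exe", "loaded_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wizard\\helper.dll"}
{"id": 4, "type": "network", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wizard\\setup.exe", "dest_host": "link.storjshare.io"}
{"id": 5, "type": "process_create", "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe", "sha256": "constructed-benign-hash"}
{"id": 6, "type": "image_load", "image": "C:\\Program Files\\ExampleApp\\app.exe", "loaded_image": "C:\\Program Files\\ExampleApp\\app.dll"}
{"id": 7, "type": "network", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest_host": "www.example.com"}
"""

if __name__ == "__main__":
    for event_id, reason in triage(load_events(SAMPLE_EVENTS)):
        print(f"event {event_id}: {reason}")
```

The side-loading check is deliberately narrow: it only fires when the DLL sits next to its host executable inside a user-writable location such as `AppData`, `Temp` or `Downloads`, so properly installed software under `Program Files` does not generate noise. The Storj check relies on an allow-list because some organizations do use decentralized storage legitimately; tune `STORJ_ALLOWED` to your environment before deploying anything like this.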
## Mitigation Strategies
- **User Education:** Advise users to download software only from official vendor websites rather than sponsored search results.
- **Ad-Blocking:** Implement organizational ad-blocking solutions to reduce the risk of malvertising.
- **UAC Policies:** Enforce strict User Account Control policies and educate users to deny unexpected elevation requests.
- **Application Whitelisting:** Use AppLocker or Windows Defender Application Control (WDAC) to prevent unauthorized batch scripts and loaders from running.
## Related Tools/Techniques
- **CastleStealer:** The .NET information stealer payload delivered by OXLOADER.
- **CastleLoader:** A similar loader associated with the GrayBravo cluster.
- **ClickFix:** A lure technique previously used to deliver related malware.