logo

Lost in relocation: analysis of a new loader distributing CASTLESTEALER

ID: 735ff214-95dc-5e94-a34c-78ca61c7c5ec

STIX ID: report--735ff214-95dc-5e94-a34c-78ca61c7c5ec

Feed Name: Elastic Security Labs

Threat Score
72/100

Date Published: 2026-06-19

Date Updated: 2026-06-19

...
...

Elastic Security Labs identified OXLOADER, a sophisticated Windows loader distributed via malicious Google Ads that stages shellcode in the .reloc section of a copied OCX file, performs multiple sandbox/VM and geographic/language checks (excluding CIS/Russian locales), and loads a Donut-wrapped .NET infostealer called CASTLESTEALER; the report provides technical analysis, anti-analysis/obfuscation details, attack chain reconstruction, and a list of IOCs including hashes and C2 IPs.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.