Lost in relocation: analysis of a new loader distributing CASTLESTEALER
ID: 735ff214-95dc-5e94-a34c-78ca61c7c5ec
STIX ID: report--735ff214-95dc-5e94-a34c-78ca61c7c5ec
Feed Name: Elastic Security Labs
Elastic Security Labs identified OXLOADER, a sophisticated Windows loader distributed via malicious Google Ads that stages shellcode in the .reloc section of a copied OCX file, performs multiple sandbox/VM and geographic/language checks (excluding CIS/Russian locales), and loads a Donut-wrapped .NET infostealer called CASTLESTEALER; the report provides technical analysis, anti-analysis/obfuscation details, attack chain reconstruction, and a list of IOCs including hashes and C2 IPs.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
