OXLOADER Malware Loader Spreads CASTLESTEALER via Fake Node.js Ads
ID: 737c63d5-6d86-5cc0-87e4-7026abf9c025
STIX ID: report--737c63d5-6d86-5cc0-87e4-7026abf9c025
Feed Name: securityonline.info
Elastic Security Labs identified a financially motivated malvertising campaign (REF8372) that lures US Windows users with fake Node.js Google Ads to download a Storj-hosted batch installer that drops OXLOADER, a heavily obfuscated loader which stages shellcode in the PE .reloc section and loads the CASTLESTEALER .NET infostealer entirely in memory (via DonutLoader); the stealer exfiltrates browser credentials, cookies, session tokens, and crypto wallet files to AES-protected C2 servers. The report describes delivery, anti-VM and geo/language exclusions, novel .reloc abuse, indicators, and mitigation advice such as avoiding sponsored downloads, blocking unknown batch/PowerShell scripts, and detecting code execution from .reloc sections.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
