OXLOADER: new loader evading detection to drop infostealer
OXLOADER is a newly identified Windows malware loader that delivers the CASTLESTEALER infostealer via malicious Google Ads campaigns. It uses advanced obfuscation techniques and anti-virtual machine and language checks to evade detection and avoid certain regions, indicating a financially motivated Russian-speaking threat actor. The loader abuses the Windows .reloc section for shellcode staging and uses DonutLoader to execute the .NET-based payload in memory, further complicating detection efforts. Distribution involves malvertising campaigns impersonating Node.js installers and redirects through intermediary domains to batch scripts hosted on Storj. No patches or fixes are available as this is malware rather than a software vulnerability. The threat is currently observed targeting the United States and is assessed as medium severity.
AI Analysis
Technical Summary
OXLOADER is a previously undocumented Windows loader that delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns. It achieves low detection rates by employing multiple obfuscation layers such as control-flow flattening, opaque predicates, mixed Boolean-Arithmetic techniques, self-modifying decryption stubs, and abuse of the Windows .reloc section for shellcode staging. The loader is distributed via malvertising campaigns impersonating Node.js installations, redirecting victims through intermediary domains to batch scripts hosted on the Storj decentralized storage network. It implements five anti-virtual machine and language checks, including exclusions for CIS-region and Russian-language systems, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload directly in memory, evading traditional detection mechanisms through deliberate engineering choices. There are no known patches or vendor mitigations since this is malware rather than a software vulnerability. Indicators include multiple file hashes, URLs, and domains associated with the campaign. The threat is currently reported targeting the United States.
Potential Impact
The impact of OXLOADER is the delivery and execution of the CASTLESTEALER infostealer on infected Windows systems. This results in the potential theft of sensitive information from victims. The loader's advanced evasion techniques reduce the likelihood of detection by traditional security solutions, increasing the risk of successful compromise. The use of malvertising campaigns for distribution broadens the potential victim pool. The anti-VM and language checks limit exposure to certain regions, focusing the threat on specific targets. There are no known exploits in the wild beyond this campaign, and no official patches or fixes exist since this is malware.
Mitigation Recommendations
As this is malware distributed via malvertising campaigns, there are no patches or official fixes available. Organizations should focus on blocking known indicators of compromise such as the provided hashes, URLs, and domains associated with OXLOADER. Security teams should update detection signatures to identify the obfuscation techniques and payload behaviors described. User awareness training to avoid downloading software from untrusted sources, especially via suspicious ads, is recommended. Network defenses should consider blocking access to the identified malicious domains and URLs. Because the malware performs anti-VM and language checks, monitoring for unusual execution environments may help detect execution attempts. No vendor advisory states that no action is required or that the threat is already mitigated.
Affected Countries
United States
Indicators of Compromise
- hash: 6e0a1f8f77f7011561f6f9ca96b71b8f
- hash: 77cc3c0fecc58b5b696f08858a214969
- hash: 956c6128e9362e075f8d006c93616a66
- hash: 1591ab9bf31f3e22555dd2320d9ab386d8f3a4b8
- hash: 39019279686c820c3af5684012a0085a7e2109f612c9fab886dd0577ace5b5c6
- hash: 4ec9d9d4d10ad78fc6d7bda7cb17d52984878ccd2dd4302fd1cef152313b9741
- hash: 9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d
- hash: c85f2765a6c3c3f3907c17e57df12f8f68826f74bff3bbfd272af50666d065fe
- hash: de4f51649ec1a33071854aefe93ffb3fc225e19f802d8dd914676dd5dfef2615
- hash: fdfc7831e5c24cfa80152860dfe8c056ba079f7df1393bf6bb7b18ed974eda37
- url: http://app.miloyannopoulos.com/download
- url: http://app.miloyannopoulos.com/download?subid1=download
- url: http://link.storjshare.io/raw/jux4e4ky5mruo4jkxsssp42sau4q/ruslan/BATPackageBuilderSetup.bat
- url: http://link.storjshare.io/raw/jwwvr4oskkkjsgevt774ta62ehya/ruslan/aBsvwbdas.exe
- url: https://link.storjshare.io/raw/jv5uebuqwzfpmtahj34q753ptykq/node/BATPackageBulderSetup.bat
- url: https://link.storjshare.io/raw/jvsmdybqmvwep2oawbobp6ub7aza/node/node-v24.15.0-x64-86.exe
- domain: node-js.prentiva99.info
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
- Adversary: none listed
- Pulse Id: 6a34874a45b9c09ee90c0aff
- Threat Score: none listed
Threat ID: 6a34ff64f198dc38c1cec3e5
Added to database: 6/19/2026, 8:35:48 AM
Last enriched: 6/19/2026, 8:49:59 AM
Last updated: 6/19/2026, 4:33:17 PM
Views: 18