OXLOADER: new loader evading detection to drop infostealer
Essential information
- Published: 19/06/2026 02:03
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: anti-vm, castlestealer, donutloader, google ads, infostealer, malvertising, obfuscation, oxloader, reloc section abuse, russian-speaking actor
- Related entities: 13 indicators, 7 observables, 3 malware
Description
A previously undocumented Windows loader, designated OXLOADER, delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns and achieves remarkably low detection rates. The loader employs multiple obfuscation layers, including control-flow flattening, opaque predicates and mixed Boolean-arithmetic (MBA) expressions, together with self-modifying decryption stubs and abuse of the PE .reloc section for shellcode staging. Distribution occurs via malvertising that impersonates Node.js installers and redirects victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including exclusions for CIS-region and Russian-language systems, which suggests a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.
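The .reloc abuse mentioned above is worth a concrete triage check: a legitimate relocation section holds small, low-entropy relocation blocks and is never executable, so a .reloc that is executable, larger than .text, or high-entropy is a cheap static indicator. The following stdlib-only Python is an added example (not code from the report, AlienVault or the malware), it builds two constructed sample PE images in memory rather than reading real binaries, and the three heuristics and their thresholds (executable flag, size larger than .text, Shannon entropy above 7.0) are assumptions chosen for illustration, not rules taken from the report.

```python
import math
import struct

# IMAGE_SECTION_HEADER characteristics flags (from winnt.h)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def parse_sections(pe: bytes) -> list:
    """Walk the PE section table and return name, raw size, flags and raw bytes of each section."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        flags = struct.unpack_from("<I", pe, hdr + 36)[0]
        sections.append({"name": name, "raw_size": raw_size, "flags": flags,
                         "data": pe[raw_ptr:raw_ptr + raw_size]})
    return sections


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, relocation tables sit far lower."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def reloc_findings(pe: bytes) -> list:
    """Heuristic triage of the .reloc section; returns a list of human-readable findings."""
    by_name = {s["name"]: s for s in parse_sections(pe)}
    reloc = by_name.get(".reloc")
    if reloc is None:
        return []
    findings = []
    if reloc["flags"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
        findings.append(".reloc is marked executable/code; relocation data never needs to execute")
    text = by_name.get(".text")
    if text is not None and reloc["raw_size"] > text["raw_size"]:
        findings.append(".reloc is larger than .text, unusual for a genuine relocation table")
    if shannon_entropy(reloc["data"]) > 7.0:  # assumed threshold
        findings.append(".reloc has high entropy, consistent with packed or encrypted content")
    return findings


def build_pe(sections: list) -> bytes:
    """Assemble a minimal PE from (name, flags, data) tuples. Constructed sample only:
    the optional header is omitted (SizeOfOptionalHeader = 0), which the parser above tolerates."""
    header_len = 0x40 + 4 + 20 + 40 * len(sections)
    first_raw = (header_len + 0x1FF) & ~0x1FF  # first raw section on a 512-byte boundary
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    headers, body = dos + b"PE\0\0" + coff, b""
    raw_ptr, vaddr = first_raw, 0x1000
    for name, flags, data in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        headers += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(data), vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += max(0x1000, (len(data) + 0xFFF) & ~0xFFF)
    return headers.ljust(first_raw, b"\0") + body


# Constructed samples: a benign layout, and one staging an opaque blob in an executable .reloc.
_RELOC_BLOCK = struct.pack("<II", 0x1000, 12) + struct.pack("<HH", 0xA010, 0xA020)
BENIGN_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\xCC" * 64),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, _RELOC_BLOCK),
])
SUSPICIOUS_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\xCC" * 64),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE,
     bytes(range(256)) * 4),  # uniform byte distribution stands in for an encrypted blob
])

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PE), ("suspicious", SUSPICIOUS_PE)):
        print(label, reloc_findings(sample) or ["no findings"])
```

To run it over real files, replace the constructed samples with `open(path, "rb").read()`; the parser only needs the section table, so it works on both PE32 and PE32+ images. Treat the findings as triage hints to prioritise sandboxing or manual review, not as a verdict on their own, since some packers and protectors also produce unusual .reloc layouts.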