At a Glance
| Malware family | OXLOADER (loader) delivering CASTLESTEALER (.NET infostealer) |
|---|---|
| Threat actor | Unnamed; suspected Russian-speaking and financially motivated (campaign REF8372) |
| Targets / victims | Windows users in the United States |
| Delivery vector | Malicious Google Ads impersonating Node.js, via a Storj-hosted batch script |
| Key capabilities | Heavy obfuscation, anti-VM checks, .reloc shellcode staging, in-memory payload |
| Source | Elastic Security Labs |
TL;DR
Elastic Security Labs uncovered a new Windows loader, OXLOADER, that delivers the CASTLESTEALER infostealer through fake Node.js ads. It evades detection well, with low detection rates across antivirus engines and sandboxes. Elastic tracks the campaign as REF8372.
How Victims Get Infected

Malvertising through Google Ads
The campaign starts with a search. A user looks for a Node.js download and clicks a sponsored result. That ad leads to a fake Node.js landing page. Elastic says the ads targeted US victims through Google. The ad last appeared on 23 April 2026. Google removed the advertiser account by mid-May 2026. The account carried a verified identity linked to Ukraine. However, Elastic notes this may be a front or a stolen identity.
From batch script to loader
The fake page serves a Windows batch script. Attackers hosted it on Storj, a legitimate file-sharing service. So reputation filters were less likely to block it. The script shows a fake install wizard. Meanwhile, it quietly downloads the loader and requests admin rights through a standard prompt.
Inside the OXLOADER Malware Loader
The OXLOADER malware loader runs before the program’s normal code starts. It unpacks itself in memory using rolling-XOR decryption stubs. The loader also layers four obfuscation techniques, including control-flow flattening and mixed Boolean-arithmetic (MBA) expressions. As a result, tools like IDA Pro struggle to map its functions. Elastic said the loader “abuses the Windows .reloc section to stage shellcode.” Early samples posed as API Monitor, while later ones posed as a Node.js installer.
Five checks to dodge analysis
Before going further, OXLOADER runs five environment checks. It demands at least three CPUs and 3 GB of RAM. It also queries the display refresh rate through WMI. A low rate suggests a virtual machine, so the loader stops. Two more checks exclude CIS countries and Russian-language systems. These exclusions point to a Russian-speaking operator. Elastic said the low detection gives OXLOADER “a window to operate before it gets hunted down.”
A rare .reloc trick
Next, OXLOADER copies a Windows system DLL to a temporary folder. It renames the copy with an .ocx extension. That extension choice inspired the OXLOADER name. The loader then adds a writable, executable section to the file. It stages shellcode inside the .reloc section, which normal programs never use for code. Elastic noted that “legitimate toolchains do not emit code into the .reloc section.” Finally, it loads the modified DLL back into the loader process.
Command and Control and Data Theft
The final stage is the CASTLESTEALER infostealer. OXLOADER delivers it entirely in memory. It wraps the payload with DonutLoader, an open-source shellcode tool. DonutLoader turns .NET assemblies into position-independent shellcode. The chain also uses a Chaskey-LTS cipher and aPLib compression. Huntress first named this stealer CASTLESTEALER. Elastic ties the two through a shared AES key in earlier samples.
Once active, CASTLESTEALER talks to its servers over AES-encrypted channels. Elastic identified two command-and-control servers during its analysis. The stealer targets browser passwords, cookies, session tokens, and crypto wallet files.
How to Defend Against OXLOADER
Treat sponsored search results with care. Download developer tools from official sites, not ads. Block or limit unknown batch scripts and PowerShell downloads. Watch for a renamed system DLL loaded from a temporary folder. Also flag code that lives in a PE file’s .reloc section. Endpoint tools that inspect behavior catch this chain better than static scanners. Scan any machine that downloaded a fake Node.js or API Monitor installer.
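As an added detection example, not code from Elastic's report, the script below parses a PE section table and flags the two traits described above: a .reloc section marked executable or code-bearing, and any section that is both writable and executable. The two sample PE headers it checks are constructed inside the script, so it runs offline.

```python
import struct

# IMAGE_SCN_* section characteristic flags from the PE/COFF spec
SCN_CNT_CODE, SCN_CNT_INIT_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

def pe_sections(data: bytes):
    """Return [(name, characteristics)] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # section headers follow the optional header
    out = []
    for i in range(num_sections):                         # each IMAGE_SECTION_HEADER is 40 bytes
        name, chars = struct.unpack_from("<8s28xI", data, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), chars))
    return out

def suspicious_sections(data: bytes):
    """Flag the traits the OXLOADER report describes: code in .reloc, and RWX sections."""
    findings = []
    for name, chars in pe_sections(data):
        if name == ".reloc" and chars & (SCN_MEM_EXECUTE | SCN_CNT_CODE):
            findings.append(f"{name}: executable/code-bearing .reloc (linkers never emit code here)")
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable and executable section")
    return findings

def build_pe(sections):
    """Constructed fixture: minimal MZ/PE headers and a section table (no optional header)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x2102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000,
                                 0x1000 * (i + 1), 0x200, 0x400, 0, 0, 0, 0, c)
                     for i, (n, c) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + table

# Constructed samples: a normal linker layout, and a .reloc made writable+executable as the report describes
BENIGN_PE = build_pe([(".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                      (".data", SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
                      (".reloc", SCN_CNT_INIT_DATA | SCN_MEM_READ)])
TAMPERED_PE = build_pe([(".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
                        (".reloc", SCN_CNT_INIT_DATA | SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE)])
```

To scan a real file, pass `open(path, "rb").read()` to `suspicious_sections`; a clean binary returns an empty list.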