Lost in relocation: analysis of a new loader distributing CASTLESTEALER
A newly discovered Windows loader, OXLOADER, is being distributed via malicious Google Ads impersonating Node.js to deliver the CASTLESTEALER infostealer. The loader utilizes advanced evasion techniques, including control-flow flattening, anti-sandbox checks, and staging shellcode within the .reloc section of a copied system DLL, to maintain low detection rates across static engines.
- domain: app[.]miloyannopoulos[.]com - Malvertising redirector domain
- domain: node-js[.]prentiva99[.]info - Malicious landing page impersonating Node.js deployment platform
- ip: 89[.]124[.]115[.]82 - CASTLESTEALER Command and Control (C2) server
- ip: 89[.]124[.]95[.]161 - CASTLESTEALER Command and Control (C2) server
- sha256: 39019279686c820c3af5684012a0085a7e2109f612c9fab886dd0577ace5b5c6 - CASTLESTEALER infostealer payload
- sha256: 4ec9d9d4d10ad78fc6d7bda7cb17d52984878ccd2dd4302fd1cef152313b9741 - CASTLESTEALER infostealer payload
- sha256: 9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d - apimonitor-x64.exe - OXLOADER payload masquerading as API Monitor
- sha256: c85f2765a6c3c3f3907c17e57df12f8f68826f74bff3bbfd272af50666d065fe - node-v24.15.0-x64-86.exe - Second variant OXLOADER payload
- sha256: de4f51649ec1a33071854aefe93ffb3fc225e19f802d8dd914676dd5dfef2615 - BATPackageBulderSetup.bat - Second variant downloader script
- sha256: fdfc7831e5c24cfa80152860dfe8c056ba079f7df1393bf6bb7b18ed974eda37 - BATPackageBuilderSetup.bat - OXLOADER downloader and launcher script
- url: hxxps://link[.]storjshare[.]io/raw/jv5uebuqwzfpmtahj34q753ptykq/node/BATPackageBulderSetup[.]bat - Storj URL hosting the second variant batch script
- url: hxxps://link[.]storjshare[.]io/raw/jvsmdybqmvwep2oawbobp6ub7aza/node/node-v24[.]15[.]0-x64-86[.]exe - Storj URL hosting the second variant OXLOADER executable
What Happened
Cybercriminals are using fake Google Ads for popular software like Node.js to trick users into downloading a new malicious program called OXLOADER. Once installed, OXLOADER sneaks past security defenses to deliver a secondary malware known as CASTLESTEALER, which is designed to steal sensitive information from the victim's computer. This attack specifically targets users outside of Russia and neighboring countries, suggesting the attackers are financially motivated and based in that region. Organizations should ensure their security software is up to date and train employees to verify the authenticity of software downloads from search engine advertisements.
Key Takeaways
- A new Windows loader named OXLOADER is distributing the CASTLESTEALER infostealer via malicious Google Ads.
- The threat actor uses CIS-region and Russian-language exclusions, indicating a financially motivated, Russian-speaking origin.
- OXLOADER employs advanced obfuscation, including control-flow flattening, mixed Boolean-Arithmetic, and self-modifying decryption stubs.
- The loader evades detection by staging shellcode in the .reloc section of a copied Windows DLL.
- The attack chain abuses legitimate services like Storj for payload hosting to bypass domain reputation filters.
Affected Systems
- Windows
Attack Chain
The attack begins with a user clicking a malicious Google Ad impersonating Node.js, which redirects them to a Storj-hosted batch script. This script downloads and executes the OXLOADER payload using PowerShell with elevated privileges. OXLOADER unpacks itself in memory, performs extensive anti-analysis and geographic checks, and stages shellcode within a newly created section of a copied system DLL. Finally, the loader executes a DonutLoader-generated payload that decrypts and runs the CASTLESTEALER infostealer in memory.
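The staging step above (shellcode placed in a copied DLL's .reloc section, plus a new .xtext section in the loaded image) leaves a footprint in the PE section table that a triage script can check without executing anything. The following is an added example, not code from the Elastic report or from the loader: it assembles two constructed PE images in memory (a plausibly clean DLL layout and a tampered copy whose layout mirrors the report's description) and flags an executable .reloc section, a non-standard .xtext section, and any writable-and-executable (RWX) section. The section names, flags and layouts are constructed for the demo; on a real sample you would run the same `assess_sections` check over the file on disk or the dumped in-memory image, and compare against the genuine copy in System32.

```python
"""Flag PE section-table anomalies of the kind the report attributes to OXLOADER.

Added example, not code from the Elastic report or the malware: it builds two
constructed PE images in memory (a plausibly clean DLL layout and a tampered
copy) and checks their section headers for an executable .reloc section, a
non-standard .xtext section, and any writable-and-executable (RWX) section.
"""
import struct

# Section characteristic flags from the PE/COFF specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(image: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR, image, table + i * 40)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "characteristics": fields[9],
        })
    return sections


def assess_sections(sections) -> list:
    """Return (section name, reason) pairs for anomalous sections."""
    findings = []
    for s in sections:
        name, flags = s["name"], s["characteristics"]
        if name == ".xtext":
            findings.append((name, "non-standard section name; the report ties an added .xtext section to OXLOADER staging"))
        if name == ".reloc" and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name, ".reloc marked executable; relocation data is never code in a normal build"))
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((name, "section is writable and executable (RWX)"))
    return findings


def build_image(sections) -> bytes:
    """Assemble a minimal x64 PE with the given (name, characteristics) sections.
    Constructed for the demo only: there is no code or data behind the headers."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header at 0x40
    opt_size = 0xF0                                   # size of a PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    table = b""
    va, raw = 0x1000, 0x400
    for name, flags in sections:
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                             0x1000, va, 0x1000, raw, 0, 0, 0, 0, flags)
        va += 0x1000
        raw += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


# Constructed layouts: a typical DLL, and a copy mirroring the report's description
CLEAN_LAYOUT = [
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE),
]
TAMPERED_LAYOUT = [
    CLEAN_LAYOUT[0], CLEAN_LAYOUT[1],
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".xtext", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
]

CLEAN_IMAGE = build_image(CLEAN_LAYOUT)
TAMPERED_IMAGE = build_image(TAMPERED_LAYOUT)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        for name, reason in assess_sections(parse_sections(img)):
            print(f"{label}: {name}: {reason}")
```

The parser reads only what it needs (e_lfanew, NumberOfSections, SizeOfOptionalHeader, the section headers), so it works on PE32 and PE32+ alike; for real files `pefile` gives the same fields with far more validation. The strongest version of this check diffs the section table of the suspect .ocx against the on-disk System32 dui70.dll, since any section the original lacks is the loader's addition.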
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Elastic Security
Elastic Security provides YARA rules for detecting OXLOADER and CASTLESTEALER, as well as several behavioral detection rules for identifying the evasion and execution techniques used.
Detection Engineering Assessment
- EDR Visibility: High — The malware performs highly anomalous actions such as copying system DLLs, creating RWX memory sections, and injecting shellcode, which are typically well-monitored by modern EDR solutions.
- Network Visibility: Medium — Initial payload delivery relies on legitimate services like Storj, which may blend in with normal traffic, but C2 communication to known malicious IPs can be detected.
- Detection Difficulty: Moderate — While the static obfuscation is heavy, the behavioral footprint (e.g., copying dui70.dll, UAC elevation via PowerShell, WNetAddConnection2W with malformed names) provides solid detection opportunities.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- Network Connections (Sysmon Event ID 3)
- File Creation (Sysmon Event ID 11)
- Image Loaded (Sysmon Event ID 7)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for processes making network connections to malformed resource names like '*72s@1s' via WNetAddConnection2W, which may indicate anti-sandbox evasion. | API monitoring / EDR telemetry | Defense Evasion | Low |
| If you have visibility into file creation events, consider hunting for copies of 'dui70.dll' being dropped into temporary directories with a '.ocx' extension. | File Creation logs | Defense Evasion | Low |
| Consider hunting for batch scripts launching PowerShell with the '-Verb RunAs' parameter to trigger UAC elevation, especially when originating from browser downloads. | Process Creation logs with command-line arguments | Privilege Escalation | Medium |
Control Gaps
- Domain reputation filtering may fail due to the abuse of legitimate services like Storj.
- Static AV signatures may miss the payload due to heavy obfuscation and self-modifying code.
Key Behavioral Indicators
- Copying of C:\Windows\System32\dui70.dll to a .ocx file
- Creation of an .xtext section in a loaded DLL
- WNetAddConnection2W called with malformed resource '*72s@1s'
- PowerShell execution with '-Verb RunAs' from a batch script
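The hunting hypotheses table and the behavioral indicator list above describe three checks that map directly onto the required log sources (Sysmon Event ID 11 for the dui70.dll copy, Event ID 1 for the `-Verb RunAs` launch, Event ID 3 for the C2 connections). The following is an added example, not from the Elastic report: it encodes each of those checks as a rule and runs them over a handful of constructed Sysmon-style event records. The event contents, file names and the benign decoy events are constructed; the C2 addresses are the ones listed in the report's IoCs. The WNetAddConnection2W check is not included because Sysmon does not log API calls; that hypothesis needs EDR or API-monitoring telemetry.

```python
"""Run the report's hunting hypotheses over Sysmon-style events.

Added example, not from the Elastic report: the events below are constructed
to look like Sysmon Event ID 1 (process create), 11 (file create) and 3
(network connect) records, and each rule encodes one hypothesis or behavioural
indicator from the page. The C2 addresses are the ones the report lists.
"""
import re

# CASTLESTEALER C2 servers from the report's IoC list
CASTLESTEALER_C2 = {"89.124.115.82", "89.124.95.161"}

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
POWERSHELL_RE = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
RUNAS_RE = re.compile(r"-verb\s+runas\b", re.IGNORECASE)


def rule_ocx_copy_in_temp(ev):
    """Hypothesis 2: a .ocx file written into a temp directory. Event 11 carries
    no content hash, so a hit should be confirmed by hashing the file against
    C:\\Windows\\System32\\dui70.dll."""
    target = ev.get("TargetFilename", "")
    if ev.get("EventID") == 11 and target.lower().endswith(".ocx") and TEMP_DIR_RE.search(target):
        return "ocx-dropped-in-temp"
    return None


def rule_runas_from_batch(ev):
    """Hypothesis 3: PowerShell started by cmd.exe (the batch interpreter) with -Verb RunAs."""
    if (ev.get("EventID") == 1
            and POWERSHELL_RE.search(ev.get("Image", ""))
            and ev.get("ParentImage", "").lower().endswith("\\cmd.exe")
            and RUNAS_RE.search(ev.get("CommandLine", ""))):
        return "powershell-runas-from-batch"
    return None


def rule_c2_connection(ev):
    """Outbound connection to a CASTLESTEALER C2 address from the report's IoC list."""
    if ev.get("EventID") == 3 and ev.get("DestinationIp") in CASTLESTEALER_C2:
        return "castlestealer-c2"
    return None


RULES = (rule_ocx_copy_in_temp, rule_runas_from_batch, rule_c2_connection)


def hunt(events):
    """Return (rule name, image) pairs for every event a rule matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            name = rule(ev)
            if name:
                hits.append((name, ev.get("Image", "")))
    return hits


# Constructed sample telemetry with Sysmon-like field names; the two benign
# records (svchost writing a .txt, explorer launching PowerShell) should not fire.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\AppData\Local\Temp\apimonitor-x64.exe",
     "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\dui70.ocx"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\report.txt"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell -Command "Start-Process -FilePath C:\Users\bob\Downloads\node-v24.15.0-x64-86.exe -Verb RunAs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -Command Get-Date"},
    {"EventID": 3, "Image": r"C:\Users\bob\AppData\Local\Temp\apimonitor-x64.exe",
     "DestinationIp": "89.124.115.82", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for name, image in hunt(SAMPLE_EVENTS):
        print(f"{name}: {image}")
```

The RunAs rule keys on cmd.exe as the parent because a .bat file runs inside cmd.exe; the table rates this hypothesis Medium FP risk, and in practice the parent's own parent (a browser, or a downloads-folder path in the command line) is what separates installer scripts from the malvertising chain. Correlating the three rule hits on the same host, as the constructed sample does for `apimonitor-x64.exe`, is what turns individually low-confidence signals into an incident.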
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified CASTLESTEALER C2 IP addresses at the perimeter firewall.
- If your EDR supports it, consider isolating endpoints that exhibit the behavioral indicators associated with OXLOADER.
Infrastructure Hardening
- Evaluate whether access to file-sharing services like Storj can be restricted or heavily monitored if not required for business operations.
- Consider enforcing application control policies to prevent the execution of unsigned or untrusted binaries from temporary directories.
User Protection
- Consider implementing strict UAC enforcement to prevent silent or easily approved privilege escalation by malicious scripts.
- Evaluate whether browser-based protections can be enhanced to block known malicious ad networks or warn users about suspicious downloads.
Security Awareness
- Consider rolling out training on the risks of malvertising and how to verify the authenticity of software downloads from search engine results.
- Remind users to be cautious of unexpected UAC prompts during software installation.
MITRE ATT&CK Mapping
- T1583.008 - Acquire Infrastructure: Malvertising
- T1608.001 - Stage Capabilities: Upload Malware
- T1204.002 - User Execution: Malicious File
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
- T1140 - Deobfuscate/Decode Files or Information
- T1027.009 - Obfuscated Files or Information: Embedded Payloads
- T1036.005 - Masquerading: Match Legitimate Name or Location
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- T1497.001 - Virtualization/Sandbox Evasion: System Checks
- T1614.001 - System Location Discovery: System Language Discovery
- T1620 - Reflective Code Loading
Additional IOCs
- Urls:
  - link.storjshare.io/raw/jux4e4ky5mruo4jkxsssp42sau4q/ruslan/BATPackageBuilderSetup.bat - Storj URL hosting the initial batch script
  - link.storjshare.io/raw/jwwvr4oskkkjsgevt774ta62ehya/ruslan/aBsvwbdas.exe - Storj URL hosting the OXLOADER executable
  - hxxps://link[.]storjshare[.]io/raw/jv5uebuqwzfpmtahj34q753ptykq/node/BATPackageBulderSetup.bat - Storj URL hosting the second variant batch script
  - hxxps://link[.]storjshare[.]io/raw/jvsmdybqmvwep2oawbobp6ub7aza/node/node-v24.15.0-x64-86.exe - Storj URL hosting the second variant OXLOADER executable
- File Hashes:
  - de4f51649ec1a33071854aefe93ffb3fc225e19f802d8dd914676dd5dfef2615 (sha256) - BATPackageBulderSetup.bat - Second variant downloader script
  - c85f2765a6c3c3f3907c17e57df12f8f68826f74bff3bbfd272af50666d065fe (sha256) - node-v24.15.0-x64-86.exe - Second variant OXLOADER payload
  - 39019279686c820c3af5684012a0085a7e2109f612c9fab886dd0577ace5b5c6 (sha256) - CASTLESTEALER infostealer payload
- Command Lines:
  - Purpose: Launch the downloaded OXLOADER payload with elevated privileges | Tools: PowerShell, cmd.exe | Stage: Execution / Privilege Escalation | Command: Start-Process -FilePath <payload.exe> -Verb RunAs