THREAT OPS › Threat News › Lost in relocation: analysis of a new loader distributing CASTLESTEALER
Lost in relocation: analysis of a new loader distributing CASTLESTEALER
<p>A previously undocumented Windows loader tracked as OXLOADER is delivering the CASTLESTEALER infostealer via malicious Google Ads, with low detection rates across static engines and sandbox detonations. The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows <code>.reloc</code> sec
MITRE ATT&CK techniques
- Acquire InfrastructureT1583
- Embedded PayloadsT1027.009
- Encrypted/Encoded FileT1027.013
- Bypass User Account ControlT1548.002
- MalvertisingT1583.008
- Malicious FileT1204.002
- System ChecksT1497.001
- Deobfuscate/Decode Files or InformationT1140
- Upload MalwareT1608.001
- MasqueradingT1036
- Reflective Code LoadingT1620
- Browser Information DiscoveryT1217
- Abuse Elevation Control MechanismT1548
- Command and Scripting InterpreterT1059
- Virtualization/Sandbox EvasionT1497
- Stage CapabilitiesT1608
- User ExecutionT1204
- PowerShellT1059.001
- Hijack Execution FlowT1574
- Obfuscated Files or InformationT1027
- System Language DiscoveryT1614.001
- System Location DiscoveryT1614
- Acquire InfrastructureAML.T0008
- Command and Scripting InterpreterAML.T0050
- MasqueradingAML.T0074
- Stage CapabilitiesAML.T0079
- Virtualization/Sandbox EvasionAML.T0097
Indicators of compromise
- ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9sha256
- fdfc7831e5c24cfa80152860dfe8c056ba079f7df1393bf6bb7b18ed974eda37sha256
- de4f51649ec1a33071854aefe93ffb3fc225e19f802d8dd914676dd5dfef2615sha256
- 9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28dsha256
- c85f2765a6c3c3f3907c17e57df12f8f68826f74bff3bbfd272af50666d065fesha256
- 4ec9d9d4d10ad78fc6d7bda7cb17d52984878ccd2dd4302fd1cef152313b9741sha256
- 39019279686c820c3af5684012a0085a7e2109f612c9fab886dd0577ace5b5c6sha256
- 47758d787209dd1744f58c140102ac91b649df16sha1
- fc37e3c047ebd987619e440c44b465admd5
- 6e0a1f8f77f7011561f6f9ca96b71b8fmd5
- 956c6128e9362e075f8d006c93616a66md5
- https://www.storj.io/url
- http://www.rohitab.com/apimonitorurl
- http://rohitab.comurl
- https://www.virustotal.com/gui/file/ed391a16389234f9ebb6727711baaf3e068d7f77c465708fa3e8b7d0565d7fb9url
- https://link.storjshare.io/raw/jv5uebuqwzfpmtahj34q753ptykq/node/BATPackageBulderSetup.baturl
- https://link.storjshare.io/raw/jvsmdybqmvwep2oawbobp6ub7aza/node/node-v24.15.0-x64-86.exeurl
- node-js.prentiva99.infodomain
- app.miloyannopoulos.comdomain