THREATOPS
THREAT OPSThreat News › Lost in relocation: analysis of a new loader distributing CASTLESTEALER

Lost in relocation: analysis of a new loader distributing CASTLESTEALER

medelastic_securityPublished 2026-06-19

<p>A previously undocumented Windows loader tracked as OXLOADER is delivering the CASTLESTEALER infostealer via malicious Google Ads, with low detection rates across static engines and sandbox detonations. The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows <code>.reloc</code> sec

MITRE ATT&CK techniques

Indicators of compromise

Original source: https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer