Cybersecurity researchers have identified a new campaign, designated REF8372, which utilizes a previously undocumented malware loader known as OXLOADER to deliver the CastleStealer infostealer. The attack chain begins with malicious Google Ads targeting users searching for legitimate software like Node.js. These ads redirect victims to fraudulent websites hosting malicious batch scripts on the decentralized Storj cloud storage platform.
OXLOADER employs sophisticated evasion techniques, including control-flow flattening, mixed Boolean-arithmetic (MBA) obfuscation, and self-modifying decryption stubs. It further abuses the .reloc section of a Windows PE file for shellcode staging and relies on DLL side-loading to execute its payload. CastleStealer, a .NET-based information stealer, is then deployed to harvest sensitive data, while specifically excluding machines in the CIS region to avoid infecting local systems.
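The .reloc abuse described above lends itself to a static triage check. The following is an added example, not code from the report or from the researchers who documented REF8372: it parses a PE section table and flags a .reloc section that is executable, writable, malformed as relocation data, or high-entropy. The PE image is constructed inline (headers only) and the tag names are this example's own.

```python
import math
import struct
from collections import Counter

SCN_CODE, SCN_EXEC, SCN_WRITE = 0x20, 0x20000000, 0x80000000  # PE/COFF section characteristic flags
def parse_sections(data):
    """Follow DOS header -> PE signature -> COFF header -> section table; yield (name, raw size, raw ptr, flags)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    for i in range(nsec):
        off = coff + 20 + opt_size + i * 40
        _, _, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        yield data[off:off + 8].rstrip(b"\0"), rsize, rptr, struct.unpack_from("<I", data, off + 36)[0]
def entropy(buf):
    n = len(buf) or 1  # Shannon entropy in bits per byte; encrypted or packed shellcode scores close to 8
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())
def reloc_blocks_valid(body):
    """Genuine relocation data is a chain of (VirtualAddress, SizeOfBlock) blocks, each even and >= 8 bytes."""
    off = 0
    while off + 8 <= len(body):
        va, size = struct.unpack_from("<II", body, off)
        if va == 0 and size == 0:
            break  # zero padding at the tail is normal
        if size < 8 or size % 2 or off + size > len(body):
            return False
        off += size
    return not any(body[off:])  # only padding may follow the last block
def reloc_findings(data):
    """Triage tags for a .reloc section whose flags or contents do not look like relocation data."""
    tags = []
    for name, rsize, rptr, chars in parse_sections(data):
        if name == b".reloc":
            body = data[rptr:rptr + rsize]
            checks = [(chars & (SCN_EXEC | SCN_CODE), "reloc_executable"), (chars & SCN_WRITE, "reloc_writable"),
                      (not reloc_blocks_valid(body), "reloc_malformed"), (entropy(body) > 7.0, "reloc_high_entropy")]
            tags += [tag for hit, tag in checks if hit]
    return tags
def build_sample_pe(reloc_body, reloc_chars):
    """Constructed minimal PE32 image (headers only, not a real binary) with a .text and a .reloc section."""
    opt_size, text_ptr = 0xE0, 0x200
    sec = lambda n, va, sz, ptr, ch: n.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", sz, va, sz, ptr, 0, 0, 0, 0, ch)
    hdr = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # DOS header with e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)  # COFF header, 2 sections
    hdr += struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 optional header (magic only)
    hdr += sec(b".text", 0x1000, 0x200, text_ptr, 0x60000020) + sec(b".reloc", 0x2000, len(reloc_body), text_ptr + 0x200, reloc_chars)
    return hdr.ljust(text_ptr, b"\0") + b"\xC3" * 0x200 + reloc_body
```

A benign .reloc (read-only, discardable, one well-formed HIGHLOW block) yields no tags, while a section that is executable, writable and filled with uniformly distributed bytes trips all four checks.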