OXLOADER Malware Uses Advanced Obfuscation and Google Ads to Deploy CastleStealer Infostealer
By HackMoN Ai
Summary
A newly discovered Windows malware loader called OXLOADER is being used in malvertising campaigns (malicious Google Ads) to deliver the CASTLESTEALER infostealer. The loader employs advanced obfuscation techniques including control-flow flattening, opaque predicates, and Mixed Boolean-Arithmetic (MBA) obfuscation, along with abusing the Windows .reloc section to stage shellcode. This multi-layered approach allows OXLOADER to achieve very low detection rates across static antivirus engines and automated sandbox environments, making it a significant emerging threat in the cybersecurity landscape.
Source
undercodetesting.com (via bsky): OXLOADER Malware Uses Advanced Obfuscation and Google Ads to Deploy CastleStealer Infostealer
Key quotes (2 pulled)
A previously undocumented Windows malware loader tracked as OXLOADER has been discovered delivering the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates across static antivirus engines and automated sandbox environments.
This sophisticated attack chain combines multiple obfuscation layers—including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic (MBA) obfuscation—with abuse of the Windows .reloc section to stage shellcode, enabling the loader to fly under the radar.
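One concrete check a defender can build from the .reloc detail above, as an added example that is not part of the original article or of the researchers' tooling: a .reloc section is supposed to contain nothing but IMAGE_BASE_RELOCATION blocks (an 8-byte header holding a page RVA and a block size, followed by 16-bit fixup entries), so bytes staged there instead of relocations will usually fail structural checks that linker output passes. The script assumes you have already extracted the section's raw bytes and the optional header's SizeOfImage from a sample with a PE parser such as pefile; the three input blobs are constructed inline (plain ASCII filler stands in for a staged payload), and the function names and the heuristics themselves are my own, not a published detection.

```python
import struct

PAGE_SIZE = 0x1000
# Relocation types a Windows x86/x64 linker normally emits:
# 0 = ABSOLUTE (alignment padding), 3 = HIGHLOW, 10 = DIR64.
EXPECTED_RELOC_TYPES = {0, 3, 10}


def audit_reloc_blob(blob: bytes, size_of_image: int) -> list:
    """Walk raw .reloc bytes as IMAGE_BASE_RELOCATION blocks and return a list of
    structural anomalies. An empty list means the data parses as a plausible
    relocation table; any finding means the bytes are unlikely to be what the
    linker wrote there. Triage heuristic only (constructed for illustration)."""
    findings = []
    offset = 0
    blocks = 0
    while offset < len(blob):
        remaining = len(blob) - offset
        if remaining < 8:
            # A few zero bytes of FileAlignment padding are normal; anything else is not.
            if any(blob[offset:]):
                findings.append(f"offset {offset:#x}: {remaining} trailing non-zero byte(s), "
                                "shorter than a block header")
            break
        page_rva, block_size = struct.unpack_from("<II", blob, offset)
        if page_rva == 0 and block_size == 0:
            # Zero header marks the end of the table; the rest should be padding only.
            tail = blob[offset:]
            if any(tail):
                findings.append(f"offset {offset:#x}: {len(tail)} bytes of non-zero data "
                                "after the last relocation block")
            break
        if page_rva % PAGE_SIZE:
            findings.append(f"offset {offset:#x}: page RVA {page_rva:#x} is not page-aligned")
        if page_rva >= size_of_image:
            findings.append(f"offset {offset:#x}: page RVA {page_rva:#x} lies outside "
                            f"SizeOfImage {size_of_image:#x}")
        if block_size < 8 or block_size % 2:
            findings.append(f"offset {offset:#x}: SizeOfBlock {block_size:#x} is not a valid block length")
            break  # cannot advance reliably past a corrupt header
        if block_size > remaining:
            findings.append(f"offset {offset:#x}: SizeOfBlock {block_size:#x} exceeds remaining "
                            f"data ({remaining:#x})")
            break
        entry_count = (block_size - 8) // 2
        entries = struct.unpack_from(f"<{entry_count}H", blob, offset + 8)
        odd_types = sorted({e >> 12 for e in entries if (e >> 12) not in EXPECTED_RELOC_TYPES})
        if odd_types:
            findings.append(f"offset {offset:#x}: entries with unexpected relocation type(s) {odd_types}")
        blocks += 1
        offset += block_size
    if blocks == 0 and not findings:
        findings.append("no relocation blocks found")
    return findings


# Constructed sample 1: what a linker emits. One block for page RVA 0x1000 with two
# HIGHLOW fixups (offsets 0x10 and 0x20), then four zero bytes of padding.
LINKER_RELOC = (struct.pack("<II", 0x1000, 12)
                + struct.pack("<HH", (3 << 12) | 0x010, (3 << 12) | 0x020)
                + b"\x00" * 4)

# Constructed sample 2: arbitrary non-relocation bytes standing in for staged code
# (ASCII 'A'..'`', not real shellcode) occupying the whole section.
STAGED_BLOB = bytes(range(0x41, 0x61))

# Constructed sample 3: a genuine table with a payload appended after the padding.
APPENDED_BLOB = LINKER_RELOC + bytes(range(0x41, 0x51))

if __name__ == "__main__":
    size_of_image = 0x20000  # would come from the optional header of the real sample
    for name, blob in (("linker", LINKER_RELOC), ("staged", STAGED_BLOB), ("appended", APPENDED_BLOB)):
        found = audit_reloc_blob(blob, size_of_image)
        print(f"{name}: {'clean' if not found else 'suspicious'}")
        for line in found:
            print("  -", line)
```

Treat a non-empty findings list as a triage signal rather than proof: a loader can keep a well-formed table and hide its payload elsewhere, and packers sometimes strip or rewrite relocations for legitimate reasons. Pairing the structural walk with the section header (a .reloc marked executable or writable, or whose virtual size is far larger than the relocation data directory says it should be, is a separate red flag) keeps the check cheap enough to run across a whole sample set.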