OXLOADER: new loader evading detection to drop infostealer

A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.

Pulse ID: 6a34874a45b9c09ee90c0aff
Pulse Link: https://otx.alienvault.com/pulse/6a34874a45b9c09ee90c0aff
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Google #GoogleAds #InfoSec #InfoStealer #Malvertising #NET #Nodejs #OTX #OpenThreatExchange #RAT #Russia #SMS #ShellCode #Windows #XLoader #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

ClickFix Is Now Hiring: From Job Platform Impersonation to Python-Based RAT Delivery

A multi-stage phishing campaign emerged in early May 2026, impersonating LinkedIn and Indeed through typosquatted domains to deliver malicious payloads. The attack chain begins with fake CAPTCHA pages distributed via Google Ads, leveraging the legacy Finger protocol and native Windows utilities. Victims are tricked into executing commands that deploy portable Python runtimes (CPython or IronPython), which then execute in-memory shellcode. The campaign delivers CastleLoader, a Malware-as-a-Service framework using ChaCha20 and RC4 encryption for C2 communications, followed by a Python-based remote access trojan. The RAT provides interactive shell control, in-memory payload execution, and persistence mechanisms. The campaign represents an evolution of browser-based social engineering, combining Living-off-the-Land binaries with Python-based delivery to maintain a fileless footprint and evade detection through legitimate system utilities.

Pulse ID: 6a2201a331661aba15d362d1
Pulse Link: https://otx.alienvault.com/pulse/6a2201a331661aba15d362d1
Pulse Author: AlienVault
Created: 2026-06-04 22:52:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CAPTCHA #ChaCha20 #CyberSecurity #Encryption #Google #GoogleAds #InfoSec #LinkedIn #Malware #MalwareAsAService #OTX #OpenThreatExchange #Phishing #Python #RAT #RemoteAccessTrojan #SMS #ShellCode #SocialEngineering #Trojan #Windows #bot #AlienVault

The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

Cybercriminals in Brazil are exploiting the country's electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices, containing VBScript droppers that download MSI installers from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable. The stager DLL downloads Havoc demon shellcode from command-and-control infrastructure at runtime, never writing the final payload to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely-monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl...

Pulse ID: 6a20a73fc005e1fc15255876
Pulse Link: https://otx.alienvault.com/pulse/6a20a73fc005e1fc15255876
Pulse Author: AlienVault
Created: 2026-06-03 22:14:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #Cloud #CyberSecurity #Email #Endpoint #Google #InfoSec #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #ShellCode #VBS #ZIP #bot #AlienVault

Reloaded in a modern Remcos RAT Infection

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.

Pulse ID: 6a1a2dd905d9f8c4474cb45e
Pulse Link: https://otx.alienvault.com/pulse/6a1a2dd905d9f8c4474cb45e
Pulse Author: AlienVault
Created: 2026-05-30 00:22:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #Autoit #Cloud #CredentialHarvesting #CyberSecurity #Email #InfoSec #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #Remcos #RemcosRAT #ShellCode #VBS #Windows #Word #ZIP #bot #AlienVault

New blog post!

This time I talk about my new favorite evasive shellcode loader, Charon. I give a brief overview of what it does, how it works and which techniques it uses.

Also a brief addendum for enjoyers of bloated implants such as Sliver.

https://ti-kallisti.com/general/ms/descending-into-hades.html

#InfoSec #Malware #Shellcode #RedTeam #RedTeaming #Pentesting #Charon #Sliver #Merlin #Mythic

Descending into Hades

Traveling down the river Styx, undetected by AV and EDR.

Ti Kallisti

If the Kardashians launched their own framework it would be Kommand and Kontrol (K2).

The Momager (Kris.exe or Kris.sh): The primary C2 listener.
The Glow Up: Privesc
Keeping Up: Lateral movement

#C2Framework #RedTeaming #PostExploitation #MalwareDevelopment #Infosec #CyberSecurity #EDRBypass #ActiveDirectory #PenTesting #ThreatHunting #MITREATTACK #APTHunting #Shellcode #ZeroDay #Persistence #Exfiltration #BlueTeam #PurpleTeaming #kardashians

This multi-part blog series is discussing an undocumented feature of Windows: instrumentation callbacks (ICs).

In part 4 we cover ICs from a more theoretical standpoint. Mainly restrictions on unsetting them, how set ICs can be detected and how new ones can be prevented from being set.

Learn more at https://cirosec.de/en/news/windows-instrumentation-callbacks-part-4/

#Blog #Windows #Shellcode #RedTeaming #ReverseEngineering

Dumb Question: what is the license of the shellcode in ShellStorm's Shellcodes Database? I cannot find any mention of a license on the website. People have started creating their own git repos to mirror the website's contents, also without any mention of a license or copyright. I feel like this is a big copyright/licensing legal problem waiting to happen.

Also, what if you only copy/paste in the hex bytes from the assembled shellcode into another project? What if you add comments with the assembly source code next to each line of hex bytes? Is that considered "derived work"?

/cc @JonathanSalwan

#shellcode #shellstorm

Shellcodes database for study cases

🌘 Implementing a web server with a single printf() call
➤ From urban legend to hardcore implementation: exploring the ultimate art of format strings
https://tinyhack.com/2014/03/12/implementing-a-web-server-in-a-single-printf-call/
A joke about Google's legendary engineer Jeff Dean circulates in the programming world: he once wrote a web server with a single `printf()` call. Although it is only a humorous anecdote, the author of this article decided to take on the challenge of making it real. By cleverly exploiting the properties of C's `printf` format strings, the author overwrote the termination-function array (.fini_array) of a Linux executable, redirecting the program's control flow to machine code embedded in the string. That machine code contains all the logic for creating a socket, listening on a port and returning an HTTP response. This is not only a virtuoso piece of code, but also a clear and accessible explanation of the underlying principles of format string attacks (Format String Attack).
+ This really is modern alchemy! I always thought format-string vulnerabilities only
#C #FormatStringVulnerability #SystemExploitation #Shellcode #LinuxSystemProgramming
Implementing a web server in a single printf() call

A guy just forwarded a joke that most of us will already know Jeff Dean Facts (also here and here). Everytime I read that list, this part stands out: Jeff Dean once implemented a web server in a single printf() call. Other engineers added thousands of lines of explanatory comments but still don't u

Tinyhack.com

How would you prefer to name macros that generate syscalls in assembly?

#namingthings #syscalls #assembly #asm #shellcode

fork()
25%
fork_syscall()
50%
fork_macro()
0%
fork_syscall_macro()
25%