OXLOADER: new loader evading detection to drop infostealer — Elastic Security Labs

Pulse ID: 6a3a9dbb9322c6f7d139af52
Pulse Link: https://otx.alienvault.com/pulse/6a3a9dbb9322c6f7d139af52
Pulse Author: CyberHunter_NL
Created: 2026-06-23 14:52:43

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ElasticSecurityLabs #InfoSec #InfoStealer #OTX #OpenThreatExchange #XLoader #bot #CyberHunter_NL

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

OXLOADER Delivers CastleStealer via Malicious Google Ads

Pulse ID: 6a3a9b8612187e97b9527bd2
Pulse Link: https://otx.alienvault.com/pulse/6a3a9b8612187e97b9527bd2
Pulse Author: cryptocti
Created: 2026-06-23 14:43:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Google #GoogleAds #InfoSec #OTX #OpenThreatExchange #XLoader #bot #cryptocti

OXLOADER: new loader evading detection to drop infostealer

Pulse ID: 6a362a8bcd04d550ae614121
Pulse Link: https://otx.alienvault.com/pulse/6a362a8bcd04d550ae614121
Pulse Author: Tr1sa111
Created: 2026-06-20 05:52:11

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #InfoStealer #OTX #OpenThreatExchange #XLoader #bot #Tr1sa111

OXLOADER: new loader evading detection to drop infostealer

A previously undocumented Windows loader designated as OXLOADER delivers the CASTLESTEALER infostealer through malicious Google Ads campaigns, achieving remarkably low detection rates. The loader employs multiple obfuscation layers including control-flow flattening, opaque predicates, and mixed Boolean-Arithmetic techniques, along with self-modifying decryption stubs and abuse of the Windows .reloc section for shellcode staging. Distribution occurs via malvertising impersonating Node.js installations, redirecting victims through intermediary domains to Storj-hosted batch scripts. The loader implements five anti-VM and language checks, including CIS-region and Russian-language exclusions, suggesting a financially motivated Russian-speaking threat actor. OXLOADER uses DonutLoader to deliver the .NET-based CASTLESTEALER payload in memory, evading traditional detection mechanisms through deliberate engineering choices.
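One of the more unusual techniques in the summary above is staging shellcode in the PE `.reloc` section. A genuine `.reloc` is a chain of IMAGE_BASE_RELOCATION blocks (page RVA, block size, 16-bit entries) that the linker marks as read-only, discardable, initialized data; a section that carries an encrypted blob instead usually fails one or more of those properties. The following is an added triage script (not code from Elastic Security Labs, the pulse author, or the OXLOADER samples) that parses the section table of a PE file and tags a `.reloc` section that is executable or writable, has near-random entropy, or does not walk as a relocation block chain. The helper names, the 7.0-bit entropy threshold, and the minimal PE32 images built by `build_sample_pe` are assumptions constructed for the demonstration, not real samples.

```python
import math
import struct
from typing import List, NamedTuple

# PE section characteristic flags (values from the PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Flags a linker normally gives .reloc: initialized data, discardable, read-only.
RELOC_CHARS_NORMAL = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
TEXT_CHARS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int
    characteristics: int


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        name = f[0].rstrip(b"\0").decode("ascii", errors="replace")
        out.append(Section(name, f[1], f[2], f[3], f[4], f[9]))
    return out


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed data sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_reloc_table(data: bytes) -> bool:
    """True if data walks as IMAGE_BASE_RELOCATION blocks followed by zero padding."""
    off = 0
    while off + 8 <= len(data):
        page_rva, block_size = struct.unpack_from("<II", data, off)
        if page_rva == 0 and block_size == 0:
            break  # trailing alignment padding
        if block_size < 8 or block_size % 2 or off + block_size > len(data) or page_rva & 0xFFF:
            return False  # bad block size, or page RVA not page-aligned
        off += block_size
    return off > 0


def triage_reloc(pe: bytes, entropy_threshold: float = 7.0) -> List[str]:
    """Return tags for a .reloc section that does not behave like relocation data."""
    findings = []
    for s in parse_sections(pe):
        if s.name != ".reloc" or s.raw_size == 0:
            continue
        body = pe[s.raw_ptr:s.raw_ptr + s.raw_size]
        if s.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("reloc_executable")
        if s.characteristics & IMAGE_SCN_MEM_WRITE:
            findings.append("reloc_writable")
        if shannon_entropy(body) > entropy_threshold:
            findings.append("reloc_high_entropy")
        if not looks_like_reloc_table(body):
            findings.append("reloc_not_parseable")
    return findings


# --- Constructed test images (assumption: minimal PE32 with .text and .reloc; not real samples) ---
FILE_ALIGN = 0x200


def build_sample_pe(reloc_data: bytes, reloc_chars: int) -> bytes:
    def align(n: int) -> int:
        return (n + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
    text = b"\xC3".ljust(FILE_ALIGN, b"\0")                  # a single RET
    reloc = reloc_data.ljust(align(len(reloc_data)), b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")          # PE32 magic, remaining fields zeroed
    fmt = "<8sIIIIIIHHI"
    text_hdr = struct.pack(fmt, b".text", len(text), 0x1000, len(text), FILE_ALIGN, 0, 0, 0, 0, TEXT_CHARS)
    reloc_hdr = struct.pack(fmt, b".reloc", len(reloc), 0x2000, len(reloc), FILE_ALIGN + len(text),
                            0, 0, 0, 0, reloc_chars)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + reloc_hdr).ljust(FILE_ALIGN, b"\0")
    return headers + text + reloc


# One genuine relocation block: page 0x1000, 12 bytes, two HIGHLOW (type 3) entries.
GENUINE_RELOC = struct.pack("<IIHH", 0x1000, 12, 0x3008, 0x3010)
# Stand-in for an encrypted shellcode blob staged in .reloc (every byte value twice -> entropy 8.0).
STAGED_BLOB = bytes(range(256)) * 2

if __name__ == "__main__":
    print("clean :", triage_reloc(build_sample_pe(GENUINE_RELOC, RELOC_CHARS_NORMAL)))
    print("staged:", triage_reloc(build_sample_pe(STAGED_BLOB, TEXT_CHARS)))
```

Run against a real file with `triage_reloc(open(path, "rb").read())`. The entropy test alone is a weak signal (packed legitimate binaries also carry high-entropy sections), so treat the combination, an executable or unparseable `.reloc`, as the interesting case, and confirm with the data directory entry for base relocations and a look at what references the section at runtime.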

Pulse ID: 6a34874a45b9c09ee90c0aff
Pulse Link: https://otx.alienvault.com/pulse/6a34874a45b9c09ee90c0aff
Pulse Author: AlienVault
Created: 2026-06-19 00:03:22

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ELF #Google #GoogleAds #InfoSec #InfoStealer #Malvertising #NET #Nodejs #OTX #OpenThreatExchange #RAT #Russia #SMS #ShellCode #Windows #XLoader #bot #AlienVault

Couple #reverseloader -> #xloader #opendir at:

http://107.175.246 .42/25/
http://89.40.31 .143/img/

2026-04-13 (Monday): #XLoader (#Formbook) infection.

A #pcap of the traffic, the associated email and #malware samples are available at https://malware-traffic-analysis.net/2026/04/13/index.html

Also at https://cstaipas\.pt/encrypt, though this one is #xloader, a fake c2 at: http://www.emberfmeadowzu\.store/jmy3/

#CheckPoint Research demonstrated a new way to use #ChatGPT for #malware analysis directly from the web interface, analyzing #XLoader malware. The workflow using exported IDA data enables static analysis, rapid decryption, IoC extraction, and hidden C2 discovery.

https://research.checkpoint.com/2025/generative-ai-for-reverse-engineering/

Leveraging Generative AI to Reverse Engineer XLoader

Check Point Research succeeded in understanding the infamous malware family, Xloader, by leveraging Generative AI

Check Point Research

#malware #opendir #xloader (small one works, big one not so much) at:

https://royfils\.com/encrypt/

2cd9b8fb88e7cbbc5c049441fb61e0aea7be23dc7aa2c109c13abefe7a2ac943

4733feaca04e871d4e0bb052f2437a2f46f10852602ea4f8b2f0170f4838dd87

🤺 AI vs. XLoader: Guess who’s winning?

#CheckPoint Research used generative AI to tear through #XLoader, one of the most encrypted, evasive malware strains — uncovering its secrets in mere hours.

And here’s the twist: It all happened with #ChatGPT. No heavy tooling. No waiting.

#AI is changing the rules of malware analysis, and the race just shifted in our favor: https://blog.checkpoint.com/research/cracking-xloader-with-ai-how-generative-models-accelerate-malware-analysis

#CyberSecurity #AIsecurity