OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
Summary
The OXLOADER malware activity now shows a loader delivering CastleStealer through PowerShell, UAC prompting, and DLL side-loading, giving the stealer a stealthier path to infected Windows systems. The loader's obfuscation layers and anti-VM checks help it avoid static detection and sandbox analysis. That combination increases the chance that the payload executes before defenders can stop it.
Related Happenings
REF8372 malicious Google Ads CastleStealer delivery campaign
Campaign
H score: 27
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
How related:
According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware.
About this happening:
The **REF8372** campaign now uses **malicious Google Ads** and a fake **Node.js** download site to deliver **OXLOADER** and **CastleStealer**, putting search users at risk of malw...
LeakNet ransomware gang ClickFix and Deno in-memory loader activity
Malware Activity
H score: 23
First: 17.03.2026 14:09
Last: 17.03.2026 14:09
Sources 1
About this happening:
The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
H score: 19
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
LummaStealer infection surge via CastleLoader
Malware Activity
H score: 30
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT
Campaign
H score: 33
First: 04.02.2026 19:24
Last: 04.02.2026 19:24
Sources 1
About this happening:
The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...
Timeline
- 22.06.2026 16:20 · 1 article
Google removes advertiser account tied to malicious ad campaigns
Mitigation / Patch Update: Google removed the advertiser account and its ad campaigns on May 14, 2026 after the campaign used malicious Google Ads to direct users to the fake node-js[.]prentiva99[.]info site.
Sources:
- New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer — thehackernews.com — 22.06.2026 16:20
- 22.06.2026 16:20 · 2 articles
Researchers disclose REF8372 campaign delivering OXLOADER and CastleStealer
Initial Disclosure: Cybersecurity researchers disclosed REF8372, a campaign that uses malicious Google Ads and a fake node-js[.]prentiva99[.]info site to deliver OXLOADER, a previously unreported loader that downloads a Storj-hosted executable through PowerShell, triggers a Windows User Account Control (UAC) prompt with -Verb RunAs, and uses DLL side-loading to decrypt and execute CastleStealer. The activity is assessed as likely Russian-speaking and financially motivated, with explicit exclusions for machines in the CIS region.
Sources:
- New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer — thehackernews.com — 22.06.2026 16:20