CASTLESTEALER
Intelligence Profile
According to Elastic Security Labs, CASTLESTEALER is a .NET-based information-stealing malware family that is delivered in memory by the OXLOADER loader using DonutLoader-generated shellcode. It is embedded as an encrypted and compressed .NET assembly that is decrypted, decompressed, and reflectively executed in memory to minimize on-disk artifacts. The family uses AES-encrypted communications with its command-and-control infrastructure, with a characteristic hard-coded key that has been reused across samples. As an infostealer targeting Windows environments, it is designed to collect sensitive data (such as user credentials) and operates in memory to support discovery and data exfiltration while evading conventional detection.
Threat Analysis
CASTLESTEALER is operated by a threat actor of undetermined national origin, engaged in cyber operations whose primary motivation and activity patterns are unknown.