APT / THREAT GROUP

CASTLESTEALER

2 aliases
Last seen: Jun 26, 2026

Intelligence Profile

According to Elastic Security Labs, CASTLESTEALER is a .NET-based information-stealing malware family that is delivered in-memory by the OXLOADER loader using DonutLoader-generated shellcode. It is embedded as an encrypted and compressed .NET assembly that is decrypted, decompressed, and reflectively executed in memory to minimize on-disk artifacts. The family uses AES-encrypted communications with its command-and-control infrastructure, with a characteristic hard-coded key that has been reused across samples. As an infostealer targeting Windows environments, it is designed to collect sensitive data (such as user credentials and other information) and interacts with the system in memory to support discovery and data exfiltration while evading conventional detection.

Threat Analysis

CASTLESTEALER is tracked here as a threat actor of undetermined national origin; the sophistication and primary motivation behind its cyber operations are not established, and no distinct activity patterns have been attributed to it.

Quick Facts

Type: APT / Threat Group
Aliases: 2

Also Known As

win.castle_stealer
CASTLESTEALER

External Intelligence

Malpedia: win.castle_stealer

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.