CASTLESTEALER is a sophisticated information-stealing malware that operates almost entirely in your computer's memory, making it exceptionally difficult to detect with traditional antivirus software. Developed in .NET and typically delivered through a loader called OXLOADER, this threat is designed specifically to harvest sensitive data from Windows machines while leaving minimal traces on your hard drive. First documented by Elastic Security Labs in early 2025, CASTLESTEALER represents a troubling evolution in malware design—it's encrypted, compressed, and executed without ever being fully written to disk as a standalone file.

CASTLESTEALER — cybersecurity illustration
Photo by Miguel Á. Padriñán on Pexels
Think you're infected right now? Disconnect from the internet immediately (unplug Ethernet or disable Wi-Fi). Do not log into any accounts, banking sites, or email until the infection is removed. CASTLESTEALER is actively harvesting credentials and session tokens while it runs. Call us at (770) 856-1705 or bring your machine to our Roswell shop today—we offer same-day malware removal with a 90-day reinfection warranty.

Threat Profile

Malware Family CASTLESTEALER
Classification Information Stealer / Credential Harvester
Platform Windows (all modern versions)
File Type Windows PE executable (.exe) delivered as encrypted .NET assembly
Execution Method Reflective in-memory loading via DonutLoader-generated shellcode
First Documented Early 2025 (Malpedia updated June 2026)
Detection Names CASTLESTEALER, variants detected as generic .NET loaders by some engines
Typical Delivery Vector OXLOADER malware loader (phishing attachments, trojanized software)
C2 Communication AES-encrypted channels with hard-coded reusable key
Primary Targets Browser credentials, email accounts, cryptocurrency wallets, session tokens
Detection Difficulty High—minimal disk footprint, in-memory execution evades many scanners
Persistence Mechanism Varies by deployment; often relies on loader for re-injection

How It Spreads

CASTLESTEALER doesn't arrive on your system by itself—it's almost always delivered by a separate piece of malware called OXLOADER, which acts as a dropper. The typical infection chain starts with a phishing email containing a weaponized attachment (Office documents with malicious macros, ZIP archives with disguised executables) or a link to a trojanized software installer. Once OXLOADER gains execution on your machine, it downloads the encrypted CASTLESTEALER payload, decompresses it, and injects it directly into memory without ever writing the complete malware to your hard drive. This technique, called "fileless" or "in-memory" execution, allows the threat to evade traditional antivirus scans that rely on scanning files on disk.

The sophistication of this delivery mechanism means you won't see a suspicious file sitting in your Downloads folder. By the time you notice anything wrong—sluggish performance, unusual network activity, or compromised accounts—the stealer has likely already completed its mission and exfiltrated your data. The use of DonutLoader-generated shellcode (a technique borrowed from penetration testing tools) further complicates detection, as the payload is wrapped in layers of obfuscation that appear benign to signature-based security tools.

Common distribution vectors include:

  • Phishing emails with infected attachments claiming to be invoices, shipping notices, or urgent security alerts
  • Malicious Office documents that prompt you to "Enable Macros" or "Enable Content" to view the document properly
  • Trojanized software installers disguised as legitimate applications (productivity tools, system utilities, game cracks)
  • Compromised websites serving drive-by downloads through exploit kits targeting outdated browser plugins
  • Software supply chain attacks where legitimate update mechanisms are hijacked to distribute the OXLOADER payload
  • Pirated software bundles and key generators downloaded from untrustworthy sources

What It Does On Your Machine

Once CASTLESTEALER is reflectively loaded into memory—typically injected into a legitimate Windows process to avoid suspicion—it immediately begins harvesting sensitive information. As a .NET-based stealer, it targets data stores commonly used by Windows applications: browser credential databases, email client configuration files, cryptocurrency wallet files, and application session tokens. The malware systematically enumerates installed browsers (Chrome, Firefox, Edge, Opera, Brave) and extracts saved passwords, autofill data, credit card information, and browsing history. It also targets browser session cookies, which allow attackers to hijack your authenticated sessions on websites without needing your password.

The stolen data is encrypted using AES before being transmitted to the attacker's command-and-control server. According to Elastic Security Labs' research, CASTLESTEALER samples reuse the same hard-coded AES key across multiple campaigns—a programming shortcut that aids researchers but doesn't diminish the threat to victims. The encryption ensures that network monitoring tools won't easily detect the exfiltration, and the use of HTTPS for C2 communications further conceals the malicious traffic among normal web activity.

Beyond credential theft, CASTLESTEALER often collects system reconnaissance data: installed software lists, running processes, security product information, and network configuration details. This intelligence helps attackers understand your environment and plan follow-up attacks. In some observed infections, the malware has also captured screenshots and keystrokes, though these capabilities vary depending on the specific variant deployed. The stealer operates silently without displaying error messages or obvious symptoms, though you may notice increased memory usage by legitimate processes (like svchost.exe or explorer.exe) if the payload is injected into them.

# Observed behavioral artifacts (from sandbox analysis): Memory injection target processes (varies by deployment): C:\Windows\System32\svchost.exe C:\Windows\explorer.exe C:\Program Files\Internet Explorer\iexplore.exe Typical data harvesting targets: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data %APPDATA%\Mozilla\Firefox\Profiles\*.default\logins.json %APPDATA%\Opera Software\Opera Stable\Login Data %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data C2 communication characteristics: AES-encrypted POST requests to remote servers Hard-coded encryption key reused across samples HTTPS traffic to evade network inspection # Note: Because execution is primarily in-memory, traditional file-based IOCs # are limited. Forensic analysis requires memory dumps and process monitoring.

Manual Removal — Step by Step

01

Disconnect from the Internet

Immediately disable all network connections—unplug Ethernet cables and turn off Wi-Fi. This prevents CASTLESTEALER from exfiltrating any additional data and receiving further commands from its C2 server. Do not reconnect until the removal process is complete.

02

Boot Into Safe Mode with Networking

Restart your computer and press F8 repeatedly during boot (Windows 10/11: hold Shift while clicking Restart, then navigate to Troubleshoot > Advanced Options > Startup Settings > Restart > press 5 or F5 for Safe Mode with Networking). This loads only essential Windows components and may prevent the OXLOADER dropper from re-injecting CASTLESTEALER.

03

Run a Full Scan with Updated Security Software

Update your antivirus definitions (you'll need to temporarily re-enable internet for this) and run a complete system scan. While CASTLESTEALER itself may evade detection due to its in-memory execution, good security software should identify the OXLOADER dropper or other artifacts. Use multiple scanners if possible—Malwarebytes, Windows Defender, and HitmanPro are all good options.

04

Check for Suspicious Processes and Startup Items

Open Task Manager (Ctrl+Shift+Esc) and examine running processes for anything unfamiliar, especially processes consuming unusual amounts of memory. Use Task Manager's Startup tab or run msconfig to review programs configured to launch at boot. Disable any entries you don't recognize, but be cautious—legitimate Windows services may have cryptic names.

05

Inspect Common Persistence Locations

Press Win+R, type shell:startup, and delete any suspicious shortcuts. Then check registry run keys by opening regedit and examining HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for unfamiliar entries pointing to executables in Temp folders or randomly named directories.

06

Clear Browser Data and Extensions

Because CASTLESTEALER targets browser credentials and session tokens, open each installed browser and remove all extensions you didn't intentionally install. Clear all cookies, cached data, and saved passwords. Yes, this means you'll need to log back into websites, but any saved credentials are now compromised and must be changed anyway.

07

Change All Passwords from a Clean Device

Use a different computer or smartphone (not the infected machine) to change passwords for every important account—email, banking, social media, work accounts, and any sites where you've stored payment information. Enable two-factor authentication wherever possible. Assume every credential stored in your browsers has been stolen.

08

Monitor Financial Accounts and Credit

Check bank and credit card statements for unauthorized transactions. Consider placing a fraud alert or credit freeze with the major credit bureaus (Equifax, Experian, TransUnion). Information stealers are often used to facilitate identity theft, so ongoing vigilance is essential even after technical remediation.

09

Verify Complete Removal

After performing the above steps, restart your computer normally (not in Safe Mode) and run additional scans with multiple security tools. Monitor Task Manager for several days to ensure no suspicious processes reappear. Check your browser's network activity using developer tools (F12 > Network tab) to verify no unauthorized connections are being made.

10

Consider Professional Remediation

If you're uncertain about any step, or if scans continue to detect threats after following this process, professional assistance is strongly recommended. CASTLESTEALER's in-memory execution and sophisticated loader make it difficult to remove without specialized tools and expertise. The cost of incomplete removal—ongoing data theft, reinfection, or identity fraud—far exceeds the cost of professional malware removal.

Prevention

  1. Never enable macros in Office documents from unknown sources, even if the document claims you must enable them to view the content. Legitimate businesses don't send macro-enabled documents to customers.
  2. Keep Windows and all software updated with the latest security patches. Enable automatic updates for your operating system, browsers, and all applications. Many infections exploit known vulnerabilities that have been patched for months or years.
  3. Use comprehensive security software with real-time protection, and ensure it includes behavioral detection and memory-scanning capabilities. Signature-based detection alone won't catch sophisticated threats like CASTLESTEALER that operate in memory.
  4. Verify email senders carefully before opening attachments or clicking links. Hover over sender addresses to see the full email—attackers often use addresses that look almost legitimate (support@micros0ft.com instead of microsoft.com). When in doubt, contact the supposed sender through a known-good phone number or website, not by replying to the suspicious email.
  5. Don't download software from untrustworthy sources, including torrent sites, key generator pages, or random download portals. Pirated software is a primary distribution method for loaders like OXLOADER. Download applications only from official vendor websites or reputable stores (Microsoft Store, Apple App Store).
  6. Use a password manager instead of browser-saved passwords. While CASTLESTEALER can potentially target password managers too, quality password managers use additional encryption layers and master passwords, making bulk credential theft more difficult. They also make it practical to use unique passwords for every site.
  7. Implement network segmentation if you run a business. Keep financial workstations and systems handling sensitive data on separate network segments with restricted internet access. This limits an infection's ability to spread and reduces the attack surface.
  8. Educate everyone who uses your computers about phishing tactics and social engineering. Technical controls are important, but human vigilance is your first line of defense. Regular security awareness training significantly reduces successful phishing attacks.
Our 90-Day Reinfection Warranty: When Computer Repair Roswell removes malware from your system, we stand behind our work. If the same infection returns within 90 days, we'll re-clean your machine at no additional charge. We use enterprise-grade tools and techniques to ensure complete eradication—not just symptom suppression.

Bring It In

CASTLESTEALER represents exactly the kind of threat that's difficult for home users and even small business IT staff to fully remediate without specialized training and tools. Its in-memory execution, sophisticated loader, and data exfiltration capabilities require forensic-level analysis to ensure complete removal. While the manual steps above can address typical infections, there's always uncertainty with fileless malware—did you really get all the components? Is the OXLOADER dropper completely gone? Have all persistence mechanisms been eliminated?

At Computer Repair Roswell, we see these advanced infections regularly and have the diagnostic equipment and expertise to definitively answer those questions. Our malware removal service includes memory forensics, network traffic analysis, and thorough post-remediation verification that goes beyond what consumer antivirus software can provide. We're located right here in Roswell, Georgia, and most malware removals are completed same-day. Call us at (770) 856-1705 or stop by our shop—we'll evaluate your system, explain exactly what we find, and provide a flat-rate quote before beginning any work. Don't let uncertainty about incomplete removal put your financial accounts and personal information at continued risk.