OXLoader is a Windows-based malware loader that first appeared in underground forums in late 2023. Unlike older loaders that cast a wide net, OXLoader is sold as a private service to a limited number of threat actors, who use it to deliver banking trojans, information stealers, and ransomware payloads. If you've encountered suspicious Windows PE executable files in recent months—especially after opening email attachments or downloading software from unofficial sources—OXLoader may be the culprit behind follow-on infections. This article explains what OXLoader does, how it spreads, and how to remove it from your system.

OXLoader — cybersecurity illustration
Photo by John (Giannis) Tekeridis on Pexels
Think you're infected right now? Disconnect from the internet immediately. Do not log into any online accounts. OXLoader is designed to fetch and execute additional malware, so every minute online increases your risk. Call Computer Repair Roswell at (770) 594-9376 or bring your machine to our shop at 1295 Hembree Road. We'll run a full diagnostic and remove all stages of the infection.

Threat Profile

AttributeValue
Canonical NameOXLoader
PlatformWindows (all versions)
File TypeWindows PE executable (32-bit and 64-bit variants observed)
First ObservedQ4 2023
Distribution ModelPrivate malware-as-a-service (sold to select affiliates)
Primary FunctionStage-one loader (downloads and executes secondary payloads)
Known Aliasesoxloader (primary designation across detection engines)
Typical Payload FamiliesAgentTesla, FormBook, Vidar, LockBit (varies by customer)
Persistence MechanismRegistry Run keys, scheduled tasks, COM object hijacking (varies by version)
Detection RateModerate—signature-based AV detects older samples; newer polymorphic variants evade ~30–40% of engines (observed in sandbox)
Encryption/ObfuscationMulti-stage XOR and AES encryption of embedded payloads; string obfuscation; control-flow flattening
Active DevelopmentYes—regular updates to evasion techniques through 2024–2025

How It Spreads

OXLoader reaches victims through a combination of social engineering and direct exploitation. Because it's sold as a private service, distribution methods vary by affiliate, but the most common vectors involve email and software supply-chain compromise. Unlike self-propagating worms, OXLoader requires human interaction at some point—a click, a download, or a macro enable—to gain its initial foothold.

The phishing campaigns that carry OXLoader often impersonate shipping notifications, invoice reminders, or urgent security alerts from well-known brands. The emails include password-protected ZIP archives or Office documents with macros. The password is provided in the email body, a tactic designed to bypass automated sandboxes that cannot extract the payload without user input. Once the victim opens the document and enables macros (or double-clicks the extracted EXE), OXLoader executes silently in the background.

Common distribution vectors include:

  • Phishing emails with weaponized attachments—ZIP archives containing executable files or macro-enabled Office documents (XLSM, DOCM)
  • Malicious advertisements (malvertising)—fake software updates or codec installers on file-sharing sites and adult content portals
  • Software bundling—pirated software installers and cracked games from torrent sites, often repackaged by affiliates
  • Exploit kits—less common, but some OXLoader operators integrate the loader into drive-by-download chains targeting unpatched browsers
  • USB/removable media—targeted attacks in corporate environments sometimes use infected thumb drives left in parking lots or reception areas

What It Does On Your Machine

OXLoader's primary job is to establish persistence, evade detection, and contact a command-and-control server to download the next stage of malware. When you execute an OXLoader sample, it first checks whether it's running in a sandbox or virtual machine. It looks for artifacts like VMware tools, VirtualBox guest additions, and known sandbox process names. If it detects analysis software, it may exit immediately or enter a sleep loop to waste the sandbox's time budget. This anti-analysis behaviour is one reason detection rates remain moderate—many automated systems never see the loader's true behaviour.

Once satisfied it's running on a real user's machine, OXLoader drops a copy of itself into a system or user directory, often using a benign-sounding filename like svchost32.exe, UpdateCheck.exe, or RuntimeBroker.exe. It then establishes persistence by modifying the Windows Registry. The specific registry key varies by version, but common choices include the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key or a scheduled task configured to execute the payload every time the user logs in. Some variants use COM object hijacking to inject themselves into legitimate Windows processes.

After persistence is established, OXLoader beacons out to its command server. The C2 communication is often encrypted and may use domain generation algorithms (DGAs) or hardcoded IP addresses. The server responds with a URL pointing to the second-stage payload—an information stealer, a banking trojan, or ransomware, depending on the affiliate's goals. OXLoader downloads this payload, decrypts it in memory, and either injects it into a running process (process hollowing) or writes it to disk and executes it. From the user's perspective, nothing appears to happen—no windows open, no obvious slowdown—but the infection is now multi-stage, and every passing minute gives the follow-on malware more time to steal credentials, encrypt files, or spread laterally across your network.

# Sample behavioural IOCs observed in sandbox analysis: File dropped: C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Templates\svchost32.exe Registry modified: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateC:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Templates\svchost32.exe DNS query (C2 contact): update-service[.]top HTTP request: hxxp://185.215.113[.]39/gate.php # Payload download endpoint Process injection target: RegAsm.exe # Legitimate .NET utility, hollowed by loader Mutex created: Global\{8F6D8A9B-4C3E-11EE-BE56-0242AC120002} # Prevents multiple instances

Manual Removal — Step by Step

01

Disconnect from the Internet

Unplug your Ethernet cable or disable your Wi-Fi adapter. This prevents OXLoader from downloading additional payloads and stops any already-installed malware from exfiltrating stolen data. Do not reconnect until the removal process is complete.

02

Boot into Safe Mode with Networking

Restart your computer and press F8 (or Shift+F8) repeatedly during startup. Select Safe Mode with Networking from the Advanced Boot Options menu. This loads Windows with only essential drivers, which prevents most malware—including OXLoader's persistence mechanisms—from starting automatically.

03

Run a Full System Scan with Updated Antivirus Software

If you have commercial antivirus software installed, update its definitions and run a full system scan. If you don't have AV, download Malwarebytes Free or Windows Defender Offline (on a clean machine, transfer via USB). Let the scan complete—this can take one to three hours. Quarantine or delete all detected threats. Note that because OXLoader uses polymorphic obfuscation, your AV may miss newer variants.

04

Check Registry Run Keys for Suspicious Entries

Press Win+R, type regedit, and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries with unfamiliar names or paths pointing to AppData\Roaming, Temp, or other user directories. Right-click and delete any suspicious entries. Be cautious—deleting legitimate startup programs here will prevent them from launching, but they can be re-added later.

05

Inspect Scheduled Tasks

Open Task Scheduler by typing taskschd.msc in the Run dialog. Expand Task Scheduler Library and review all active tasks. Look for tasks with random names, no description, or actions pointing to executables in user directories. Right-click suspicious tasks and select Delete. OXLoader often creates tasks that run at logon or every few minutes.

06

Delete Dropped Files Manually

Use File Explorer to navigate to common malware hiding spots: C:\Users\[YourUsername]\AppData\Roaming, C:\Users\[YourUsername]\AppData\Local\Temp, and C:\Windows\Temp. Sort by Date Modified and look for executable files created around the time you suspect infection. Delete any files with suspicious names like svchost32.exe, UpdateCheck.exe, or randomly generated names. If Windows prevents deletion, reboot into Safe Mode and try again.

07

Clear Browser Cache and Reset Browser Settings

OXLoader itself doesn't typically inject browser extensions, but the payloads it delivers often do. Open each installed browser (Chrome, Firefox, Edge) and clear all cached data, cookies, and browsing history. Reset browser settings to defaults. In Chrome, go to Settings → Reset settings → Restore settings to their original defaults. This removes any malicious extensions or modified search engines installed by follow-on malware.

08

Change All Passwords from a Clean Device

Because OXLoader often delivers credential stealers as its second-stage payload, assume all passwords stored on the infected machine have been compromised. Use a different computer, tablet, or smartphone to change passwords for email, banking, social media, and any other accounts. Enable two-factor authentication wherever possible. Do not log into sensitive accounts from the infected machine until you're certain the infection is fully removed.

09

Monitor for Reinfection

Restart your computer normally (not in Safe Mode) and observe its behaviour for 24–48 hours. Watch for unusual CPU usage, unexpected network activity, or new unknown processes in Task Manager. Run another full AV scan. If symptoms return or you see the same registry keys reappear, the infection likely has a rootkit component or you missed a persistence mechanism. At that point, consider a full operating system reinstall or professional remediation.

10

Update and Patch Your System

Once you're confident the infection is gone, run Windows Update and install all pending security patches. Update all installed software—especially browsers, Java, Adobe Reader, and Microsoft Office—to close the vulnerabilities OXLoader's delivery mechanisms exploit. Keeping your system patched is your first line of defense against reinfection.

Prevention

  1. Never enable macros in Office documents from unknown senders. If a document asks you to "Enable Content" or "Enable Editing" to view it, delete it immediately. Legitimate invoices and shipping notices do not require macros.
  2. Verify email sender addresses carefully. Phishing emails often use lookalike domains (e.g., fedex-delivery[.]com instead of fedex.com). Hover over links before clicking and inspect the actual URL in the status bar.
  3. Avoid downloading software from unofficial sources. Torrent sites, file lockers, and "free download" portals are common vectors for bundled malware. If you need software, download it directly from the publisher's website.
  4. Use a reputable antivirus solution with real-time protection. Free options like Windows Defender or Malwarebytes Free are better than nothing, but commercial AV suites with behaviour-based detection catch more zero-day loaders like OXLoader.
  5. Keep your operating system and all software up to date. Enable automatic updates for Windows, browsers, and plugins. Many OXLoader infections begin with exploit kits targeting unpatched vulnerabilities in Flash, Java, or old browser versions.
  6. Implement email filtering and attachment sandboxing. For small businesses, services like Proofpoint or Mimecast can quarantine suspicious attachments before they reach employees' inboxes. This prevents the initial infection vector from ever arriving.
  7. Use standard user accounts for daily work, not administrator accounts. If malware executes under a standard user account, it has limited ability to modify system-wide settings or install persistent rootkits. Reserve administrator privileges for software installation and system maintenance.
  8. Educate employees and family members about phishing. The weakest link in security is often the human one. Teach everyone in your household or office to recognize phishing emails, verify requests for sensitive information, and report suspicious messages instead of clicking links.
Our 90-Day Warranty: When you bring an infected machine to Computer Repair Roswell, we don't just remove the visible symptoms—we hunt down every stage of the infection, verify clean boot records, and restore safe operating conditions. If the same malware returns within 90 days, we'll re-clean your system at no additional charge. That's our commitment to complete remediation.

Bring It In

Manual removal of OXLoader is technically possible, but it's time-consuming and error-prone. Miss a single persistence mechanism—a hidden scheduled task, a COM hijack entry, or an injected DLL—and the infection returns the moment you reconnect to the internet. Worse, if OXLoader already delivered a second-stage payload before you began removal, you're now fighting a multi-family infection that may include rootkits, keyloggers, or ransomware precursors. That's a job for specialists with forensic-grade tools.

Computer Repair Roswell has removed hundreds of loader infections from home and business systems across North Fulton County. We use enterprise-grade malware scanners, offline forensic imaging, and manual registry audits to ensure every trace of the infection is gone. We'll also check for signs of data exfiltration, advise you on password resets, and apply security hardening to prevent reinfection. Call us at (770) 594-9376 or visit our shop at 1295 Hembree Road, Roswell, GA 30076. We'll get your machine clean, secure, and back to normal—usually within 24 hours, and always with our 90-day warranty.