New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
Publish Date: 2026-06-22 09:20:00
Source Domain: thehackernews.com
Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER.
According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions to prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372.
“The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode,” researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown.
The attack begins when unsuspecting users enter queries such as “lts version of node.js” on search engines like Google, redirecting them to a fake website (“node-js[.]prentiva99[.]info”) surfaced via bogus ads published under the verified name “ВОЛОДИМИР ТЕРЕЩЕНКО” that’s purportedly based in Ukraine.
It’s currently unknown if the advertiser account is linked to the actual threat actor, or if it’s a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026.
Users who end up interacting with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters.
Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command and executing it with -Verb RunAs…
