[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fD6F5FknXGiHkR0zl8zSrM0CS8CsRiUzQg19I23Kpm4I":3},{"article":4,"iocs":44},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"4c536581-7d46-4c24-be28-402820791ad1","New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer","new-oxloader-loader-uses-malicious-google-ads-to-deliver-castlestealer-dd93fd","Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the","A new malware loader named OXLOADER is being used to distribute the CastleStealer information stealer via malicious Google Ads. The campaign, codenamed REF8372, targets users searching for software like Node.js, redirecting them to fake websites. Threat actors are leveraging legitimate services like Storj and employing advanced obfuscation techniques to evade detection.","New OXLOADER malware loader uses malicious Google Ads to distribute CastleStealer.","New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer Ravie Lakshmanan Jun 22, 2026 Malvertising \u002F Endpoint Security Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. 
Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions to prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372. \"The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode,\" researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown. The attack begins when unsuspecting users enter queries such as \"lts version of node.js\" on search engines like Google, redirecting them to a fake website (\"node-js[.]prentiva99[.]info\") surfaced via bogus ads published under the verified name \"ВОЛОДИМИР ТЕРЕЩЕНКО\" that's purportedly based in Ukraine. It's currently unknown if the advertiser account is linked to the actual threat actor, or if it's a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026. Users who end up interacting with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters. Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt. The attack then employs DLL side-loading to launch a rogue DLL, which then proceeds to decrypt and execute the CastleStealer payload. 
OXLOADER also makes use of techniques like control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) to evade static detection, while also taking steps to ensure it's not run on sandboxed environments. CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool as part of a campaign codenamed BackgroundFix. CastleLoader is attributed to a threat activity cluster known as GrayBravo. \"OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching,\" Elastic said. \"The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis.\" \"That investment is paying off, resulting in low detection rates across static engines and detonation runs, giving OXLOADER a window to operate before it gets hunted down.\"","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fnew-oxloader-loader-uses-malicious.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEi8sz7SHbQd4E8HNEKbvGGSYhPpJrUydP_gCRt_mWYYTr6QHLmChyphenhyphenca6BXhLBXA4OyKw-eS9xbqRqpKcYWFqDp4HoLBYKjVdWzhF0K1pqjX2bPtB91y1P1PZ8gh5r7Bpp-PIeUJVi_Hki91Qf6YjFAtFmf-qh7V9gNzmbEh_A2lISCvCDnNMALAuiqAlkL_\u002Fs1600\u002Floader.jpg","2026-06-22T13:20:12+00:00","2026-06-22T14:00:14.890034+00:00",8,[18,21,23],{"name":19,"type":20},"Google","vendor",{"name":22,"type":20},"Elastic",{"name":24,"type":25},"Storj","technology","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":26,"icon":28,"name":29,"slug":30},null,"Malware","malware",[32,37,39],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":38},{"id":26,"icon":28,"name":29,"slug":30},{"category":40},{"id":41,"icon":28,"name":42,"slug":43},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[45],{"type":46,"value":47,"context":48},"domain","node-js[.]prentiva99[.]info","Fake website used in the campaign."]