Cybersecurity researchers have detailed a new campaign that uses a previously unreported malware loader called OXLOADER to deliver CastleStealer, with malicious Google ads and a fake Node.js site used as the initial lure.
KEY FACTS
- Campaign: The activity is tracked as REF8372 and appears financially motivated.
- Initial lure: Victims searching for terms such as “lts version of node.js” were redirected to a fake site through bogus ads.
- Delivery chain: The site served a batch script from Storj that downloaded and ran OXLOADER.
- Payload: OXLOADER used DLL side-loading to decrypt and execute CastleStealer.
- Scope: The ad account and related campaigns were removed from Google on May 14, 2026.
In a technical analysis, Elastic Security Labs said the loader uses control-flow flattening, opaque predicates, mixed Boolean-arithmetic (MBA) expressions, and self-modifying decryption stubs to hide its activity. The report also says the code abuses the .reloc section of Windows PE files to stage shellcode.
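One defender-side triage check that follows from the .reloc abuse, written as an added example (not code from the Elastic report or from the OXLOADER analysis): a small dependency-free PE section parser that walks the IMAGE_BASE_RELOCATION blocks in .reloc and flags a section that is marked executable or that carries non-zero bytes after the last well-formed block. The two sample images, the block-walk rules and the "STAGED-PAYLOAD-PLACEHOLDER-BYTES" marker are constructed for illustration and are assumptions, not indicators from this campaign.

```python
"""Heuristic check for a PE whose .reloc section carries more than relocations.

Added example. A normal .reloc is a chain of IMAGE_BASE_RELOCATION blocks
(4-byte page RVA, 4-byte SizeOfBlock, then 2-byte entries) followed only by
zero padding, and it is never executable. Either property breaking is a
triage signal worth a closer look, not proof of malice on its own.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe):
    """Return section-header dicts from raw PE file bytes (file layout, not a memory dump)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_HEADER_FMT, pe, table + 40 * i)
        out.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": f[1], "vaddr": f[2], "raw_size": f[3],
                    "raw_ptr": f[4], "characteristics": f[9]})
    return out


def walk_reloc_blocks(data):
    """Consume well-formed relocation blocks; return (bytes consumed, block count)."""
    off, blocks = 0, 0
    while off + 8 <= len(data):
        _page_rva, size = struct.unpack_from("<II", data, off)
        # A valid block has at least the 8-byte header, an even size, and fits in the section.
        if size < 8 or size % 2 or off + size > len(data):
            break
        off += size
        blocks += 1
    return off, blocks


def assess_reloc(pe):
    """Return finding strings for the .reloc section; an empty list means nothing odd was seen."""
    findings = []
    for s in parse_sections(pe):
        if s["name"] != ".reloc":
            continue
        if s["characteristics"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("reloc_marked_executable")
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        consumed, blocks = walk_reloc_blocks(data)
        tail = data[consumed:].rstrip(b"\0")  # linker padding is zeros; anything else is extra
        if tail:
            findings.append(f"reloc_trailing_data:{len(tail)}")
        if blocks == 0 and s["raw_size"]:
            findings.append("reloc_no_valid_blocks")
    return findings


def build_sample_pe(reloc_data, reloc_chars):
    """Construct a minimal, non-runnable PE fixture with a .text and a .reloc section."""
    hdr_size, e_lfanew = 0x200, 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: AMD64, 2 sections, no symbols, no optional header (fixture only), EXECUTABLE_IMAGE
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x0022)
    text = bytes(0x40)
    text_ptr, reloc_ptr = hdr_size, hdr_size + 0x200
    sec_text = struct.pack(SECTION_HEADER_FMT, b".text", len(text), 0x1000, len(text), text_ptr,
                           0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    sec_reloc = struct.pack(SECTION_HEADER_FMT, b".reloc", len(reloc_data), 0x2000, len(reloc_data),
                            reloc_ptr, 0, 0, 0, 0, reloc_chars)
    image = bytearray(dos + coff + sec_text + sec_reloc)
    image += bytes(hdr_size - len(image))
    image += text + bytes(0x200 - len(text))
    image += reloc_data
    return bytes(image)


# Constructed fixtures: one DIR64 fixup (type 0xA) at page offset 0x18, zero-padded to 16 bytes.
GOOD_RELOC = struct.pack("<II", 0x1000, 12) + struct.pack("<HH", 0xA018, 0x0000) + bytes(4)
# Same valid block followed by a labelled placeholder standing in for staged bytes (not real code).
SUSPECT_RELOC = GOOD_RELOC[:12] + b"STAGED-PAYLOAD-PLACEHOLDER-BYTES"
CLEAN_PE = build_sample_pe(GOOD_RELOC, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE)
SUSPECT_PE = build_sample_pe(SUSPECT_RELOC, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE)

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, assess_reloc(pe) or "no findings")
```

The parser reads the on-disk layout (PointerToRawData), so a sample carved from memory would need the virtual addresses instead. Some packers and linkers also produce unusual .reloc layouts, so treat a hit as a reason to look at the section's contents and the code that references them, not as a verdict by itself.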
The attack flow began with a search-engine ad that led to a fake domain posing as a Node.js-related download page. Users who interacted with the site were shown a bogus installation wizard while a Storj-hosted batch script fetched the next-stage executable and launched it with a request for elevated privileges, which triggered a Windows User Account Control prompt.
The same chain then used DLL side-loading to run a rogue library that decrypted and executed CastleStealer. The report says the campaign includes exclusions intended to avoid infecting machines in CIS countries, which suggests the operators are likely Russian-speaking.
WHY IT MATTERS
The campaign shows how attackers are mixing malicious ads, legitimate cloud services, and layered obfuscation to make detection harder. It also highlights how loaders can be used to deliver information-stealing malware while limiting exposure in selected regions.