The article discusses the discovery of a new malware loader named OXLOADER, which delivers the CASTLESTEALER infostealer targeting Windows users through malicious Google Ads that impersonate Node.js downloads. This campaign, tracked as REF8372, utilizes a legitimate file-sharing service for hosting and employs advanced obfuscation techniques to evade detection by antivirus software.
OXLOADER conducts multiple checks to avoid analysis, including verifying system specifications, and it manipulates a Windows system DLL to execute its payload. The article also stresses the importance of caution when interacting with sponsored search results and offers tips for defending against such threats.