
A malicious Google Ads campaign has been observed pushing a new loader called OXLOADER that delivers the CastleStealer infostealer to victims. The campaign was first spotted on 18 June 2026 and remained active as of 22 June 2026.
The Hacker News reported that OXLOADER uses deceptive advertisements to lure users into downloading a batch script which then launches the loader. This classic malvertising chain bypasses many web-based filters.
Elastic Security Labs analysis shows the loader employs sophisticated obfuscation and checks for virtual machine environments. It also uses self-modifying code together with misuse of the Windows .reloc section to execute CastleStealer without triggering standard antivirus signatures.
No CVE has been assigned to this activity. The campaign primarily targets Russian-speaking users and has been seen delivering CastleStealer, an infostealer that harvests credentials, browser data and cryptocurrency wallet information from infected hosts.
Defenders should review web proxy logs for requests to unfamiliar ad domains and block known malicious IP ranges associated with the campaign. Endpoint detection rules ought to be tuned to catch self‑modifying behaviour and unusual use of the .reloc section. Keeping signatures up to date helps flag the loader before it can deploy its payload.
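One static check that follows from the .reloc point above, written here as an added example and not code from Elastic Security Labs or the original article: a .reloc section normally holds only base-relocation data and is linked as read-only, discardable initialized data, so a .reloc marked as code, executable or writable deserves a closer look. The minimal PE parser, the `reloc_anomalies` helper and the constructed sample headers are this example's own assumptions about generic PE files, not details of how OXLOADER is built.

```python
"""Static triage helper: flag PE files whose .reloc section carries
characteristics that base-relocation data never needs (added example)."""
import struct
import sys

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
NORMAL_RELOC = 0x42000040  # INITIALIZED_DATA | DISCARDABLE | READ, typical linker output


def parse_sections(pe: bytes):
    """Return [(name, characteristics)] from the section table of a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF file header, 20 bytes
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        flags, = struct.unpack_from("<I", pe, off + 36)
        sections.append((name, flags))
    return sections


def reloc_anomalies(pe: bytes):
    """Findings for any .reloc section marked as code, executable or writable."""
    findings = []
    for name, flags in parse_sections(pe):
        if name != ".reloc":
            continue
        if flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(".reloc is executable")
        if flags & IMAGE_SCN_MEM_WRITE:
            findings.append(".reloc is writable")
        if flags & IMAGE_SCN_CNT_CODE:
            findings.append(".reloc is flagged as code")
    return findings


def build_sample_pe(reloc_flags: int) -> bytes:
    """Constructed minimal PE header (no optional header, no section data) for testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)
    def section(name, flags):
        return struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, flags)
    return dos + coff + section(b".text", 0x60000020) + section(b".reloc", reloc_flags)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x60000020)
    print("\n".join(reloc_anomalies(data)) or "no .reloc anomalies")
```

Because the article describes self-modifying code, an on-disk check like this is only a first filter: a loader that changes page protections at runtime leaves the section flags untouched, so pair it with the endpoint behavioural rules mentioned above.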
User training remains essential; staff should be warned not to execute unsolicited batch files that originate from ads. Organisations should also keep threat intelligence feeds current to spot similar malvertising tactics early.