
A new malware loader dubbed OXLOADER has been observed distributing the CASTLESTEALER infostealer through malicious Google Ads that masquerade as legitimate Node.js downloads, according to findings released by Elastic Security Labs. The campaign, first detected in mid‑June 2026 and still active as of late June, primarily targets Windows users, with a noticeable focus on Russian‑speaking victims. By poisoning sponsored search results, attackers trick users into downloading a batch script that initiates the multi‑stage infection chain.
OXLOADER begins its attack chain when a victim clicks a malicious advert and retrieves a hosted batch file from a legitimate file‑sharing service. This script launches the loader, which then performs a series of anti‑analysis checks, including verification of system specifications and detection of virtual machine environments, to avoid sandboxes. The loader employs sophisticated obfuscation, self‑modifying code, and abuses the .reloc (base relocation) section of Windows PE files to execute its payload without triggering traditional antivirus signatures.
Once the loader is active, it delivers CASTLESTEALER, an infostealer designed to harvest credentials from web browsers, cryptocurrency wallets, and email clients, as well as collect system information and screenshots. The stolen data is packaged and exfiltrated to attacker‑controlled servers via encrypted channels. Elastic’s analysis notes that the malware’s use of trusted hosting services and its low detection rate make it particularly stealthy in the wild.
The operation appears to be financially motivated, although no specific threat actor has been attributed to the campaign. Its reliance on malicious advertising demonstrates a shift toward leveraging legitimate platforms for initial access, a technique that has proven effective in bypassing user trust and traditional URL filtering. The campaign’s focus on Russian‑speaking users suggests a tailored approach, possibly to maximize the value of harvested data in regional underground markets.
Defenders should treat any sponsored search result with caution, verifying the destination URL before downloading files and avoiding execution of batch scripts or executables from unverified sources. Enforcing application control policies that block the execution of files from temporary internet folders and restricting the use of Windows Script Host can reduce the risk of initial infection. Keeping endpoint protection solutions up to date and enabling behavior‑based detection mechanisms will help identify the loader’s atypical memory manipulation and DLL tampering.
Organizations should also monitor for unusual modifications to system DLLs, especially changes to the relocation section, and alert on outbound connections to newly observed domains or IP addresses associated with known file‑sharing services. Educating users about the dangers of clicking on advertisements in search results and encouraging the use of ad‑blocking browsers can further reduce exposure. By combining technical controls with user awareness, security teams can better defend against this evasive loader and its payload.
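The report's description of .reloc abuse, and its advice to watch for changes to the relocation section of DLLs, both come down to one property of the PE format: a base relocation section holds read-only, discardable fixup data and should never be executable, writable, or home to the entry point. The script below is an added example written for this page, not Elastic's tooling or the detection logic from its report; the four checks are heuristics assumed from that property, not indicators published for OXLOADER, and the minimal PE images it inspects are constructed in memory so the example runs offline.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, list of section headers) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    optional = coff + 20                                  # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, optional + 16)[0]
    table = optional + size_of_optional                   # IMAGE_SECTION_HEADER[]
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "chars": chars})
    return entry_rva, sections


def reloc_findings(data: bytes):
    """Heuristic checks (assumed, not from the report): .reloc should be
    read-only, discardable data that never contains the entry point.
    Returns a list of finding tags, empty for a normal image."""
    entry_rva, sections = parse_sections(data)
    findings = []
    for s in sections:
        if s["name"] != ".reloc":
            continue
        if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("reloc_executable")
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("reloc_writable")
        span = max(s["vsize"], s["rawsize"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + span:
            findings.append("entry_point_in_reloc")
        if not s["chars"] & IMAGE_SCN_MEM_DISCARDABLE:
            findings.append("reloc_not_discardable")
    return findings


def build_sample_pe(reloc_chars: int, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image (headers only) with .text and .reloc
    sections, used as sample input here; it is not a real binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    size_of_optional = 224                                # PE32 with 16 data directories
    coff = struct.pack("<HHIIIHH", 0x014C, 2, 0, 0, 0, size_of_optional, 0x0102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x010B)           # PE32 magic
    struct.pack_into("<I", optional, 16, entry_rva)       # AddressOfEntryPoint

    def section(name, vaddr, chars):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, 0x400,
                           0, 0, 0, 0, chars)

    text = section(b".text", 0x1000,
                   IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    reloc = section(b".reloc", 0x3000, reloc_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + text + reloc


# Flags a linker normally gives .reloc, and a tampered set (RWX, not discardable).
BENIGN_RELOC = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
TAMPERED_RELOC = (IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
                  | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)

if __name__ == "__main__":
    print("benign:  ", reloc_findings(build_sample_pe(BENIGN_RELOC, 0x1000)))
    print("tampered:", reloc_findings(build_sample_pe(TAMPERED_RELOC, 0x3010)))
```

Run against files on disk, `reloc_findings(open(path, "rb").read())` gives a cheap triage signal for a DLL whose relocation section has been repurposed; pairing it with a baseline of section hashes for system DLLs turns it into the "unusual modification" alert the text recommends, since a legitimate update changes the file hash without changing the section's permissions or moving the entry point into it.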