
Hackers Impersonate Node.js Installer in Google Ads to Deploy Infostealer Malware

Source: Cybersecurity News, archived Jun 22, 2026

By Tushar Subhra Dutta, June 22, 2026

Hackers are using fake Google Ads to push a brand-new malware loader that disguises itself as the popular Node.js installer. The campaign has been actively targeting Windows users in the United States, silently dropping a dangerous infostealer onto their machines after just a single click on what appears to be a legitimate sponsored search result.

The attack takes advantage of something millions of people do every day: searching for software online and trusting the top results. In this case, threat actors set up a malicious landing page built to look like an official Node.js platform. When a victim clicked the sponsored ad, they were quietly redirected through an intermediary domain to download a malicious Windows batch script hosted on a legitimate cloud file-sharing service, making it much harder for security tools to flag it.

Researchers at Elastic Security Labs identified this active campaign and confirmed it was targeting one of their own customers. Elastic Security Labs said in a report shared with Cyber Security News (CSN) that the loader, now tracked as OXLOADER, had not been publicly documented before and was operating with remarkably low detection rates across both static antivirus engines and automated sandbox environments.

The campaign ran through Google Ads, and the malicious advertiser account was registered under a verified name linked to Ukraine. The ad last appeared on April 23, 2026, and by May 14, 2026, Google had removed the advertiser and all associated campaigns entirely. What makes this attack particularly concerning is how seamlessly the threat actor blended into trusted platforms to deliver their payload without raising alarms.
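The chain above (sponsored ad, lookalike landing page, intermediary redirector, batch script fetched from a cloud storage host) leaves a recognisable sequence in web proxy logs. The following Python hunt is an added example written for this page, not tooling from the article or from Elastic. It matches hosts against the domains and C2 addresses published in the article's IoC table, re-fanging them only inside the tool, and additionally flags a successful `.bat` download by any client that touched one of those indicators shortly before. The log format, the 120-second pivot window, the client addresses and the storage hostname are assumptions; the indicator values and the Bild0erSetup.bat filename come from the article.

```python
"""Hunt proxy logs for the malvertising chain: IoC contact, then a .bat download.

Added example, not tooling from the article or Elastic. Assumes a simple
space-separated proxy log: <ISO timestamp> <client_ip> <host> <path> <status>.
IoC values are the ones published in the article and stay defanged on disk;
they are re-fanged only inside this tool.
"""
import re
from datetime import datetime, timedelta

IOC_DOMAINS = {"nodejs-preventive[.]info", "app[.]miloyannopoulos[.]com"}
IOC_IPS = {"52[.]78[.]2[.]74", "52[.]78[.]77[.]48"}


def refang(value: str) -> str:
    """Restore '[.]' to '.' so the indicator can be compared with live log data."""
    return value.replace("[.]", ".")


# Re-fanged copies used only for matching; never written back to disk or reports.
IOC_HOSTS = {refang(v) for v in IOC_DOMAINS | IOC_IPS}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str):
    """Parse one proxy log line into a dict, or return None for malformed lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host.lower(), "path": path, "status": int(status)}


def hunt(lines, window: timedelta = timedelta(seconds=120)):
    """Return (kind, client, detail) findings.

    kind is 'ioc_match' for any contact with a published domain/IP, or
    'bat_after_malvertising' for a successful .bat download by a client that
    touched an IoC within `window` (the assumed pivot from landing page to
    cloud-hosted batch script). The window is an assumption, not from the article.
    """
    findings = []
    last_ioc_contact = {}  # client -> timestamp of its most recent IoC contact
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["host"] in IOC_HOSTS:
            findings.append(("ioc_match", ev["client"], ev["host"]))
            last_ioc_contact[ev["client"]] = ev["ts"]
            continue
        if ev["status"] == 200 and ev["path"].lower().endswith(".bat"):
            seen = last_ioc_contact.get(ev["client"])
            if seen is not None and timedelta(0) <= ev["ts"] - seen <= window:
                findings.append(("bat_after_malvertising", ev["client"],
                                 ev["host"] + ev["path"]))
    return findings


# Constructed sample log: the storage host and client addresses are made up;
# the domains, C2 IP and Bild0erSetup.bat filename come from the article's IoC table.
SAMPLE_LOG = """\
2026-04-20T10:00:01 10.1.2.3 www.google.com /search 200
2026-04-20T10:00:05 10.1.2.3 nodejs-preventive.info / 200
2026-04-20T10:00:07 10.1.2.3 app.miloyannopoulos.com /go 302
2026-04-20T10:00:09 10.1.2.3 link.example-storage.invalid /s/abc/Bild0erSetup.bat 200
2026-04-20T10:00:40 10.1.2.3 52.78.2.74 /api 200
2026-04-20T10:03:00 10.1.2.9 nodejs.org /dist/v20.7.0/node-v20.7.0-x64.msi 200
2026-04-20T10:05:00 10.1.2.9 files.example.invalid /tools/cleanup.bat 200
""".splitlines()

if __name__ == "__main__":
    for kind, client, detail in hunt(SAMPLE_LOG):
        print(f"{kind:24} {client:10} {detail}")
```

On the constructed log the second client's `.bat` download is not reported because it never touched an indicator, which is the point of keying the second rule on prior IoC contact rather than on batch downloads alone: a bare "any .bat from the internet" rule is noisy in most environments, while the sequence is specific to this lure.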
[Figure: Advertiser’s profile on Google Ads Transparency Center (Source – Elastic)]

The final payload delivered through this chain is an infostealer called CASTLESTEALER, a .NET-based malware capable of harvesting sensitive data from infected systems. Security teams should treat sponsored search results for developer tools with extra scrutiny, ensure endpoint behavioral detection is active rather than just set to monitor mode, and always verify software downloads directly against official vendor websites.

Hackers Impersonate Node.js Installer in Google Ads

The infection chain begins when a user searches for the Node.js installer and clicks a sponsored result. That click sends the victim to a fake landing page built to mimic the real Node.js environment.

[Figure: Batch script downloading and launching OXLOADER (Source – Elastic)]

From there, a redirect through an intermediary domain delivers a batch script hosted on Storj, a legitimate cloud storage service the threat actors deliberately abused to bypass reputation-based filtering. The batch script goes a step further by displaying a convincing fake software installation wizard, giving the victim no reason to suspect anything is wrong. Behind that interface, it silently downloads the next-stage executable using PowerShell and triggers a Windows User Account Control prompt to gain elevated system access. The entire experience is designed to feel like a routine software install.

[Figure: Elastic Defend alerts triggered upon script execution (Source – Elastic)]

A second variant of OXLOADER was discovered on May 13, 2026, this time masquerading as a Node.js installer binary rather than as API Monitor (the lure used by the first sample), though the underlying loader mechanism was identical. Researchers noted that the file retained the word “node” in its filename, likely to maintain the lure theme the campaign relied on throughout.

How OXLOADER Evades Detection

OXLOADER is built with evasion as a core feature.
Before executing anything meaningful, it runs five separate checks to confirm it is not running inside a sandbox or virtual machine.

[Figure: Infection chain execution graph (Source – Elastic)]

These include checking for at least three CPU cores, at least 3 GB of physical RAM, and a display refresh rate above 20 Hz, and verifying that the system is neither located in a CIS region nor configured for the Russian language.

The loader also uses sophisticated obfuscation techniques that break standard binary analysis tools, making reverse engineering slow and difficult. It hides malicious code inside the .reloc section of the Windows PE file, a space legitimate programs never use for executable instructions, and unpacks itself in memory using self-modifying decryption routines. The final payload, CASTLESTEALER, is then delivered entirely in memory using an open-source shellcode generator called DonutLoader, leaving almost no trace on disk.

Indicators of Compromise (IoCs):

Type     Indicator                                                          Description
Domain   nodejs-preventive[.]info                                           Malvertising landing page
Domain   app[.]miloyannopoulos[.]com                                        Malvertising redirector
SHA-256  fdfc9780b3c67acac3ca1acfdc9a890dcfee2d5d58fbcef8eac3fc80aa1cf2b3   OXLOADER downloader and launcher (Bild0erSetup.bat)
SHA-256  de2b7c7a9e7c006e7ca990e77e7dff9b8b73aa9e9e24b98a7f88d3b3fff7c2b3   OXLOADER downloader and launcher (Bild0erSetup.bat variant)
SHA-256  ca99a9fd118f8a99a9bc99ca9bb9cdfc7cd3b3db9fbcd3fecd3fecd7fe9f0f6f   apimonitor-x64.exe (OXLOADER)
SHA-256  ce8f8dcb3ca9e9190fd7818f1e7ab87b9fc8f8e7fc88fee8fcc8f8e7fc88fee8   node-v20.7.0-x64.exe (OXLOADER)
SHA-256  9a67a98fdc9e8e6e7886e9c0e8c668b87c0b66e8f07c8e1f7e89f7c8ca7e8cc8   CASTLESTEALER
IPv4     52[.]78[.]2[.]74                                                   CASTLESTEALER C2
IPv4     52[.]78[.]77[.]48                                                  CASTLESTEALER C2

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
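The .reloc trick described above gives a static triage team something concrete to look for: relocation tables are plain data, so a .reloc section that is marked executable, that contains the entry point, or whose bytes look encrypted is worth a second look. The following Python script is an added example written for this page, not Elastic's detection logic and not derived from the OXLOADER sample; it parses the PE section table without third-party libraries and applies those three heuristics. The build_sample_pe() fixture generator, the 7.0 entropy threshold and the fixture layouts are assumptions made for the example.

```python
"""Flag PE files whose .reloc section looks like it carries code.

Added example (not tooling from the article or Elastic): a minimal PE
section-table parser with three heuristics motivated by the OXLOADER
write-up: a .reloc section marked executable, an entry point that lands
inside .reloc, and .reloc data whose entropy looks packed or encrypted.
build_sample_pe() constructs the fixture images; the entropy threshold and
the fixture layout are assumptions, not measurements of the real sample.
"""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
ENTROPY_THRESHOLD = 7.0  # assumption: genuine relocation tables sit far below this
FILE_ALIGN = 0x200
SECTION_ALIGN = 0x1000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Return (entry_point_rva, sections) from a PE image read into memory."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    table = opt + size_opt                                   # IMAGE_SECTION_HEADER[]
    sections = []
    for i in range(num_sections):
        (name, vsize, va, rawsize, rawptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "chars": chars,
                         "data": pe[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def check_reloc(pe: bytes):
    """Return heuristic findings for the .reloc section; an empty list means nothing odd."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        if s["name"] != ".reloc":
            continue
        if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("reloc_executable")
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], len(s["data"])):
            findings.append("entry_point_in_reloc")
        if shannon_entropy(s["data"]) > ENTROPY_THRESHOLD:
            findings.append("reloc_high_entropy")
    return findings


def build_sample_pe(sections, entry_rva: int) -> bytes:
    """Construct a minimal PE32+ image for testing (a fixture, not a runnable binary).

    sections: list of (name, characteristics, raw_bytes); RVAs are assigned
    page by page starting at 0x1000.
    """
    e_lfanew = 0x40
    size_opt = 240                                           # PE32+ optional header size
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, size_opt, 0x22)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 14 + struct.pack("<I", entry_rva)).ljust(size_opt, b"\0")
    header_len = len(dos) + 4 + len(coff) + size_opt + 40 * len(sections)
    first_raw = -(-header_len // FILE_ALIGN) * FILE_ALIGN
    table, bodies, va = b"", b"", SECTION_ALIGN
    for name, chars, raw in sections:
        rawsize = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), va,
                             rawsize, first_raw + len(bodies), 0, 0, 0, 0, chars)
        bodies += raw.ljust(rawsize, b"\0")
        va += max(1, -(-len(raw) // SECTION_ALIGN)) * SECTION_ALIGN
    header = (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0")
    return header + bodies


# Constructed fixtures: a benign layout and one showing the traits the article describes.
TEXT = (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, b"\xC3" * 16)
BENIGN_RELOC = struct.pack("<II", 0x1000, 12) + struct.pack("<HH", 0xA010, 0xA020)  # one relocation block
BENIGN_PE = build_sample_pe([TEXT, (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, BENIGN_RELOC)], entry_rva=0x1000)
SUSPICIOUS_PE = build_sample_pe([TEXT, (".reloc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE, bytes(range(256)) * 2)], entry_rva=0x2000)

if __name__ == "__main__":
    print("benign:    ", check_reloc(BENIGN_PE))
    print("suspicious:", check_reloc(SUSPICIOUS_PE))
```

To triage a real file, read it with `open(path, "rb").read()` and pass the bytes to check_reloc(). The entropy heuristic is the weakest of the three: relocation-heavy binaries stay far below 7.0, but a section that has merely been compressed by a legitimate packer will also score high, so treat that finding as a reason to look, not as a verdict.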