Thehackernews
OXLOADER Malware Loader Delivers CASTLESTEALER via Malicious Google Ads
A new Windows loader named OXLOADER is delivering the CASTLESTEALER infostealer through malicious Google Ads. The previously undocumented malware relies on heavy obfuscation and abuses the Windows PE .reloc section to evade detection. Victims searching for Node.js were redirected to a fake landing page that led to a batch script hosted on Storj, which in turn executed OXLOADER. The threat actor is believed to be a financially motivated Russian-speaking group, and the campaign targets users in the CIS region. Google removed the malicious ads on May 14, 2026, but the threat remains active. The loader performs multiple anti-VM checks and uses code-hiding techniques to avoid detection by security tools.
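The summary states that OXLOADER abuses the .reloc section but does not say how. The Python below is an added example, not code from the article or from any analysis of the sample: it applies generic PE header heuristics a defender can use to flag a .reloc section that looks like more than relocation data. The headers-only PE image, the section flags and the size threshold (4x the base-relocation directory size) are constructed assumptions, not documented OXLOADER indicators.

```python
import struct

EXEC_FLAGS = 0x20000020     # IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_pe(reloc_chars, entry_rva, reloc_dir_size):
    """Constructed headers-only PE32 with one .reloc section (not a real sample)."""
    dos = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\x00")
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                        # PE32 optional header, 16 data dirs
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 5 * 8, 0x2000, reloc_dir_size)  # base reloc dir
    sec = struct.pack(SECTION_FMT, b".reloc", 0x1000, 0x2000, 0x200, 0x400, 0, 0, 0, 0, reloc_chars)
    return dos + coff + bytes(opt) + sec

def reloc_anomalies(pe):
    """Return heuristic findings about the .reloc section of a PE image (headers only)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    entry = struct.unpack_from("<I", pe, opt + 16)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)   # PE32 vs PE32+ data directory start
    dir_size = struct.unpack_from("<II", pe, dir_off + 5 * 8)[1]  # index 5 = base relocations
    findings = []
    for i in range(nsec):
        name, vsize, va, rawsize, *_, chars = struct.unpack_from(SECTION_FMT, pe, opt + opt_size + i * 40)
        if name.rstrip(b"\x00") != b".reloc":
            continue
        end = va + max(vsize, rawsize)
        if chars & EXEC_FLAGS:
            findings.append("reloc_marked_executable")       # relocations are data, never code
        if va <= entry < end:
            findings.append("entry_point_in_reloc")          # execution should not start in .reloc
        if dir_size and rawsize > 4 * dir_size:
            findings.append("reloc_oversized_vs_directory")  # bytes the OS loader never parses
    return findings

if __name__ == "__main__":
    suspicious = build_sample_pe(0x60000040, 0x2010, 0x10)   # executable .reloc holding the entry point
    benign = build_sample_pe(0x42000040, 0x1000, 0x200)      # read-only, discardable, sized to its directory
    print("suspicious:", reloc_anomalies(suspicious))
    print("benign:", reloc_anomalies(benign))
```

Any single finding is a triage signal, not a verdict; packed or unusual linkers can trip the size heuristic, so correlate it with the other two and with the sample's origin.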
Key Points:
• OXLOADER uses advanced obfuscation and evasion techniques to deliver CASTLESTEALER.
• The malware is distributed through malicious Google Ads impersonating legitimate software.
• Victims are primarily targeted in the CIS region by a Russian-speaking threat actor.