OXLOADER: New Windows Loader Drops CASTLESTEALER via Google Ads
- New Loader: Elastic Security Labs uncovered OXLOADER, a previously undocumented Windows loader delivering the CASTLESTEALER infostealer.
- Malvertising Vector: OXLOADER spreads via malicious Google Ads impersonating Node.js, with low detection across static engines and sandboxes.
- Likely Operator: CIS-region and Russian-language exclusions point to a financially motivated, Russian-speaking threat actor.
OXLOADER, a previously undocumented Windows loader, is delivering the CASTLESTEALER infostealer via Google Ads. It evades static detection through abuse of the Windows .reloc section, five anti-VM and language checks, and MBA obfuscation. Researchers say CIS-region exclusions point to a financially motivated, Russian-speaking threat actor.
How OXLOADER Delivers CASTLESTEALER
OXLOADER reaches victims through malvertising via Google Ads. The same malware has also been delivered under the guise of a Node.js installer and of API Monitor. Elastic Security Labs researchers are tracking the activity as REF8372.
For instance, targets searching for an LTS version of Node.js clicked a sponsored result leading to a fake landing page, then a Storj-hosted batch script that downloaded and launched the loader with a UAC elevation prompt.
The loader leans on heavy obfuscation to evade static detection, including control-flow flattening (CFF), Mixed Boolean-Arithmetic (MBA), and opaque predicates. It runs five environment checks before proceeding:
- an emulation test via WNetAddConnection2W,
- a CPU count threshold,
- a RAM check,
- a display refresh rate check,
- geographic exclusions for CIS GEOIDs and a Russian language check.
Staging Techniques and Detection
For staging, OXLOADER abuses the Windows .reloc section to host shellcode and copies the DLL to a randomly named .ocx file. The next stage is built with DonutLoader, which wraps the CASTLESTEALER infostealer (which Huntress recently discovered) as position-independent code (PIC) for in-memory execution.
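The .reloc abuse above gives defenders a cheap static triage point: a legitimate .reloc section is a sequence of IMAGE_BASE_RELOCATION blocks (page RVA, block size, 2-byte entries whose top nibble is a relocation type), is never marked executable, and has low entropy. The script below is an added example written for this article, not Elastic's or Huntress's tooling, and assumes nothing about OXLOADER's real bytes: it parses the PE section table with the standard library, then flags a .reloc section that is marked executable, has high entropy, or does not walk cleanly as relocation blocks. The two PE images it builds are constructed in-code as stand-ins (a tidy relocation table versus an opaque payload), not samples from the campaign.

```python
"""Triage helper: flag PE files whose .reloc section looks like it holds code.

Added example for this article; constructed samples, not real malware bytes.
"""
from __future__ import annotations
import math
import struct
from collections import Counter
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
RELOC_NORMAL_CHARS = 0x42000040   # INITIALIZED_DATA | DISCARDABLE | READ (typical .reloc)
FILE_ALIGN = 0x200


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int
    characteristics: int


def parse_sections(data: bytes) -> list[Section]:
    """Read the COFF section table straight from the PE headers (no pefile needed)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, rsize, rptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, vaddr, rsize, rptr, chars))
    return sections


def shannon_entropy(buf: bytes) -> float:
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def reloc_blocks_parse_cleanly(raw: bytes) -> bool:
    """Walk IMAGE_BASE_RELOCATION blocks; only zero padding may follow the last one."""
    pos = 0
    while pos + 8 <= len(raw):
        page_rva, block_size = struct.unpack_from("<II", raw, pos)
        if page_rva == 0 and block_size == 0:
            return not any(raw[pos:])
        if block_size < 8 or block_size % 2 or pos + block_size > len(raw):
            return False
        for off in range(pos + 8, pos + block_size, 2):
            if struct.unpack_from("<H", raw, off)[0] >> 12 > 10:   # IMAGE_REL_BASED_* types are 0..10
                return False
        pos += block_size
    return not any(raw[pos:])


def triage_reloc(data: bytes) -> dict:
    """Return findings for the .reloc section; 'suspicious' is True if any check fires."""
    reloc = next((s for s in parse_sections(data) if s.name == ".reloc"), None)
    if reloc is None:
        return {"has_reloc": False, "suspicious": False, "reasons": []}
    raw = data[reloc.raw_ptr:reloc.raw_ptr + reloc.raw_size]
    reasons = []
    if reloc.characteristics & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
        reasons.append("section marked executable/code")
    ent = shannon_entropy(raw)
    if ent > 7.0:
        reasons.append(f"high entropy ({ent:.2f} bits/byte)")
    if not reloc_blocks_parse_cleanly(raw):
        reasons.append("contents do not parse as base relocation blocks")
    return {"has_reloc": True, "suspicious": bool(reasons), "entropy": ent, "reasons": reasons}


# --- constructed samples (hypothetical layouts, not bytes from the campaign) ---
def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_pe(sections: list[tuple[str, bytes, int]]) -> bytes:
    """Build a minimal PE32+ image with the given (name, raw bytes, characteristics) sections."""
    opt = struct.pack("<H", 0x20B) + b"\0" * 238            # optional header, zeroed except Magic
    raw_ptr = _align(0x40 + 4 + 20 + len(opt) + 40 * len(sections), FILE_ALIGN)
    table, blobs, vaddr = b"", b"", 0x1000
    for name, raw, chars in sections:
        padded = raw + b"\0" * (_align(len(raw), FILE_ALIGN) - len(raw))
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), vaddr,
                             len(padded), raw_ptr + len(blobs), 0, 0, 0, 0, chars)
        blobs += padded
        vaddr += _align(len(raw), 0x1000)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x2022)
    image = dos + b"PE\0\0" + coff + opt + table
    return image + b"\0" * (raw_ptr - len(image)) + blobs


TEXT_STUB = b"\0" * 16                                         # placeholder, not real code
BENIGN_RELOC = (struct.pack("<II", 0x1000, 16) + struct.pack("<HHHH", 0xA010, 0xA018, 0xA020, 0)
                + struct.pack("<II", 0x2000, 12) + struct.pack("<HH", 0xA008, 0))
PAYLOAD_STANDIN = bytes((i * 97 + 13) & 0xFF for i in range(1024))   # opaque, uniform-entropy filler


def benign_sample() -> bytes:
    return build_pe([(".text", TEXT_STUB, 0x60000020), (".reloc", BENIGN_RELOC, RELOC_NORMAL_CHARS)])


def abused_sample(executable: bool = True) -> bytes:
    chars = RELOC_NORMAL_CHARS | (IMAGE_SCN_MEM_EXECUTE if executable else 0)
    return build_pe([(".text", TEXT_STUB, 0x60000020), (".reloc", PAYLOAD_STANDIN, chars)])


if __name__ == "__main__":
    for label, img in (("benign", benign_sample()), ("abused", abused_sample()), ("abused-noexec", abused_sample(False))):
        print(label, triage_reloc(img))
```

The relocation-block walk matters more than the characteristics check: a loader that reads the section's bytes itself and maps them with its own allocation never needs the executable flag, so the third sample (payload in a normally flagged .reloc) is still caught by the entropy and parse checks. Packed or otherwise unusual binaries can trip the entropy check on their own, so treat a hit as a triage lead for sandboxing rather than a verdict.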
Last week, malicious Steam Workshop wallpapers were seen hijacking accounts via Wallpaper Engine to distribute DarkKomet, Lumma, Vidar, and RenEngine.
Early this month, an RAlord affiliate was reportedly banned for breaking CIS ransomware rules after infecting Eriell Group. May reports outlined that threat actors leveraged Google Ads and Claude.ai shared chats to distribute Mac malware.