Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER.
According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the presence of explicit exclusions to prevent infecting machines located in the Commonwealth of Independent States (CIS) region. The campaign has been codenamed REF8372.
“The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode,” researchers Daniel Stepanic and Jia Yu Chan said in a technical breakdown.
The attack begins when unsuspecting users enter queries such as “lts version of node.js” on search engines like Google, redirecting them to a fake website (“node-js[.]prentiva99[.]info”) surfaced via bogus ads published under the verified name “ВОЛОДИМИР ТЕРЕЩЕНКО” that’s purportedly based in Ukraine.
It’s currently unknown if the advertiser account is linked to the actual threat actor, or if it’s a front account or a purchased identity. The advertiser account, along with its ad campaigns, was removed from Google on May 14, 2026.
Users who end up interacting with the site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. The abuse of Storj once again illustrates how threat actors continue to leverage legitimate services to evade domain-based reputation filters.
Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt.
The attack then employs DLL side-loading to launch a rogue DLL, which then proceeds to decrypt and execute the CastleStealer payload. OXLOADER also makes use of techniques like control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) to evade static detection, while also taking steps to ensure it’s not run on sandboxed environments.
CastleStealer is a .NET information stealer that was recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool as part of a campaign codenamed BackgroundFix. CastleLoader is attributed to a threat activity cluster known as GrayBravo.
“OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching,” Elastic said. “The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis.”
“That investment is paying off, resulting in low detection rates across static engines and detonation runs, giving OXLOADER a window to operate before it gets hunted down.”
