New OXLOADER Malware Delivered Through Fake Google Ads

Elastic Security Labs has uncovered a new malware campaign — codenamed REF8372 — that uses malicious Google Ads to deliver a previously unseen loader called OXLOADER, which then installs the CastleStealer information stealer on victim machines.

It starts with a search query. Users searching for things like “lts version of node.js” on Google are served a bogus ad under the verified name of a Ukrainian individual, redirecting them to a fake website. From there, users download a batch script hosted on Storj, a decentralized cloud storage platform — a tactic that helps attackers bypass domain reputation filters.

The batch script displays a fake installation wizard while silently downloading OXLOADER via PowerShell. The malware uses DLL side-loading, in which a legitimate executable loads a rogue DLL placed beside it, and that DLL then decrypts and executes the CastleStealer payload. Heavy obfuscation, including control-flow flattening, Mixed Boolean-Arithmetic (MBA) expressions and self-modifying decryption stubs, helps it evade static detection.

OXLOADER explicitly avoids infecting machines in the Commonwealth of Independent States (CIS), suggesting a Russian-speaking operator. It abuses the PE file's .reloc section, which normally holds only the base relocation table, to stage shellcode. Low detection rates across antivirus engines show these techniques are working.
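The report says OXLOADER stages shellcode in the .reloc section. One triage check a practitioner can run over a suspect binary, as an added example (my own heuristic, not Elastic's detection logic and not OXLOADER's code): compare the .reloc section's raw size and flags against the base-relocation data directory, since in an ordinary linker-produced binary that section holds little more than the relocation table and is never executable. The two PE32+ images below are constructed inside the script with header-only content so the check runs offline; the offsets follow the PE/COFF format, and the threshold (one FileAlignment unit of slack) is my choice.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
BASE_RELOC_DIR_INDEX = 5  # IMAGE_DIRECTORY_ENTRY_BASERELOC


def parse_pe_headers(data):
    """Minimal PE header walk: (file_alignment, reloc_dir_rva, reloc_dir_size, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    file_alignment = struct.unpack_from("<I", data, opt + 36)[0]  # same offset in PE32 and PE32+
    dd_off = opt + (112 if magic == 0x20B else 96)                 # start of DataDirectory
    reloc_rva, reloc_size = struct.unpack_from("<II", data, dd_off + BASE_RELOC_DIR_INDEX * 8)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return file_alignment, reloc_rva, reloc_size, sections


def reloc_anomalies(data):
    """Triage heuristic (mine, not Elastic's): does .reloc look like a payload container?"""
    file_alignment, reloc_rva, reloc_size, sections = parse_pe_headers(data)
    findings = []
    for s in sections:
        if s["name"] != ".reloc":
            continue
        if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("reloc_executable")
        if s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("reloc_writable")
        if reloc_size == 0:
            findings.append("reloc_section_without_directory")
        elif not (s["vaddr"] <= reloc_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])):
            findings.append("reloc_directory_outside_section")
        # SizeOfRawData is padded to FileAlignment; allow one unit of slack beyond the table size.
        if s["rawsize"] > reloc_size + file_alignment:
            findings.append("reloc_oversized")
    return findings


def build_pe(sections, reloc_dir, file_alignment=0x200):
    """Constructed header-only PE32+ image for testing; not derived from any real sample.
    sections: list of (name, raw_size, characteristics); reloc_dir: (rva, size)."""
    nsec, opt_size = len(sections), 240
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, nsec, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                        # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)                      # SectionAlignment
    struct.pack_into("<I", opt, 36, file_alignment)              # FileAlignment
    struct.pack_into("<I", opt, 108, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + BASE_RELOC_DIR_INDEX * 8, *reloc_dir)
    hdr_end = 64 + 4 + 20 + opt_size + 40 * nsec
    raw_ptr = (hdr_end + file_alignment - 1) // file_alignment * file_alignment
    first_raw, rva, hdrs, body = raw_ptr, 0x1000, b"", b""
    for name, rawsize, chars in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                            rawsize, rva, rawsize, raw_ptr, 0, 0, 0, 0, chars)
        body += b"\0" * rawsize
        raw_ptr += rawsize
        rva = (rva + rawsize + 0xFFF) // 0x1000 * 0x1000
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return head.ljust(first_raw, b"\0") + body


# Constructed samples. .text lands at RVA 0x1000 and .reloc at RVA 0x2000 in both.
# Benign: .reloc is 0x200 bytes of read-only initialized data holding a 0x1C0-byte table.
BENIGN_PE = build_pe([(".text", 0x1000, 0x60000020), (".reloc", 0x200, 0x42000040)],
                     reloc_dir=(0x2000, 0x1C0))
# Stash: same 0x1C0-byte table, but the section is 32 KiB and marked executable.
STASH_PE = build_pe([(".text", 0x1000, 0x60000020), (".reloc", 0x8000, 0x62000040)],
                    reloc_dir=(0x2000, 0x1C0))

if __name__ == "__main__":
    print("benign:", reloc_anomalies(BENIGN_PE))
    print("stash: ", reloc_anomalies(STASH_PE))
```

Packers, protectors and some game anti-cheat binaries also ship odd .reloc sections, so treat a hit as a reason to look at the section's bytes (entropy, references from code), not as a verdict.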

CastleStealer is a .NET-based info stealer recently linked to campaigns distributed through a ClickFix-style lure. The broader CastleLoader ecosystem has been attributed to a cluster called GrayBravo.

OXLOADER appears to be in early operation, but Elastic says the engineering quality makes it worth watching closely.
