Cybercriminals have launched a deceptive campaign using fake Google Ads to spread a new malware loader, camouflaged as the well-known Node.js installer. This attack specifically targets Windows users in the United States, aiming to surreptitiously install an infostealer on their systems with a single click on what seems to be a legitimate advertisement.
Exploiting Trust in Online Search
This malicious operation exploits the common practice of searching for software online and trusting the top search results. Attackers crafted a landing page that convincingly mimics the official Node.js site. Upon clicking the ad, users are redirected through an intermediary site to download a harmful Windows batch script hosted on a reputable cloud file-sharing platform, which makes the download harder for security tools to flag.
Elastic Security Labs discovered this campaign, which had already targeted one of their customers. The malware loader, now named OXLOADER, had previously gone undocumented and proved difficult for antivirus tools and sandbox environments to detect.
Details of the Malicious Campaign
Operating through Google Ads, the campaign's advertiser account was registered with a verified name linked to Ukraine. The ads ran until late April 2026; Google had removed the advertiser and the related ads by mid-May 2026. The attack's stealthy execution on trusted platforms without raising security alerts is particularly alarming.
The final payload, an infostealer called CASTLESTEALER, is .NET-based malware capable of extracting sensitive information from compromised systems. Security teams are advised to scrutinize sponsored search results, ensure endpoint behavioral detection is active, and obtain all software downloads directly from official vendor websites.
OXLOADER’s Sophisticated Evasion Techniques
OXLOADER incorporates advanced evasion methods, conducting multiple checks to ensure it is not operating within a sandbox or virtual environment. These checks include verifying CPU cores, physical RAM, display refresh rates, and geographic or language settings.
The malware uses obfuscation tactics to hinder standard binary analysis, concealing malicious code in unconventional locations within the Windows operating system. The payload, CASTLESTEALER, is delivered entirely in memory using DonutLoader, an open-source shellcode generator, leaving minimal trace on disk.
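As an added example (not Elastic's detection logic and not taken from the report), the following Python flags the delivery step described above, a browser handing off to cmd.exe to run a batch script from the user's Downloads folder, which is the kind of endpoint behavioral check the advice above calls for. The event shape and the sample records are constructed for illustration.

```python
"""Flag browser-spawned batch scripts run from a Downloads folder.

Constructed example: ProcessEvent is a simplified Sysmon-style
process-creation record, not a real EDR schema.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"cmd.exe"}
# First .bat/.cmd argument, quoted (group 1) or bare (group 2).
SCRIPT_RE = re.compile(r'"([^"]+\.(?:bat|cmd))"|(\S+\.(?:bat|cmd))', re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()   # ntpath handles backslashes on any OS


def _script_path(cmdline: str) -> Optional[str]:
    m = SCRIPT_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def _in_downloads(path: str) -> bool:
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return "users" in parts and "downloads" in parts


def is_suspicious(ev: ProcessEvent) -> bool:
    """True when a browser launched cmd.exe on a .bat/.cmd under Downloads."""
    if _basename(ev.image) not in SHELLS or _basename(ev.parent_image) not in BROWSERS:
        return False
    script = _script_path(ev.command_line)
    return script is not None and _in_downloads(script)


def scan(events: List[ProcessEvent]) -> List[ProcessEvent]:
    return [ev for ev in events if is_suspicious(ev)]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c "C:\Users\alice\Downloads\node-setup.bat"',
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c C:\Users\alice\Downloads\installer.cmd",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "C:\Projects\build\build.bat"',   # benign: explorer parent
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_EVENTS):
        print("ALERT browser-launched batch script from Downloads:", ev.command_line)
```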
Conclusion and Future Precautions
This campaign underscores the necessity for heightened vigilance when interacting with online ads and downloading software. Security professionals must remain alert to such sophisticated threats that exploit trusted platforms and employ advanced evasion techniques. Continuing to enhance detection technologies and user awareness will be critical in countering similar cyber threats in the future.
