Researchers at Elastic Security Labs have published a technical analysis of a previously unknown malware loader, OXLOADER, which is used to deliver the CastleStealer infostealer via malicious Google advertising. The campaign, designated as REF8372, targets Windows users searching for popular software — in particular, Node.js. The loader uses advanced obfuscation and detection-evasion techniques, resulting in a low detection rate by antivirus engines. Organizations and individual users should check their systems for the published indicators of compromise and tighten controls over downloads initiated from search advertising.
Attack chain: from search ads to data theft
According to the researchers, the attack starts with malicious Google ads. Users who enter search queries such as “lts version of node.js” are redirected to a fake site, node-js[.]prentiva99[.]info, which imitates a legitimate resource. The ad campaigns were run through a verified advertiser account, but it remains unclear whether this account belonged directly to the attackers or was compromised or purchased. It is reported that Google removed the advertiser account and associated campaigns on May 14, 2026, although there is no official confirmation from Google in public sources.
When interacting with the fake site, the victim is served a batch script hosted on the Storj platform — an open-source decentralized cloud storage service. Using a legitimate service helps bypass domain reputation filters. The script displays a fake installation wizard interface while covertly downloading, via PowerShell, the OXLOADER executable from the same Storj hosting and launching it with the -Verb RunAs parameter, which triggers a Windows UAC privilege escalation prompt.
Next, OXLOADER uses DLL side-loading to launch a malicious library that decrypts and executes the final payload — the CastleStealer infostealer.
Technical characteristics of OXLOADER
The loader demonstrates a significant level of engineering sophistication. According to the researchers, OXLOADER employs several layers of obfuscation:
- Control-flow flattening (CFF) — makes static analysis of program logic more difficult
- Opaque predicates — insertion of bogus conditional branches to complicate decompilation
- Mixed Boolean-Arithmetic (MBA) obfuscation — masking computations
- Self-modifying decryption stubs — dynamic modification of code during execution
- Abuse of the .reloc section of Windows PE files to store shellcode
In addition to obfuscation, OXLOADER includes mechanisms for detecting sandboxes and virtual machines, which hinders automated analysis in isolated environments. Elastic Security Labs assesses that the loader is in an early stage of use, but already shows low detection rates both by static engines and under dynamic analysis.
CastleStealer is an infostealer written in .NET. It was previously distributed together with the CastleLoader loader as part of a campaign designated BackgroundFix, which used ClickFix-style lures disguised as a free graphics editor.
Indicators of compromise
Based on the published data, the following IOCs are available:
- Domain: node-js[.]prentiva99[.]info
- SHA-256 hash of the OXLOADER executable: 9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d (entry on VirusTotal)
Threat context and attribution
According to Elastic Security Labs, the malware contains explicit exclusions that prevent infection of machines in the Commonwealth of Independent States (CIS) region. This indirectly points to financial motivation on the part of the operators and their possible origin from the Russian-speaking space; however, this attribution remains preliminary and is not confirmed by independent sources. The identity of the advertiser whose account was used for the malicious ads has also not been established — the account may have been a front or purchased.
The REF8372 campaign fits into a persistent trend of abusing advertising platforms to distribute malware (malvertising). The use of Storj as payload hosting is another example of exploiting legitimate cloud services to bypass domain reputation–based defenses.
Impact assessment
The highest risk is faced by developers and system administrators who regularly download development tools via search engines. The CastleStealer infostealer can steal credentials, session tokens, and other sensitive information, creating risks both for individual users and for corporate environments — especially when workstations with access to internal resources are compromised.
Defense recommendations
- Check network logs for connections to the domain node-js[.]prentiva99[.]info and to Storj hosts with unusual download patterns
- Add the published hash to detection rules in EDR solutions and SIEM
- Monitor the execution of PowerShell with the -Verb RunAs parameter — this is an atypical method of privilege escalation for legitimate software
- Monitor DLL side-loading events: loading of non-standard DLLs from temporary directories by legitimate executables
- Limit software downloads from ad links in search engines — use only official project websites (for Node.js, nodejs.org)
- Consider blocking ad results in corporate browsers via group policies or extensions
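As an added illustration of the monitoring points above (example code written for this summary, not from the Elastic report), the Python below runs the PowerShell -Verb RunAs, temp-directory DLL load, IOC domain and IOC hash checks over a handful of constructed process, image-load, DNS and file events. The simplified Sysmon-like event shape, field names and file paths are assumptions; the domain and hash are the ones published above.

```python
import re
# Published IOCs from the Elastic report (domain kept defanged as published)
IOC_DOMAINS = {"node-js[.]prentiva99[.]info"}
IOC_SHA256 = {"9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"
# Constructed sample events in a simplified Sysmon-like shape (field names are assumptions)
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": f'powershell -Command "Start-Process {TMP}\\setup.exe -Verb RunAs"'},
    {"event": "process_create", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"event": "image_load", "image": f"{TMP}\\setup.exe", "loaded": f"{TMP}\\version.dll"},
    {"event": "image_load", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll"},
    {"event": "dns_query", "image": PS, "query": "node-js.prentiva99.info"},
    {"event": "file_create", "path": f"{TMP}\\node-setup.exe",
     "sha256": "9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d"},
]
TEMP_DIR_RE = re.compile(r"\\(Temp|Downloads)\\", re.I)  # user-writable staging locations
RUNAS_RE = re.compile(r"-verb\s+runas", re.I)

def refang(domain):
    # Turn a defanged IOC ("[.]") back into a comparable lowercase hostname
    return domain.replace("[.]", ".").lower()

def check_event(ev):
    # Returns the names of the rules that fire for a single event
    findings = []
    kind = ev["event"]
    if kind == "process_create" and ev["image"].lower().endswith("powershell.exe"):
        # Batch file (cmd.exe) spawning PowerShell that requests elevation via -Verb RunAs
        if RUNAS_RE.search(ev["cmdline"]) and ev["parent"].lower().endswith("cmd.exe"):
            findings.append("powershell_runas_from_batch")
    elif kind == "image_load":
        # Side-loading signal: a DLL resolved from a temp/download directory
        dll = ev["loaded"]
        if dll.lower().endswith(".dll") and TEMP_DIR_RE.search(dll):
            findings.append("dll_load_from_temp")
    elif kind in ("dns_query", "network_connect"):
        host = (ev.get("query") or ev.get("dest_host", "")).lower()
        if host in {refang(d) for d in IOC_DOMAINS}:
            findings.append("ioc_domain_contact")
    elif kind == "file_create" and ev.get("sha256", "").lower() in IOC_SHA256:
        findings.append("ioc_hash_match")
    return findings

def scan(events):
    # Run every rule over every event; returns (event index, rule name) pairs in order
    return [(i, f) for i, ev in enumerate(events) for f in check_event(ev)]
```

In a real deployment the same rules would be expressed as EDR or SIEM queries over process-creation, image-load and DNS telemetry rather than run over an in-memory list.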
The REF8372 campaign shows that the OXLOADER loader, despite being in an early stage of development, already effectively evades both static and dynamic detection mechanisms. The key action for security teams is to feed the published IOCs into monitoring systems and strengthen control over the software download chain, especially in scenarios where PowerShell initiates privilege escalation after batch scripts from external sources are run. The full technical analysis is available in the Elastic Security Labs report.