
New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Source: thehackernews.com | Date: 2026-06-22 | Category: malicious AI use | Severity: Medium

What Happened

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidence indicates that the threat actor is likely Russian-speaking and financially motivated, owing to the

Why It Matters

The article describes a malvertising campaign (tracked as REF8372) in which attackers use malicious Google Ads impersonating Node.js to lure users onto a fake download site. That site serves a batch script hosted on Storj, which downloads and executes a new Windows loader called OXLOADER and ultimately delivers the CastleStealer infostealer.[1][2][3][5] Researchers note that OXLOADER uses multiple layers of obfuscation and anti-VM techniques to evade both static detection and sandbox analysis, making it harder for defenders to analyze and block.[2] The report does not mention any AI component; CyberSE.AI's assessment is that stealthy, malvertising-driven loaders of this kind could later be used to deploy AI-powered tooling for automated data theft, account takeover, or abuse of AI-enabled SaaS environments. Organizations that rely on browser-based access to AI agents and cloud services should continuously red-team their environments against drive-by infection chains and malvertising vectors, validating that endpoint, browser, and ad-filtering controls actually block campaigns of this type.

Affected sectors: Healthcare, Fintech, SaaS, SMB, AI startups

CyberSE Analysis

This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
