Elastic Security Labs detailed OXLOADER, a previously undocumented Windows loader that reaches victims through malicious Google Ads impersonating the Node.js download page and other developer tools. A developer searching for Node.js clicks a sponsored result, lands on a convincing fake site, and runs a script that quietly installs the loader, which then deploys an in-memory infostealer called CastleStealer to harvest credentials and other data. OXLOADER is heavily obfuscated, runs several anti-analysis checks, and skips machines set to Russian or in Russian-aligned regions, pointing to a financially motivated Russian-speaking operator. Google removed the advertiser account, but the technique of buying ads against developer searches remains widespread.
BleepingComputer reports that a fake Claude AI website is delivering a previously undocumented Windows malware called Beagle. The site impersonates Anthropic's Claude with a near-perfect clone of the official UI; visitors who click 'Download for Windows' get a Beagle installer rather than the legitimate Claude desktop app (Anthropic distributes Claude through claude.ai and the Mac App Store, not standalone Windows installers). Beagle harvests credentials from browsers, cryptocurrency wallets, Discord tokens, and SSH keys. Distribution is via Google Ads on Claude-related search terms - the same paid-placement abuse pattern hitting GoDaddy ManageWP, AWS, and Notion.
BleepingComputer reports a phishing campaign that bought Google Ads to push a fake GoDaddy ManageWP login page to the top of search results. ManageWP is GoDaddy's centralized dashboard for managing multiple WordPress sites, so a successful phish gives the attacker simultaneous access to dozens or hundreds of sites under one account. The fake page is a near-perfect clone of managewp.com hosted on a typosquat domain; victims who enter credentials are redirected to the real site to mask the theft. This is the same Google Ads abuse template used recently against AWS, Notion, and other developer-tool brands.