Last updated: July 5, 2026 at 9:01 AM UTC

OXLOADER malvertising poses as Node.js installer to drop an infostealer

Elastic Security Labs detailed OXLOADER, a previously undocumented Windows loader that reaches victims through malicious Google Ads impersonating the Node.js download page and other developer tools. A developer searching for Node.js clicks a sponsored result, lands on a convincing fake site, and runs a script that quietly installs the loader, which then deploys an in-memory infostealer called CastleStealer to harvest credentials and other data. OXLOADER is heavily obfuscated, runs several anti-analysis checks, and skips machines set to Russian or in Russian-aligned regions, pointing to a financially motivated Russian-speaking operator. Google removed the advertiser account, but the technique of buying ads against developer searches remains widespread.

Check
Remind developers and staff not to install tools from sponsored search ads, and check endpoints for unexpected installs that began with a downloaded Node.js or developer-tool installer from a non-official site.
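One way to run the endpoint check described above on Windows, as an added example that is not part of the original article or Elastic's report: Windows records where a browser download came from in the file's Zone.Identifier alternate data stream (ZoneId, ReferrerUrl, HostUrl), so comparing the HostUrl of any Node.js installer in a Downloads folder against the official distribution host surfaces look-alike sites. The allowlist, the sample streams and the file-name matching are assumptions; a file that a script dropped rather than a browser saved usually carries no stream at all, which the code reports separately.

```python
"""Triage downloaded Node.js installers by their Mark-of-the-Web origin."""
from pathlib import Path
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: official download hosts per tool; extend for other developer tools.
OFFICIAL_HOSTS = {"node": {"nodejs.org"}}

# Constructed sample Zone.Identifier streams (not real data).
SAMPLE_OFFICIAL = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "ReferrerUrl=https://nodejs.org/en/download\r\n"
                   "HostUrl=https://nodejs.org/dist/node-x64.msi\r\n")
SAMPLE_LOOKALIKE = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                    "ReferrerUrl=https://node-js-download.example/\r\n"
                    "HostUrl=https://cdn.node-js-download.example/node-x64.msi\r\n")

def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the INI-style stream into key/value pairs, ignoring section headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def classify_installer(filename: str, zone_text: Optional[str]) -> str:
    """Return 'official', 'suspicious', 'no-motw' or 'unknown-tool' for one file."""
    if zone_text is None:
        return "no-motw"  # no download record: copied, extracted, or written by a script
    host = urlsplit(parse_zone_identifier(zone_text).get("HostUrl", "")).hostname or ""
    for tool, hosts in OFFICIAL_HOSTS.items():
        if filename.lower().startswith(tool):
            if host in hosts or any(host.endswith("." + h) for h in hosts):
                return "official"
            return "suspicious"
    return "unknown-tool"

def read_zone_identifier(path: Path) -> Optional[str]:
    """Read the Zone.Identifier stream on NTFS; None when absent or unsupported."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def scan_downloads(folder: Path) -> Dict[str, str]:
    """Classify every .msi/.exe in a folder, e.g. Path.home() / 'Downloads'."""
    return {p.name: classify_installer(p.name, read_zone_identifier(p))
            for p in folder.iterdir() if p.suffix.lower() in (".msi", ".exe")}
```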
Affected
Developers and technical users who search for tools like Node.js and click sponsored ads leading to fake download sites; the payload is an infostealer that harvests credentials and sensitive data.
Fix
Download developer tools only from official project sites or package managers, use ad-blocking or DNS filtering to cut malvertising, and deploy endpoint detection that flags in-memory loaders and credential-stealing behavior.