Cybersecurity researchers have disclosed a new malware loader, OXLOADER, which delivers the CastleStealer infostealer through malicious Google Ads. Elastic Security Labs, which identified the campaign, describes the loader as previously undocumented; the delivery vector is malvertising.
The campaign is likely operated by a financially motivated, Russian-speaking threat actor. Its significance lies in the use of a trusted advertising platform to distribute malware: because the lure reaches users through sponsored search results rather than email, controls built around mail filtering offer little protection. A CVSS score does not apply, since this is a malware campaign rather than a software vulnerability, and the number of affected systems was not disclosed.
OXLOADER's role is to stage and execute CastleStealer, an information stealer that targets credentials and other sensitive data. The attack chain begins when a user clicks a malicious Google Ad, which redirects to a landing page hosting the loader; the loader then retrieves and runs the stealer. Indicators of compromise were not detailed in the available sources.
Elastic Security Labs recommends that users exercise caution with online ads and keep security software up to date. Because the campaign relies on user action rather than a software flaw, there is no patch to apply, and the disclosure mentioned no specific workarounds. Organizations are advised to monitor for unusual ad-click activity (for example, ad redirects that end in a software download) and to deploy ad blocking on managed browsers as a precaution.
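The chain described above (ad click, redirect to a landing page, download of the loader) has a recognisable shape in web proxy logs even when no indicators for a specific campaign are available. The following is an added example, not code from Elastic Security Labs or from the original article: a heuristic that groups proxy events per client and flags a request whose Referer is an ad network's click tracker when it is followed, within a short window, by a download of an executable file type from the same landing host. The log format, the click-tracker hostnames and the sample log lines are all constructed for illustration; nothing here identifies OXLOADER or CastleStealer specifically, it only surfaces ad-driven download chains for analyst review.

```python
"""Flag ad-click -> landing page -> executable download chains in proxy logs.

Heuristic only. It does not identify a particular loader; it surfaces the
delivery pattern so an analyst can inspect the landing page and the file.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed ad-network click-tracker hosts (not taken from the article).
# Extend this set for the ad networks seen in your own environment.
AD_CLICK_HOSTS = {"www.googleadservices.com", "googleads.g.doubleclick.net"}

# File types and MIME types that commonly carry a first-stage loader.
PAYLOAD_SUFFIXES = (".exe", ".msi", ".zip", ".iso", ".js")
PAYLOAD_TYPES = {"application/x-msdownload", "application/zip",
                 "application/octet-stream"}

# How long after the ad-click redirect a download still counts as related.
WINDOW = timedelta(seconds=120)

# Constructed sample proxy log (not real telemetry). Assumed field order:
# ISO timestamp, client IP, method, URL, Referer ("-" if absent), Content-Type.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc - text/html
2024-05-01T10:00:02Z 10.0.0.5 GET https://software-mirror.example/setup https://www.googleadservices.com/pagead/aclk?sa=L&ai=abc text/html
2024-05-01T10:00:09Z 10.0.0.5 GET https://software-mirror.example/files/Setup_1.2.exe https://software-mirror.example/setup application/x-msdownload
2024-05-01T10:05:00Z 10.0.0.7 GET https://www.googleadservices.com/pagead/aclk?sa=L&ai=def - text/html
2024-05-01T10:05:01Z 10.0.0.7 GET https://vendor.example/pricing https://www.googleadservices.com/pagead/aclk?sa=L&ai=def text/html
2024-05-01T10:20:00Z 10.0.0.9 GET https://updates.vendor.example/agent.msi - application/x-msdownload
"""


def parse_line(line):
    """Split one whitespace-separated log line into a dict of typed fields."""
    ts, client, method, url, referer, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "url": url,
        "referer": None if referer == "-" else referer,
        "ctype": ctype,
    }


def looks_like_payload(ev):
    """True if the response type or URL path suggests an executable/archive."""
    path = urlparse(ev["url"]).path.lower()
    return ev["ctype"] in PAYLOAD_TYPES or path.endswith(PAYLOAD_SUFFIXES)


def find_ad_delivery_chains(log_text):
    """Return one finding per client whose ad-click redirect led to a download."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            by_client[ev["client"]].append(ev)

    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            # Step 1: the landing-page request carries the click tracker as Referer.
            ref_host = urlparse(ev["referer"]).hostname if ev["referer"] else None
            if ref_host not in AD_CLICK_HOSTS:
                continue
            landing_host = urlparse(ev["url"]).hostname
            # Step 2: within WINDOW, a payload download served by, or referred
            # from, that landing host. Ordinary downloads with no ad referrer
            # in their chain are left alone.
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > WINDOW:
                    break
                later_ref_host = (urlparse(later["referer"]).hostname
                                  if later["referer"] else None)
                from_landing = (urlparse(later["url"]).hostname == landing_host
                                or later_ref_host == landing_host)
                if from_landing and looks_like_payload(later):
                    findings.append({"client": client, "ad_click": ev["referer"],
                                     "landing": ev["url"], "payload": later["url"]})
                    break
    return findings


if __name__ == "__main__":
    for f in find_ad_delivery_chains(SAMPLE_LOG):
        print(f"{f['client']}: ad click -> {f['landing']} -> {f['payload']}")
```

In the constructed sample only client 10.0.0.5 is flagged: 10.0.0.7 clicked an ad but downloaded nothing, and 10.0.0.9 downloaded an installer with no ad redirect in its chain. Tune `WINDOW` and `PAYLOAD_SUFFIXES` to your environment; a flagged chain is a lead for review, not a verdict.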
The attribution to a Russian-speaking, financially motivated group fits a broader pattern of malware distribution through legitimate platforms, which calls for continuous vigilance in advertising ecosystems.