New OXLOADER Malware Campaign Uses Fake Google Ads to Steal Credentials

Fake Google Ads Deliver New Malware Loader and Credential Stealer

Cybercriminals are once again using trusted platforms to spread malware.

Researchers have uncovered a new campaign using fake Google Ads to distribute a previously unknown malware loader called OXLOADER, which ultimately delivers the CastleStealer information-stealing malware.

The attack targets users searching for legitimate software, such as Node.js. Sponsored results redirect victims to convincing look-alike download pages, where the installer they receive appears legitimate but quietly downloads malware in the background.

What makes this threat notable is its evasion tooling: code obfuscation, anti-virtual-machine checks intended to defeat sandbox analysis, and abuse of legitimate cloud storage services, all of which help it avoid detection. Once installed, CastleStealer can harvest credentials, browser data, and other sensitive information.

What Businesses Should Do

  • Download software only from the vendor's official site, reached by typing the address or using a bookmark rather than an ad, and verify the installer's digital signature or published hash before running it.
  • Treat sponsored search results and advertisements with suspicion, even for well-known software.
  • Ensure endpoint protection and application controls are in place so that unapproved installers cannot run.
  • Regularly monitor for unusual credential activity, such as logins from new locations or devices.
  • Provide security awareness training so employees can recognize fake download pages.
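One concrete form of the "verify the download" advice above, as an added example that is not code from the original post or from the researchers who reported the campaign: a small Python check that compares a downloaded installer's SHA-256 against the sha256sum-style manifest many vendors publish beside their downloads (Node.js, the lure in this campaign, ships one named SHASUMS256.txt). The installer bytes, file names and manifest contents here are constructed for the example; the parsing of `digest  filename` lines is the standard sha256sum format.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample data: a "real" installer image and a tampered copy of the
# kind a fake download page would serve. The bytes are made up for this example.
GOOD_INSTALLER = b"MZ\x90\x00" + b"benign-installer-body"
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00loader-stub"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the digest vendors publish)."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in sha256sum format: "<64 hex chars><two spaces><name>".
# A comment line is included to show that non-matching lines are ignored.
MANIFEST = (
    "# vendor release manifest (constructed for this example)\n"
    f"{sha256_hex(GOOD_INSTALLER)}  vendor-setup-x64.msi\n"
    f"{sha256_hex(b'other-artifact-bytes')}  vendor-setup-x86.msi\n"
)

# Accepts "digest  name" and the "digest *name" binary-mode variant.
MANIFEST_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64})\s+\*?(?P<name>\S+)$")


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> expected SHA-256 (lower-case hex) from manifest text.

    Lines that do not look like digest entries (comments, blank lines, PGP
    armor headers in a clearsigned manifest) are skipped rather than treated
    as errors.
    """
    expected: dict[str, str] = {}
    for line in text.splitlines():
        m = MANIFEST_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected


def verify_download(name: str, data: bytes, manifest_text: str) -> tuple[bool, str]:
    """Return (ok, reason). Refuse anything not listed or not matching.

    A file that is absent from the vendor manifest is treated as a failure,
    not a "don't know": an installer the vendor never published is exactly
    what a look-alike download page hands out.
    """
    expected = parse_manifest(manifest_text)
    if name not in expected:
        return False, f"{name} is not listed in the vendor manifest"
    actual = sha256_hex(data)
    if actual != expected[name]:
        return False, f"SHA-256 mismatch for {name}: got {actual}, expected {expected[name]}"
    return True, "ok"


def verify_file(installer: Path, manifest: Path) -> tuple[bool, str]:
    """Disk-backed wrapper: hash the file on disk against a saved manifest."""
    return verify_download(installer.name, installer.read_bytes(), manifest.read_text())


if __name__ == "__main__":
    for label, blob in (("genuine", GOOD_INSTALLER), ("tampered", TAMPERED_INSTALLER)):
        ok, reason = verify_download("vendor-setup-x64.msi", blob, MANIFEST)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

The manifest must come from the vendor's official site (over HTTPS, ideally its PGP-signed variant), never from the same page that served the installer, or the check only confirms that the attacker's file matches the attacker's hash. On Windows, pair this with the installer's Authenticode signature (PowerShell's Get-AuthenticodeSignature) and confirm the signer is the expected vendor, since a hash check alone cannot tell you who built the file.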

While Google has removed the malicious advertising campaign, attackers continue to adapt their techniques. This serves as another reminder that even trusted platforms can be abused to deliver malware.

Britec helps businesses reduce risk through layered cybersecurity, proactive monitoring, and user awareness training.