New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer
Cybersecurity researchers have identified a new malware loader, named OXLOADER, that is being used to distribute the CastleStealer information-stealing malware. Elastic Security Labs reported on March 14, 2024, that the campaign uses malicious Google Ads to initiate distribution. Analysis of the campaign suggests the threat actor is likely Russian-speaking and financially motivated, as evidenced by the use of Russian-language lures and the targeting of specific financial information.

OXLOADER is a previously undocumented loader that appears designed to evade detection by security software. The malware's primary objective is to steal sensitive data from infected systems, including credentials, financial information, and other personal data. Using Google Ads as an initial access vector is a common tactic: it reaches a broad audience and tricks users into downloading malicious files by posing as legitimate software or services. The discovery of OXLOADER highlights the evolving tactics and techniques cybercriminals use to deploy their payloads.
Original source — read the full reporting at the publisher:
Read on The Hacker News