Malvertising — attacks using malicious online advertisements — represents one of the most difficult infection vectors to combat. Unlike email phishing, which requires active victim action (opening a message, clicking a link), malvertising can attack users during normal use of search engines or news portals. The OXLOADER/CastleStealer campaign detected by Elastic Security Labs raises the bar another level: attackers not only purchased fake ads in Google Ads, but created convincing imitations of software websites that deliver the malicious payload.
OXLOADER: How the New Loader Works
OXLOADER is a previously unknown loader — malware whose purpose is to silently download and execute the actual payload (CastleStealer) after infecting the victim's device. The loader is designed to evade detection by antivirus systems and sandbox analysis — it uses code obfuscation techniques, checks the execution environment for signs of analysis, and deploys the payload only after specific conditions are met.
The infection vector works as follows: a user searches Google for popular software (e.g., a developer tool, video editing application, or business software), and search results include a paid advertisement leading to a fake website imitating the official manufacturer's site. On this site, the user downloads an installer that actually contains OXLOADER.
CastleStealer: What Gets Stolen?
After installation by OXLOADER, CastleStealer proceeds to extract valuable data from the infected system. Typical targets for stealers of this class include:
- Passwords saved in browsers (Chrome, Firefox, Edge) and cryptocurrency wallets.
- Session cookies enabling account takeover without knowing the password.
- Payment card data saved in browsers.
- Application authentication tokens (Discord, Telegram, VPN).
- Configuration files with credentials (SSH keys, .env files, CI/CD configurations).
Stolen data is transmitted to attackers' Command and Control servers and can subsequently be sold on dark web forums or used directly to attack companies with whom the infected employee has professional contact.
Implications for Businesses: Risk of Compromise Through an Employee
The OXLOADER campaign is dangerous for B2B companies not only due to the direct threat to infected devices. Employees regularly download software — developers search for tools, marketing departments download graphic editors, administration searches for document management applications. If one of these downloads encounters a fake advertisement, stolen credentials can give attackers access to company systems, code repositories, cloud environments, or SaaS platforms.
Protection against malvertising requires a combination of employee training (URL verification before downloading, using official sites instead of ads), technical measures (DNS filtering, endpoint protection with sandboxing), and software management policies (central catalog of approved tools).
AbejaIT: Secure Online Advertising and Malvertising Protection
The OXLOADER campaign has dual significance for companies: as an employee security threat, but also as a warning signal for marketing departments using Google Ads. Fake ads impersonating brands erode trust in digital advertising and can lead to situations where customers searching for your company encounter malicious imitations.
At AbejaIT, we help companies manage advertising campaigns securely and effectively, while also advising on brand monitoring online and incident response related to company impersonation. Through our IT consulting services, we also support building security policies covering software management and malvertising protection. Malicious ads are a real threat — it pays to have processes that minimize them.
Secure Software Download Procedures for Companies
Every organization should have a documented software download and installation policy. Employees should know that work software is downloaded exclusively from official manufacturer websites — by directly typing the address, not through a search engine — and that installing new tools requires prior IT department approval. Browsers should have warnings about suspicious executable files enabled, and EDR systems configured to block suspicious installation processes.
Investing in centralized Software Asset Management (SAM) not only reduces security risk, but also simplifies license compliance and facilitates audits. Organizations with mature SAM have a complete picture of installed software, allowing rapid identification of potentially infected workstations after a new malware campaign is disclosed. The combination of technical controls, clear procedures, and regular training creates a multilayered defense against OXLOADER-type campaigns that is difficult to breach even for sophisticated attackers with well-prepared malicious advertising infrastructure and convincing fake sites. Building this capability requires sustained commitment, but organizations that do so consistently demonstrate lower incident rates, faster response times, and stronger security posture than those relying on any single technical control alone. The investment in these measures today is protection against losses many times higher tomorrow.
Source: The Hacker News