Elastic Exposes OXLOADER and CastleStealer in Russian Malvertising

Elastic Security Labs exposed OXLOADER and CastleStealer — two new Russian-linked malware families spread via fake Google Ads targeting software downloaders.

    Elastic Security Labs has disclosed two previously undocumented malware families — a loader called OXLOADER and its infostealer payload CastleStealer — being distributed through malicious Google Ads targeting users who search for popular software. The campaign is attributed to a financially motivated Russian-speaking threat group and represents the first time either malware family has been publicly named.

    Discovery and Attribution

    Elastic Security Labs identified OXLOADER and CastleStealer during threat hunting operations and concluded the campaign is the work of a financially motivated, Russian-speaking threat actor. Attribution rests on analysis of the campaign’s infrastructure, command syntax embedded in the malware, and targeting patterns consistent with Russian-language cybercriminal operations. The group has not been assigned a public name in Elastic’s disclosure.

    The decision to publish detailed findings on both malware families means that detection engineers and threat intelligence analysts worldwide can now build signatures and behavioral detections against them — previously impossible because neither family had a public profile.

    How OXLOADER Reaches Victims

    The infection chain begins with a paid advertisement in Google search results. When a user searches for a well-known software application and clicks a promoted result, they are redirected to a malicious landing page designed to impersonate a legitimate download site. From that page, the victim downloads OXLOADER, which serves as the campaign’s initial-access dropper.

    Google Ads as OXLOADER’s Entry Point: Targeting Active Software Downloaders

    OXLOADER’s role in the chain is to establish a foothold and deploy the next stage. Once executed on the victim’s machine, it retrieves and launches CastleStealer. The use of Google Ads as the distribution vector is significant: promoted search results carry an implicit authority signal for many users, and the ads can be precisely targeted by keyword — meaning the attacker can focus on people actively seeking software downloads, a group already primed to run an installer.

    CastleStealer: What It Targets

    CastleStealer is an infostealer built to harvest a specific and financially valuable set of data from infected systems. Its primary targets include credentials stored in web browsers, session cookies that can enable account takeover without requiring a password, financial account data, and files associated with cryptocurrency wallets.

    CastleStealer Payload: Browser Sessions, Financial Accounts, and Crypto Wallet Files

    The combination of session cookies and financial credentials gives the attacker multiple routes to monetization. Stolen session tokens can be used to bypass multi-factor authentication on email, banking, and corporate accounts. Cryptocurrency wallet files, depending on the wallet software in use, may allow direct fund transfer without further credential exploitation.

    Elastic’s disclosure included technical indicators for both OXLOADER and CastleStealer, enabling the security community to retroactively search for prior infections and build prospective detections.

    Malvertising as a Persistent Threat Vector

    This campaign joins a pattern of malware distribution through poisoned search advertising that has grown steadily over the past several years. Malvertising via Google Ads has been used to distribute a range of infostealers and remote access tools because it requires no vulnerability exploitation — the attack succeeds entirely through social engineering at the moment a user clicks an ad they believe is legitimate.

    The Google Ads platform has taken steps to reduce malicious advertising, but enforcement is reactive. Campaigns can run for days or weeks before being removed, and threat actors routinely rotate domains and ad accounts to extend operational lifespan after individual ads are flagged.

    Impact and Takeaway

    For organizations with employees who download software on work machines or work on personal devices connected to corporate networks, OXLOADER and CastleStealer represent a realistic threat path. A single successful infection can yield browser session cookies for corporate SaaS platforms, VPN credentials, and cloud service authentication tokens — any of which could give an attacker a foothold in an enterprise environment that began with a personal software download.

    Elastic’s public disclosure shifts the detection calculus. Both malware families were invisible to the broader security community until this report. Organizations can now update endpoint detection rules, hunt for historical indicators of compromise in their telemetry, and monitor for the specific file and network artifacts Elastic documented. The campaign’s ongoing status at the time of disclosure means defensive action is immediately relevant.
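    The hunting step above, expressed as a small Python script: it walks a constructed batch of endpoint events looking for the chain the article describes (a browser launching an executable from the Downloads folder, that process spawning a second stage and calling out, and a non-browser process reading browser credential stores) and matches events against an indicator list. This is an added example, not Elastic's code and not the detections or indicators from the report; the browser names, the Downloads-folder marker, the Chromium store file names, the event shape and every indicator value are assumptions, with the indicators deliberately left as placeholders because this page does not reproduce the published IoCs.

```python
"""
Added example (not Elastic's code): hunt constructed endpoint telemetry for
the malvertising-to-infostealer chain described in the article, plus matches
against a placeholder indicator list. All names and values are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}      # assumption
DOWNLOAD_DIR_MARKER = "\\downloads\\"                        # assumption
# Browser credential and cookie stores an infostealer reads (Chromium naming).
BROWSER_STORES = {"login data", "cookies", "web data"}
# Placeholder indicators: Elastic published IoCs, but this page does not carry
# them, so these are constructed values, not real campaign artifacts.
IOC_DOMAINS = {"placeholder-c2.example"}
IOC_SHA256 = {"0" * 64}


@dataclass
class Event:
    ts: int
    kind: str            # "process", "network" or "file"
    pid: int
    ppid: int
    image: str           # full path of the acting process
    parent_image: str = ""
    sha256: str = ""     # process events: hash of the image
    target: str = ""     # network events: destination host; file events: path read


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, pid, detail) findings in telemetry order."""
    findings = []
    flagged = set()      # pids already tied to the suspected chain
    for e in sorted(events, key=lambda ev: ev.ts):
        name = basename(e.image)
        if e.kind == "process":
            # Stage 1: a browser launched an executable from the Downloads folder.
            if basename(e.parent_image) in BROWSERS and DOWNLOAD_DIR_MARKER in e.image.lower():
                findings.append(("browser_spawned_download", e.pid, e.image))
                flagged.add(e.pid)
            if e.sha256 in IOC_SHA256:
                findings.append(("ioc_hash", e.pid, e.sha256))
            # Stage 2: a flagged process launches a child (loader hands off to the stealer).
            if e.ppid in flagged:
                findings.append(("loader_spawned_child", e.pid, e.image))
                flagged.add(e.pid)
        elif e.kind == "network" and e.target.lower() in IOC_DOMAINS:
            findings.append(("ioc_domain", e.pid, e.target))
        elif e.kind == "file" and name not in BROWSERS and basename(e.target) in BROWSER_STORES:
            # Stealer behaviour: a non-browser process reads a browser credential store.
            findings.append(("browser_store_access", e.pid, e.target))
    return findings


def triage(findings):
    """Group findings by pid so a process hit by several rules stands out."""
    by_pid = defaultdict(list)
    for rule, pid, _ in findings:
        by_pid[pid].append(rule)
    return dict(by_pid)


# Constructed telemetry (paths and hashes are made up for the example).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
INSTALLER = r"C:\Users\alice\Downloads\SetupInstaller.exe"
STAGE2 = r"C:\Users\alice\AppData\Local\Temp\stage2.exe"
LOGIN_DATA = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"

SAMPLE_EVENTS = [
    Event(1, "process", 100, 50, CHROME, r"C:\Windows\explorer.exe"),
    Event(2, "file", 100, 50, CHROME, target=LOGIN_DATA),        # browser reading its own store: benign
    Event(3, "process", 200, 100, INSTALLER, CHROME, sha256="0" * 64),
    Event(4, "network", 200, 100, INSTALLER, target="placeholder-c2.example"),
    Event(5, "process", 300, 200, STAGE2, INSTALLER),
    Event(6, "file", 300, 200, STAGE2, target=LOGIN_DATA),
    Event(7, "process", 400, 50, r"C:\Users\alice\Downloads\7z-setup.exe",
          r"C:\Windows\explorer.exe"),                              # user-launched installer: no browser parent
]

if __name__ == "__main__":
    for pid, rules in triage(hunt(SAMPLE_EVENTS)).items():
        print(pid, rules)
```

    In practice the placeholder indicator sets are replaced with the values from Elastic's report and `Event` is populated from the EDR's process, network and file events; the benign rows in the sample (the browser reading its own store, an installer launched from Explorer) are there to show that each rule on its own is a weak signal and that the value comes from several firing on one process tree.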
