A newly identified malware loader called OXLOADER is being distributed via malicious Google Ads, ultimately delivering an information-stealing payload known as CastleStealer. The campaign is attributed to a likely Russian-speaking, financially motivated threat actor. This matters because malvertising via Google Ads is a highly effective initial access vector that bypasses traditional perimeter defences by exploiting trusted ad infrastructure.

Security Architect’s Take: Review and enforce DNS filtering and web proxy policies to block known malvertising domains, and consider deploying endpoint detection rules for OXLOADER behavioural indicators published by Elastic Security Labs. Ensure browser isolation or ad-blocking controls are in place for corporate endpoints, particularly for users with access to sensitive cloud credentials.

Original advisory: New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer