Researchers have disclosed details of a malvertising campaign, tracked as REF8372, that deploys a previously unreported malware loader dubbed OXLOADER to deliver the CastleStealer information stealer. The operation weaponizes Google Ads to lure victims through deceptive search results.
The attack chain begins when a user clicks on a malicious advertisement masquerading as a legitimate software download. The campaign has used fake Node.js ads to direct victims to sites hosting the OXLOADER payload on Storj's decentralized storage infrastructure. Once executed, OXLOADER retrieves and installs CastleStealer, a stealer known for harvesting browser credentials, session cookies, and cryptocurrency wallet data from compromised systems.
Pairing a novel custom loader with a known infostealer produces a more evasive attack toolkit. New loaders like OXLOADER can temporarily bypass security solutions that lack specific signatures, potentially raising a campaign's success rate until detection rules catch up.
Evidence indicates that the threat actor behind REF8372 is likely Russian-speaking and financially motivated. Malvertising remains a favoured tactic among cybercriminal operators, as it allows them to target users with high intent while circumventing traditional network defenses.
The discovery of OXLOADER underscores the continuing evolution of the initial access phase in the cyber kill chain. Analysts have noted that defenders must increasingly tune endpoint detection and response capabilities to identify multi-stage behavioral patterns associated with loaders, rather than relying solely on file-signature detection.
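To make the closing recommendation concrete, here is an added example of the kind of behavioural correlation the article argues for: instead of matching a file hash for OXLOADER, it watches endpoint process telemetry for the generic loader pattern (a binary launched from a download directory reaches out to the network, then spawns a second-stage process). The code is not from the researchers or any vendor product; the event schema, the download-directory markers, the 300-second window and the sample events are all constructed for illustration.

```python
"""Added example: a minimal stateful correlator for a loader-style process chain.

Assumed (hypothetical) telemetry format: a list of dicts with
  ts      - seconds since some epoch
  event   - "process_start" or "net_connect"
  pid     - process id
  ppid    - parent pid         (process_start only)
  image   - full image path    (process_start only)
  dst     - "host:port"        (net_connect only)
"""
from typing import Dict, List

# Local policy, not from the article: paths a user-downloaded binary typically runs from.
DOWNLOAD_DIR_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")
# Stages must complete within this many seconds to be treated as one chain.
WINDOW_SECONDS = 300


def from_download_dir(image: str) -> bool:
    """Stage 1 predicate: the process image lives in a download/temp location."""
    return any(marker in image.lower() for marker in DOWNLOAD_DIR_MARKERS)


def correlate(events: List[Dict]) -> List[Dict]:
    """Return one alert per process that completes all three stages:
    1. started from a download directory,
    2. made an outbound connection,
    3. then started a child process within WINDOW_SECONDS of its own start.
    """
    tracked: Dict[int, Dict] = {}   # pid -> state of a stage-1 candidate
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "process_start":
            # Stage 3: a candidate that already reached out is now spawning something.
            parent = tracked.get(ev["ppid"])
            if parent and parent["net"] is not None:
                elapsed = ev["ts"] - parent["start"]
                if elapsed <= WINDOW_SECONDS:
                    alerts.append({
                        "loader_pid": ev["ppid"],
                        "loader_image": parent["image"],
                        "contacted": parent["net"],
                        "child_pid": ev["pid"],
                        "child_image": ev["image"],
                        "elapsed_seconds": elapsed,
                    })
                    del tracked[ev["ppid"]]  # one alert per loader process
            # Stage 1: start tracking anything launched from a download location.
            if from_download_dir(ev["image"]):
                tracked[ev["pid"]] = {"image": ev["image"], "start": ev["ts"], "net": None}
        elif ev["event"] == "net_connect":
            state = tracked.get(ev["pid"])
            if state and state["net"] is None:
                state["net"] = ev.get("dst")  # Stage 2: remember the first destination
    return alerts


# Constructed sample telemetry (hostnames and paths are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"ts": 0, "event": "process_start", "pid": 100, "ppid": 1,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    # Suspicious chain: downloaded "installer" -> network -> second stage from Temp
    {"ts": 10, "event": "process_start", "pid": 200, "ppid": 50,
     "image": "C:\\Users\\alice\\Downloads\\node-setup.exe"},
    {"ts": 12, "event": "net_connect", "pid": 200, "dst": "storage.example.invalid:443"},
    {"ts": 15, "event": "process_start", "pid": 300, "ppid": 200,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe"},
    # Benign: downloaded installer spawns a child but never touches the network
    {"ts": 20, "event": "process_start", "pid": 400, "ppid": 50,
     "image": "C:\\Users\\alice\\Downloads\\archiver-installer.exe"},
    {"ts": 25, "event": "process_start", "pid": 500, "ppid": 400,
     "image": "C:\\Users\\alice\\Downloads\\helper.exe"},
    # Benign: a program outside download dirs connecting out is not a candidate
    {"ts": 30, "event": "net_connect", "pid": 100, "dst": "updates.example.invalid:443"},
    # Outside the window: child appears long after the connection, so no alert
    {"ts": 40, "event": "process_start", "pid": 700, "ppid": 50,
     "image": "C:\\Users\\alice\\Downloads\\slow-tool.exe"},
    {"ts": 41, "event": "net_connect", "pid": 700, "dst": "cdn.example.invalid:443"},
    {"ts": 1000, "event": "process_start", "pid": 800, "ppid": 700,
     "image": "C:\\Users\\alice\\Downloads\\plugin.exe"},
]


def demo() -> List[Dict]:
    """Run the correlator over the constructed sample; expected: exactly one alert."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The design choice worth noting is that no stage on its own is alert-worthy: downloaded installers legitimately connect out, and legitimately spawn children. Only the ordered combination inside a short window is flagged, which is what lets the rule survive a loader being rebuilt with a new hash. Real deployments would also tune the window and the directory list per environment and enrich the alert with the originating browser download URL where the EDR records it.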
