REF8372 malicious Google Ads CastleStealer delivery campaign

Campaign
H score 27 · 1 unique source, 1 article

Summary

The REF8372 campaign now uses malicious Google Ads and a fake Node.js download site to deliver OXLOADER and CastleStealer, putting search users at risk of malware execution and information theft. The operation also abuses Storj, PowerShell, DLL side-loading, and UAC prompts to move from lure to payload. Researchers assess the activity as Russian-speaking and financially motivated, with CIS exclusions suggesting deliberate victim filtering.

Related Happenings

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score 20 · First: 22.06.2026 16:20 · Last: 22.06.2026 16:20 · Sources: 1

How related: "Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command and executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt."

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations

Campaign
H score 39 · First: 29.05.2026 01:24 · Last: 29.05.2026 01:24 · Sources: 1

About this happening: **GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score 41 · First: 29.05.2026 01:24 · Last: 29.05.2026 01:24 · Sources: 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

LummaStealer infection surge via CastleLoader

Malware Activity
H score 30 · First: 11.02.2026 19:02 · Last: 11.02.2026 19:02 · Sources: 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

DCRat delivered through PowerShell and MSBuild in PHALT#BLYX

Malware Activity
H score 23 · First: 06.01.2026 14:13 · Last: 06.01.2026 14:13 · Sources: 1

About this happening: **SHADOW#REACTOR** is a **multi-stage Windows malware campaign** that uses **obfuscated VBS**, **PowerShell**, **wscript.exe**, **MSBuild.exe**, and in-memory loaders to stealthil...

Timeline

  1. 22.06.2026 16:20 · 1 article

     Google removes advertiser account and ad campaigns used for bogus ads

     Legal Policy Action Update

     Google removed the advertiser account and its associated ad campaigns on May 14, 2026 after bogus Google Ads were used to redirect search users toward the fake node-js[.]prentiva99[.]info site.

  2. 22.06.2026 16:20 · 2 articles

     Researchers disclose REF8372 campaign delivering OXLOADER and CastleStealer

     Initial Disclosure

     Researchers disclosed REF8372, a campaign that uses malicious Google Ads, a fake node-js[.]prentiva99[.]info site, a Storj-hosted batch script, PowerShell, DLL side-loading, and UAC abuse to deliver OXLOADER and execute CastleStealer. The loader uses control-flow flattening, opaque predicates, mixed Boolean-arithmetic (MBA) obfuscation, self-modifying decryption stubs, and the Windows PE .reloc section to stage shellcode.