OXLOADER

Hackers are using fake Google Ads to push a brand-new malware loader that disguises itself as the popular Node.js installer.

the campaign leverages malicious Google Ads as a starting point to distribute the malware

The attack begins when unsuspecting users enter queries such as "lts version of node.js" on search engines like Google, redirecting them to a fake website ("node-js[.]prentiva99[.]info") surfaced via bogus ads

downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command and executing it with -Verb RunAs

Users who end up interacting with the site are served a batch script hosted on Storj

Behind that interface, it is silently downloading the next-stage executable using PowerShell and triggering a Windows User Account Control prompt to gain elevated system access.

executing it with -Verb RunAs to trigger a Windows User Account Control (UAC) prompt

The loader uses several obfuscation layers (control-flow flattening, opaque predicates, mixed Boolean-Arithmetic), self-modifying decryption stubs, and abuses the Windows .reloc section to stage shellcode

A second variant of OXLOADER was also discovered on May 13, 2026, this time masquerading as a Node.js installer binary rather than API Monitor.

and unpacks itself in memory using self-modifying decryption routines.

while also taking steps to ensure it's not run on sandboxed environments

These include checking for at least three CPU cores, at least 3 GB of physical RAM, a display refresh rate above 20 Hz, and verifying the system is not located in a CIS region or configured for the Russian language.

It hides malicious code inside the Windows .reloc section, a space legitimate programs never use for executable instructions.

while also taking steps to ensure it's not run on sandboxed environments

These include checking for at least three CPU cores, at least 3 GB of physical RAM, a display refresh rate above 20 Hz, and verifying the system is not located in a CIS region or configured for the Russian language.

Users who end up interacting with the site are served a batch script hosted on Storj... Running the batch script displays a bogus installation wizard user interface (UI), while stealthily downloading a next-stage payload, a Storj-hosted executable dubbed OXLOADER through a PowerShell command