Hackers Abuse Fake Node.js Installer in Google Ads Malware Campaign
Threat Intelligence
June 22, 2026, 02:13 PM

Cybercriminals are once again abusing Google Ads to push malware, this time by impersonating the Node.js installer and luring users into downloading a malicious package that ultimately deploys an infostealer.

According to new research from Elastic Security Labs, the campaign delivers a newly identified Windows loader dubbed OXLOADER, which is used to install CASTLESTEALER, an information-stealing malware family designed to harvest sensitive data from infected systems. The attack highlights a growing trend in which threat actors use malvertising and fake software download pages to target developers and IT users who trust sponsored search results.

How the attack works

The infection chain begins when a victim searches online for a legitimate Node.js download, such as the LTS version of Node.js, and clicks on a sponsored result served through Google Ads. Instead of landing on the real Node.js website, the victim is redirected to a fake Node.js-themed page controlled by the attackers.

From there, the user is funneled through an intermediary domain and served a malicious batch file hosted on Storj, a decentralized cloud storage platform. That script then downloads and executes OXLOADER, which acts as the first-stage malware loader.

Once active, OXLOADER delivers CASTLESTEALER, the final payload in the chain. CASTLESTEALER is designed to steal valuable information from infected devices, potentially including browser credentials, stored cookies, authentication tokens, and other sensitive data that can be monetized or reused in follow-on attacks. Elastic says the campaign appeared to target U.S.-based victims, and the malicious ad linked to a spoofed domain posing as a legitimate Node.js download site.

A loader built to avoid detection

One of the more concerning aspects of the campaign is how much effort went into evasion. Elastic reports that OXLOADER includes multiple anti-analysis and anti-sandbox techniques designed to keep the malware hidden from researchers and automated security tools.

Among its checks, the loader reportedly looks for signs of virtualized environments, inspects system resources such as CPU and RAM, and avoids execution in certain environments tied to CIS countries or systems using Russian language settings. These behaviors suggest the operators are not only technically capable, but are actively trying to reduce the chances of their malware being captured and studied.

Why this campaign matters

This campaign is another reminder that top search results are not always safe, especially when they are sponsored advertisements. Threat actors know that developers frequently search for trusted tools such as Node.js, browser software, remote access tools, and coding utilities. By cloning legitimate download pages and buying ad placement, attackers can place malicious installers directly in front of their targets.

The tactic fits into a broader pattern. Over the past year, researchers have documented multiple campaigns using fake installers, malicious ads, and cloned software pages to distribute stealers, loaders, and other payloads. Node.js itself has increasingly appeared in malware delivery chains because it is widely trusted, flexible, and can help malicious code blend in with legitimate software activity.

What users and organizations should do

To reduce the risk from campaigns like this, users and defenders should take a few simple but important precautions:

  • Avoid downloading software from sponsored search results whenever possible

  • Always verify that you are on the official vendor domain before downloading installers

  • Use browser protections, endpoint security tools, and DNS filtering to block known malicious infrastructure

  • Train employees and developers to recognize malvertising and fake software portals

  • Monitor for signs of infostealer activity, including suspicious downloads, unexpected archive files, and unusual outbound connections

For developers and IT teams, the safest approach is to bookmark official download pages for tools you use often rather than relying on search engines each time.
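As an added example (not from the original article or from Elastic's research), the following Python sketch shows how the monitoring advice above could be turned into a simple web-proxy log check for the chain this campaign uses: an installer or batch script fetched from a Node.js-lookalike host, or referred from one, or a batch file pulled from a cloud object-storage gateway. The log format, the hostnames ending in `.example`, and the `CLOUD_STORAGE_HOSTS` entry are all constructed placeholders; `nodejs.org` is the real project domain.

```python
"""Flag installer/script downloads tied to Node.js lookalike pages (constructed example)."""
import re
from urllib.parse import urlparse

OFFICIAL_NODE_HOSTS = {"nodejs.org"}          # real vendor domain; extend for your org
# Constructed placeholder: fill with the object-storage gateways you observe.
# The article says the campaign's batch file was hosted on Storj.
CLOUD_STORAGE_HOSTS = {"storage-gateway.example"}
# Batch scripts (this chain's first stage) plus common installer/archive types.
SCRIPT_OR_INSTALLER = re.compile(r"\.(bat|cmd|exe|msi|zip)$", re.IGNORECASE)

# Constructed proxy log: timestamp client method url referrer ("-" if none)
SAMPLE_LOG = """\
2026-06-22T14:01:02Z 10.0.0.5 GET https://nodejs.org/dist/v22.0.0/node-v22.0.0-x64.msi -
2026-06-22T14:05:10Z 10.0.0.7 GET https://nodejs-lts-download.example/download https://www.google.com/search?q=node.js+lts
2026-06-22T14:05:12Z 10.0.0.7 GET https://storage-gateway.example/pkg/node-setup.bat https://nodejs-lts-download.example/download
"""

def is_official(host: str) -> bool:
    """True for the vendor domain itself or any of its subdomains."""
    return host in OFFICIAL_NODE_HOSTS or any(host.endswith("." + h) for h in OFFICIAL_NODE_HOSTS)

def looks_node_themed(host: str) -> bool:
    """A host that brands itself with 'node' but is not the official domain."""
    return "node" in host.lower() and not is_official(host)

def parse_line(line: str) -> dict:
    ts, client, method, url, ref = line.split(maxsplit=4)
    return {"ts": ts, "client": client, "url": url, "ref": ref}

def flag_download(rec: dict):
    """Return a list of reasons if the record looks like this campaign's chain, else None."""
    u = urlparse(rec["url"])
    r = urlparse(rec["ref"]) if rec["ref"] != "-" else None
    if not SCRIPT_OR_INSTALLER.search(u.path):
        return None                              # not a script/installer fetch
    host = (u.hostname or "").lower()
    reasons = []
    if looks_node_themed(host):
        reasons.append("installer from Node.js lookalike host")
    if r and looks_node_themed((r.hostname or "").lower()):
        reasons.append("referred from Node.js lookalike page")
    if u.path.lower().endswith((".bat", ".cmd")) and host in CLOUD_STORAGE_HOSTS:
        reasons.append("batch script from cloud object storage")
    return reasons or None

def scan(log: str) -> list:
    """Scan a log blob and return (client, url, reasons) for each flagged download."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        reasons = flag_download(rec)
        if reasons:
            hits.append((rec["client"], rec["url"], reasons))
    return hits
```

The official `.msi` from `nodejs.org` passes, the lookalike landing page itself is not a download, and only the batch file fetched from the storage gateway is flagged, with both the lookalike referrer and the cloud-storage host as reasons.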

Final thoughts

The fake Node.js installer campaign shows how effective malvertising remains as an initial access tactic. Instead of exploiting a software vulnerability, the attackers simply exploited trust — trust in search results, trust in a familiar brand, and trust in a tool widely used by developers around the world.

As infostealer campaigns continue to evolve, defenders will need to treat search ads and fake software download pages as a serious part of the threat landscape, not just an annoyance. In many cases, one click on the wrong “download” button is all it takes to hand over credentials, session tokens, and access to an attacker.

Published on CyberSight News