A newly discovered Windows loader, OXLOADER, is being distributed via malicious Google Ads impersonating Node.js to deliver the CASTLESTEALER infostealer. The loader utilizes advanced evasion techniques, including control-flow flattening, anti-sandbox checks, and staging shellcode within the .reloc section of a copied system DLL, to maintain low detection rates across static engines.