Elastic Security Labs has identified an active malvertising campaign delivering OXLOADER, a new staged loader, through poisoned Google Ads to install CastleStealer, an infostealer targeting credentials and financial data. The campaign has no CVE assignment and no vendor patch — it is a delivery-chain and user-behavior problem that bypasses perimeter defenses by routing through the Google Ads platform. The primary risk is credential theft and session hijacking affecting any employee exposed to malicious advertisements on corporate or personal devices.