
Malicious Advertising Campaign Distributes PowerShell-Based Malware Known as PS1Bot

A continuing strategy of distributing malware through deceptive advertising has been spotted, with PS1Bot – a PowerShell-based toolkit – being the payload.


A new malware named PS1Bot has emerged, drawing the attention of researchers and security professionals. First observed in 2025, it shares similarities with the AHK Bot malware family and is built as a multi-stage, stealthy framework.

The PS1Bot infection chain begins when a victim unwittingly downloads a compressed archive from a malicious advertisement or an SEO-poisoned link. The archive contains a JavaScript file named "FULL DOCUMENT.js" with embedded VBScript. When executed, "FULL DOCUMENT.js" retrieves a PowerShell script that polls a command-and-control (C2) server for further modules.

Each module in PS1Bot reports status updates to the attacker via HTTP requests. Researchers believe that additional, undiscovered PS1Bot modules likely exist. One of the modules in PS1Bot is a keylogger, which uses Windows API hooks to capture keystrokes and mouse events, alongside clipboard contents. Another module, dubbed the "grabber," targets dozens of web browsers and cryptocurrency wallet extensions, searching local drives for files containing wallet seed phrases or passwords before compressing and exfiltrating them.

The screen capture tool in PS1Bot compiles and runs C# code at runtime to generate JPEG screenshots, which are later encoded and sent to the C2 server. Persistence in PS1Bot is achieved by creating PowerShell scripts and shortcuts that reinitiate the C2 loop on system startup.
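The behaviours described above give a defender three observable signals: a script host (wscript/cscript) launching PowerShell after a downloaded .js is opened, PowerShell writing scripts or shortcuts into a Startup folder, and a PowerShell process polling one C2 host at a steady interval. The following detector is an added example, not code from the article or from Talos; the pipe-delimited key=value log format, the field names and the sample telemetry lines are all constructed for illustration, and the beacon threshold (coefficient of variation of the gaps at or below 0.2) is an assumed tuning value.

```python
# Added example (not from the article or from Talos): a small detector over
# constructed endpoint telemetry that flags the three behaviours the write-up
# attributes to PS1Bot. Log format, field names, thresholds and sample lines
# are all constructed for this example.
import re
import statistics
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
PERSIST_EXT = (".ps1", ".lnk")


def parse_line(line):
    """Parse one 'key=value|key=value' record (constructed format)."""
    rec = {}
    for kv in line.strip().split("|"):
        key, _, value = kv.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def check_process(rec):
    """ProcessCreate: a script host spawning PowerShell, ideally from a .js."""
    parent = rec.get("parent", "").lower()
    image = rec.get("image", "").lower()
    if parent in SCRIPT_HOSTS and image in POWERSHELL:
        hit = "script host launched PowerShell"
        if ".js" in rec.get("parent_cmdline", "").lower():
            hit += " from a .js file"
        return hit
    return None


def check_file(rec):
    """FileCreate: PowerShell dropping a script or shortcut into Startup."""
    image = rec.get("image", "").lower()
    path = rec.get("path", "")
    if (image in POWERSHELL and STARTUP_DIR.search(path)
            and path.lower().endswith(PERSIST_EXT)):
        return f"PowerShell wrote startup persistence artifact {path}"
    return None


def check_beacons(records, min_count=4, max_cv=0.2):
    """NetConnect: one PowerShell pid contacting one destination at
    near-constant intervals (coefficient of variation of the gaps <= max_cv)."""
    times = defaultdict(list)
    for rec in records:
        if (rec.get("event") == "NetConnect"
                and rec.get("image", "").lower() in POWERSHELL):
            times[(rec["pid"], rec["dest"])].append(int(rec["t"]))
    hits = []
    for (pid, dest), ts in times.items():
        ts.sort()
        if len(ts) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits.append(f"pid {pid} polls {dest} every ~{mean:.0f}s (cv={cv:.2f})")
    return hits


def analyse(lines):
    """Run all three checks over a list of log lines; return the findings."""
    records = [parse_line(line) for line in lines if line.strip()]
    findings = []
    for rec in records:
        event = rec.get("event")
        hit = None
        if event == "ProcessCreate":
            hit = check_process(rec)
        elif event == "FileCreate":
            hit = check_file(rec)
        if hit:
            findings.append(hit)
    findings.extend(check_beacons(records))
    return findings


# Constructed sample telemetry: pid 4120 mirrors the described chain,
# pid 5000 is benign interactive PowerShell use that must not alert.
SAMPLE_LOG = """\
event=ProcessCreate|parent=wscript.exe|parent_cmdline=wscript.exe "C:\\Users\\u\\Downloads\\FULL DOCUMENT.js"|image=powershell.exe|pid=4120
event=ProcessCreate|parent=explorer.exe|parent_cmdline=explorer.exe|image=powershell.exe|pid=5000
event=FileCreate|image=powershell.exe|pid=4120|path=C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk
event=FileCreate|image=powershell.exe|pid=5000|path=C:\\Users\\u\\Documents\\report.txt
event=NetConnect|image=powershell.exe|pid=4120|dest=203.0.113.10:443|t=1000
event=NetConnect|image=powershell.exe|pid=4120|dest=203.0.113.10:443|t=1060
event=NetConnect|image=powershell.exe|pid=4120|dest=203.0.113.10:443|t=1121
event=NetConnect|image=powershell.exe|pid=4120|dest=203.0.113.10:443|t=1180
event=NetConnect|image=powershell.exe|pid=5000|dest=198.51.100.5:443|t=1000
event=NetConnect|image=powershell.exe|pid=5000|dest=198.51.100.5:443|t=1010
event=NetConnect|image=powershell.exe|pid=5000|dest=198.51.100.5:443|t=1300
event=NetConnect|image=powershell.exe|pid=5000|dest=198.51.100.5:443|t=1310
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print("ALERT:", finding)
```

On the constructed sample the detector raises exactly three alerts, all for pid 4120, and stays silent for the interactive session, whose connections are bursty rather than periodic. Each check on its own is a weak signal (Startup-folder writes and scheduled polling both have legitimate uses), so in practice the three would be correlated on the same process tree before paging anyone.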

Talos, a cyber intelligence and research group, has identified distinct modules in PS1Bot performing antivirus detection, system information gathering, and maintaining persistence, in addition to the screen capture, cryptocurrency wallet and browser data theft, keylogging, and clipboard monitoring modules.

The malware's flexible framework and active development indicate that PS1Bot will continue to evolve as attackers adapt its capabilities. The organization or individual responsible for developing and distributing PS1Bot has not been publicly identified.

In response to this threat, the National Cyber Security Centre (NCSC) has published tips to tackle the malvertising threat. However, no specific information about these tips was provided in the available sources.

It is crucial for users to remain vigilant and follow best practices for online safety, such as avoiding clicking on suspicious links, keeping software up-to-date, and using reliable security solutions. As the battle against cyber threats continues, it is essential to stay informed and take proactive measures to protect against such malicious activities.
