New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks

Aug 13, 2025Ravie LakshmananMalvertising / Cryptocurrency

Cybersecurity researchers have discovered a new malvertising campaign that’s designed to infect victims with a multi-stage malware framework called PS1Bot.

“PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access,” Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said.

“PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.”

Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in-memory to minimize forensic trail. PS1Bot is assessed to share technical overlaps with AHK Bot, an AutoHotkey-based malware previously put to use by threat actors Asylum Ambuscade and TA866.

Furthermore, the activity cluster has been identified as overlapping with previous ransomware-related campaigns utilizing a malware named Skitnet (aka Bossnet) with an aim to steal data and establish remote control over compromised hosts.

The starting point of the attack is a compressed archive that’s delivered to victims via malvertising or search engine optimization (SEO) poisoning. Present within the ZIP file is a JavaScript payload that serves as a downloader to retrieve a scriptlet from an external server, which then writes a PowerShell script to a file on disk and executes it.

The PowerShell script is responsible for contacting a command-and-control (C2) server and fetching next-stage PowerShell commands that allow the operators to augment the malware’s functionality in a modular fashion and carry out a wide range of actions on the compromised host –

• Antivirus detection, which obtains and reports the list of antivirus programs present on the infected system
• Screen capture, which captures screenshots on infected systems and transmits the resulting images to the C2 server
• Wallet grabber, which steals data from web browsers (and wallet extensions), application data for cryptocurrency wallet applications, and files containing passwords, sensitive strings, or wallet seed phrases
• Keylogger, which logs keystrokes and gathers clipboard content
• Information collection, which harvests and transmits information about the infected system and environment to the attacker
• Persistence, which creates a PowerShell script such that it’s automatically launched when the system restarts, incorporating the same logic used to establish the C2 polling process to fetch the modules

“The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Talos noted.

“The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed.”

The disclosure comes as Google said it’s leveraging artificial intelligence (AI) systems powered by large language models (LLMs) to fight invalid traffic (IVT) and more precisely identify ad placements generating invalid behaviors.

“Our new applications provide faster and stronger protections by analyzing app and web content, ad placements and user interactions,” Google said. “For example, they’ve significantly improved our content review capabilities, leading to a 40% reduction in IVT stemming from deceptive or disruptive ad serving practices.”

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!