A new PS1Bot malware campaign has been discovered. It uses malvertising to infect victims with a multi-stage malware framework. This malware steals information, logs keystrokes, and maintains persistent access on infected systems.
PS1Bot Malware: A Modular In-Memory Framework
PS1Bot operates as a modular malware framework. Several modules perform malicious activities on infected systems, including:
- Information theft
- Keylogging
- Reconnaissance
- Establishing persistent system access
The malware is designed for stealth. It minimizes persistent artifacts on infected systems and uses in-memory execution techniques, meaning follow-up modules run without writing to disk. This helps avoid detection and makes tracing the malware’s activities more difficult.
How the PS1Bot Malware Campaign Works
The campaign has been active since early 2025, primarily using malvertising and SEO poisoning as propagation methods. Initially, victims receive a compressed archive containing a JavaScript payload. This payload downloads a script from an external server, writes a PowerShell script to disk, and executes it.
Once executed, the PowerShell script contacts a command-and-control (C2) server. From there, it fetches the next-stage commands. These commands enable the malware to carry out various activities on the compromised system, such as:
- Antivirus detection, identifying antivirus programs present on the infected system
- Screen capture, taking screenshots and sending them to the C2 server
- Wallet grabber, stealing data from cryptocurrency wallets, browsers, and applications
- Keylogger, recording keystrokes and clipboard content
- Information collection, gathering system and environmental data
- Persistence, creating a PowerShell script that runs when the system restarts
The wallet grabber specifically targets cryptocurrency wallets, extracting sensitive data like wallet seed phrases and passwords. Additionally, the keylogger records information from the victim’s activities.
Flexibility and Risk of PS1Bot Malware
One of the most concerning aspects of PS1Bot malware is its flexibility. The modular design allows operators to quickly deploy updates or new functionality. This adaptability makes the malware a constantly evolving threat.
Additionally, Google has taken action against invalid traffic (IVT) and deceptive ad practices by leveraging artificial intelligence (AI) systems. These systems, powered by large language models (LLMs), improve ad placement analysis, leading to a 40% reduction in IVT caused by deceptive ad serving practices.
Conclusion
The PS1Bot malware campaign highlights the growing sophistication of cybersecurity threats. By using malvertising and in-memory execution, this malware framework can infiltrate systems, steal sensitive data, and maintain long-term access without detection. Users must stay vigilant and take steps to protect their systems against evolving threats.
For more information on cybersecurity threats and how to stay safe, follow our updates on Google News, Twitter, and LinkedIn.
