Cybersecurity researchers have discovered a new malvertising campaign that’s designed to infect victims with a multi-stage malware framework called PS1Bot.
“PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access,” Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk said.
“PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.”
Campaigns distributing the PowerShell and C# malware have been found to be active since early 2025, leveraging malvertising as a propagation vector, with the infection chains executing modules in-memory to minimize forensic trail. PS1Bot is assessed to share technical overlaps with AHK Bot, an AutoHotkey-based malware previously put to use by threat actors Asylum Ambuscade and TA866.
Furthermore, the activity cluster has been identified as overlapping with previous ransomware-related campaigns utilizing a malware named Skitnet (aka Bossnet) with an aim to steal data and establish remote control over compromised hosts.
The starting point of the attack is a compressed archive that’s delivered to victims via malvertising or search engine optimization (SEO) poisoning. Present within the ZIP file is a JavaScript payload that serves as a downloader to retrieve a scriptlet from an external server, which then writes a PowerShell script to a file on disk and executes it.
The PowerShell script is responsible for contacting a command-and-control (C2) server and fetching next-stage PowerShell commands that allow the operators to augment the malware’s functionality in a modular fashion and carry out a wide range of actions on the compromised host –
- Antivirus detection, which obtains and reports the list of antivirus programs present on the infected system
- Screen capture, which captures screenshots on infected systems and transmits the resulting images to the C2 server
- Wallet grabber, which steals data from web browsers (and wallet extensions), application data for cryptocurrency wallet applications, and files containing passwords, sensitive strings, or wallet seed phrases
- Keylogger, which logs keystrokes and gathers clipboard content
- Information collection, which harvests and transmits information about the infected system and environment to the attacker
- Persistence, which creates a PowerShell script such that it’s automatically launched when the system restarts, incorporating the same logic used to establish the C2 polling process to fetch the modules
“The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Talos noted.
“The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed.”
The disclosure comes as Google said it’s leveraging artificial intelligence (AI) systems powered by large language models (LLMs) to fight invalid traffic (IVT) and more precisely identify ad placements generating invalid behaviors.
“Our new applications provide faster and stronger protections by analyzing app and web content, ad placements and user interactions,” Google said. “For example, they’ve significantly improved our content review capabilities, leading to a 40% reduction in IVT stemming from deceptive or disruptive ad serving practices.”
