New PS1Bot Malware Campaign Leverages Malvertising for Multi-Stage In-Memory Attack Deployment

Cybersecurity researchers have identified a new malvertising campaign aimed at infecting victims with a sophisticated multi-stage malware framework known as PS1Bot. This malware features a modular design, enabling the delivery of various modules that execute a range of malicious activities on compromised systems, including information theft, keylogging, reconnaissance, and establishing persistent access. Cisco Talos researchers Edmund Brumaghin and Jordyn Dunk noted that PS1Bot is engineered for stealth, minimising persistent artifacts on infected systems and employing in-memory execution techniques to run follow-on modules without writing them to disk. Active since early 2025, these campaigns utilise malvertising as a propagation vector, with infection chains designed to execute modules in memory, thereby reducing the forensic footprint.

The attack typically begins with a compressed archive delivered to victims through malvertising or search engine optimisation (SEO) poisoning. Inside the ZIP file lies a JavaScript payload that acts as a downloader, retrieving a scriptlet from an external server. This scriptlet writes a PowerShell script to disk and executes it; that script then contacts a command-and-control (C2) server to fetch subsequent PowerShell commands. These commands extend the malware’s functionality, enabling actions such as detecting installed antivirus software, screen capture, wallet data theft, keylogging, and information collection. Additionally, the persistence module creates a PowerShell script that ensures the malware is automatically launched upon system restart, reusing the same C2 polling logic. The information stealer module is particularly notable for using embedded wordlists to identify files containing passwords and seed phrases for cryptocurrency wallets.
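The hand-off in the chain above, a JavaScript file run by a Windows script host that spawns PowerShell to execute a script written to disk, is a parent-child relationship that process-creation telemetry can surface. The following detection sketch is an added example, not code from the article or from Cisco Talos; the event shape, file paths and command lines are constructed for illustration and are not indicators from the campaign.

```python
"""Flag a script-host -> PowerShell chain in constructed process telemetry.

Rule: wscript.exe or cscript.exe launched with a .js argument spawns
powershell.exe/pwsh.exe whose command line runs a .ps1 file. Event tuples
are (pid, ppid, image, command_line); all values below are constructed."""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (pid, ppid, image, command_line)
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    # JS downloader extracted from a ZIP, run by the script host
    (200, 100, "wscript.exe",
     'wscript.exe "C:\\Users\\u\\Downloads\\invoice\\Invoice.js"'),
    # PowerShell child executing the script the scriptlet wrote to disk
    (300, 200, "powershell.exe",
     "powershell.exe -ep bypass -w hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"),
    # Benign admin script: JS run, but no PowerShell child
    (400, 100, "wscript.exe", 'wscript.exe "C:\\Tools\\cleanup.js"'),
    # Benign PowerShell: parent is explorer, not a script host
    (500, 100, "powershell.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
]


def image_name(path_or_cmd):
    """Lower-cased file name of an image path (handles / or \\ separators)."""
    return path_or_cmd.replace("/", "\\").split("\\")[-1].lower()


def find_script_host_to_powershell(events):
    """Return (host_pid, powershell_pid) pairs matching the chain rule."""
    by_pid = {e[0]: e for e in events}
    hits = []
    for pid, ppid, image, cmd in events:
        # Only PowerShell children that execute an on-disk .ps1 are of interest
        if image_name(image) not in POWERSHELL or ".ps1" not in cmd.lower():
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        _, _, parent_image, parent_cmd = parent
        if image_name(parent_image) in SCRIPT_HOSTS and ".js" in parent_cmd.lower():
            hits.append((parent[0], pid))
    return hits


if __name__ == "__main__":
    for host_pid, ps_pid in find_script_host_to_powershell(EVENTS):
        print(f"suspicious chain: script host pid {host_pid} -> powershell pid {ps_pid}")
```

The rule deliberately ignores PowerShell started directly from explorer and JavaScript that never spawns PowerShell, so only the chain the article describes is reported; in a real deployment the same logic would run over Sysmon event ID 1 or EDR process events rather than a static list.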

Categories: Malvertising Campaigns, Modular Malware Frameworks, Information Theft Techniques 

Tags: Malvertising, PS1Bot, Modular Design, Information Theft, Keylogging, Command-and-Control, Persistence, PowerShell, Cryptocurrency, In-memory Execution 
