<h1>Malvertising Campaign Deploys Modular PowerShell Malware PS1Bot</h1>
<p>Published 2025-08-15 by henry. Source: https://ft365.org/index.php/2025/08/15/malvertising-campaign-deploys-modular-powershell-malware-ps1bot/</p>
<div id="cphContent_pnlArticleBody" data-layout-id="2" data-edit-folder-name="text" data-index="0">
<p>An ongoing malware campaign active throughout 2025 is using malvertising to deliver a sophisticated PowerShell-based framework.</p>
<p>According to Cisco Talos researchers, the malware is named “PS1Bot” due to its similarities with the AHK Bot malware family. It deploys multiple malicious modules capable of stealing sensitive information, logging keystrokes, capturing screens and maintaining persistence.</p>
<p>The infection chain begins when victims download a compressed archive from a malicious advertisement or search engine optimization (SEO) poisoning link.</p>
<p>The archive contains a JavaScript file, “FULL DOCUMENT.js,” embedded with VBScript. Once executed, it retrieves a PowerShell script that polls a command-and-control (C2) server for further modules. These are executed in memory, reducing forensic traces.</p>
<p>Talos has identified distinct modules performing:</p>
<ul>
<li>Antivirus detection</li>
<li>Screen capture</li>
<li>Cryptocurrency wallet and browser data theft</li>
<li>Keylogging and clipboard monitoring</li>
<li>System information gathering</li>
<li>Persistence</li>
</ul>
<p>Each module reports status updates to the attacker via HTTP requests.</p>
<p>Notably, the “grabber” module targets dozens of web browsers and cryptocurrency wallet extensions, searching local drives for files containing wallet seed phrases or passwords before compressing and exfiltrating them.</p>
<p>The screen capture tool compiles and runs C# code at runtime to generate JPEG screenshots, which are later encoded and sent to the C2 server. The keylogger uses Windows API hooks to capture keystrokes and mouse events, alongside clipboard contents. Persistence is achieved by creating PowerShell scripts and shortcuts that reinitiate the C2 loop on system startup.</p>
<p>While Talos has not observed the Skitnet binary directly, overlaps in infrastructure, module design and URL construction suggest links to campaigns distributing Skitnet/Bossnet.</p>
<p>The researchers also note architectural similarities to AHK Bot, including using drive serial numbers to build C2 paths and a modular design enabling rapid updates.</p>
<p>Talos has assessed that additional, undiscovered PS1Bot modules likely exist. The malware’s flexible framework and active development indicate it will continue evolving as attackers adapt its capabilities.</p>
</div>