PS1Bot Malware Spreads via Malvertising in Stealthy Multi-Stage Attacks

Security experts have uncovered a new malvertising campaign delivering PS1Bot, a modular malware framework capable of keylogging, data theft, reconnaissance, and maintaining persistent access. Designed for stealth, PS1Bot uses in-memory execution to avoid leaving detectable traces on infected systems.

Active since early 2025, it spreads primarily through malicious ads and SEO poisoning, sharing technical traits with AHK Bot, which has been linked to groups like Asylum Ambuscade and TA866. Some activity overlaps with ransomware campaigns that previously deployed the Skitnet (Bossnet) malware for data theft and remote control.

Attacks begin with a ZIP file containing JavaScript that downloads further scripts, ultimately executing a PowerShell payload that contacts a command-and-control (C2) server. This lets operators deliver specialized modules for detecting installed antivirus products, capturing the screen, stealing cryptocurrency wallets, logging keystrokes, and profiling the system. Persistence is achieved through scripts that relaunch on reboot and re-establish communication with the C2 server. The malware's modular design allows threat actors to rapidly adapt and expand its capabilities.
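The chain described above (script host launched from an extracted ZIP, spawning PowerShell for hidden or in-memory execution, then dropping a relaunch script for persistence) maps neatly onto process-creation telemetry. The following is an added detection example, not code from the original article or from the researchers who analysed PS1Bot: it walks a constructed set of Windows process-creation events and flags the parent/child and command-line patterns a defender would hunt for. The event fields, the sample command lines and the flag patterns are assumptions for illustration, not PS1Bot indicators of compromise.

```python
"""Flag a script-host -> PowerShell chain and a Startup-folder persistence hint
in constructed process-creation events (added example; fields and samples are
assumptions, not indicators taken from the PS1Bot campaign)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell switches that hide the window or run code without a script on disk.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b"
    r"|\biex\b|invoke-expression|downloadstring)"
)
# Locations where a user-opened ZIP attachment is typically extracted.
ARCHIVE_PATHS = re.compile(r"(?i)(\\Temp\\|\\Downloads\\|\\AppData\\Local\\Temp\\)")
# A script copied here relaunches at every logon.
STARTUP_PATH = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Return a list of findings, each {'pid': int, 'reasons': [str, ...]}."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)

        # Stage 2 -> stage 3: a script host (running the JavaScript dropper)
        # spawns PowerShell.
        if img in POWERSHELL and parent and basename(parent.image) in SCRIPT_HOSTS:
            reasons = ["script host spawned PowerShell"]
            if ARCHIVE_PATHS.search(parent.cmdline):
                reasons.append("script launched from download/temp path")
            if SUSPICIOUS_PS_FLAGS.search(e.cmdline):
                reasons.append("hidden/in-memory execution flags")
            findings.append({"pid": e.pid, "reasons": reasons})

        # Persistence: a shell or script host writing into the Startup folder.
        if img in POWERSHELL | SCRIPT_HOSTS | {"cmd.exe"} and STARTUP_PATH.search(e.cmdline):
            findings.append({"pid": e.pid, "reasons": ["persistence: Startup folder referenced"]})
    return findings


# Constructed sample telemetry: one malicious chain plus one benign PowerShell run.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c copy stage.ps1 "C:\Users\alice\AppData\Roaming\Microsoft'
              r'\Windows\Start Menu\Programs\Startup\"'),
    # Benign: an administrator running a script directly from Explorer.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
]


if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: " + "; ".join(f["reasons"]))
```

The parent/child rule matters more than any single flag: a legitimately signed `powershell.exe` run from a script host that was itself started from a Temp folder is the shape of this chain regardless of what the encoded payload contains, which is why the detector reports the relationship first and the command-line flags only as supporting evidence. The benign event (pid 500) is deliberately included so the logic shows it does not fire on PowerShell launched from Explorer.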
