Cybersecurity researchers have discovered a new Malvertising campaign designed to infect victims with a multi-stage malware framework called PS1BOT.
“The PS1bot has a modular design, and several modules are delivered and used to perform a variety of malicious activities on infected systems, including information theft, key logs, reconnaissance, and establishment of permanent system access.”
“The PS1bot is designed with stealth in mind, minimizing persistent artifacts remaining on infected systems, and incorporates in-memory execution technology to facilitate the execution of subsequent modules without requiring them to be written to disk.”
The campaign to distribute PowerShell and C# malware has been known to be active since early 2025, leveraging fraud as a propagation vector, and the infection chain runs modules in memory to minimize forensic trails. PS1BOT is evaluated to share technical overlap with AHK bots, an automatic hotkey-based malware previously used by threat actor Asylum Ambuscade and TA866.
Additionally, activity clusters have been identified as overlapping with previous ransom-related campaigns using malware named SkitNet (aka BossNet) with the aim of stealing data and establishing remote control for compromised hosts.
The starting point for the attack is a compressed archive delivered to victims via fraud or search engine optimization (SEO) addiction. What resides in the zip file is a JavaScript payload that acts as a downloader for obtaining scriptlets from an external server that writes and runs a PowerShell script to a file on disk.
The PowerShell script is responsible for contacting the Command and Control (C2) server and getting the next stage PowerShell command that allows the operator to augment the malware’s functionality with modular fashion and allow the operator to perform a wide range of actions on the compromised host –
Antivirus detection, which retrieves and reports a list of antivirus programs present in the screen capture of an infected system, captures a screenshot of an infected system and sends the resulting image to a C2 server wallet grabber. Keystrokes and Collect Clipboard Content Information Collection harvests and sends information about infected systems and environments to the attacker’s persistence. This creates a PowerShell script, which automatically starts up on restart, and incorporates the same logic used to fetch modules with the same logic used to establish the C2 polling process.
“The implementation of the Information Steeler Module utilizes the word list embedded in the Steeler to enumerate the passwords and seed phrases that can be used to access the cryptocurrency wallet.
“The modularity of this malware implementation provides flexibility and allows for rapid deployment of updates or new features as needed.”
This disclosure comes when Google says it leverages artificial intelligence (AI) systems powered by a large language model (LLM) to combat invalid traffic (IVT) and identifies ad placements that produce invalid behavior more accurately.
“Our new applications provide faster and stronger protection by analyzing apps and web content, ad placement and user interaction,” Google said. “For example, we have significantly improved our content review capabilities, leading to a 40% reduction in IVT due to deceptive or destructive advertising services.”
Source link
