Ethical Hacking News

New PS1Bot Malware Campaign Exploits Vulnerabilities to Launch Multi-Stage In-Memory Attacks via Malvertising


Recent cybersecurity research has uncovered a new malvertising campaign designed to infect victims with a multi-stage malware framework called PS1Bot. The campaign exploits vulnerabilities in its malvertising propagation vector and uses PowerShell and C# malware to deliver a compressed archive containing a JavaScript payload. This payload serves as a downloader: it retrieves a scriptlet from an external server, writes a PowerShell script to disk, and executes it. Read more about this new PS1Bot malware campaign in our latest article.

  • A new malvertising campaign has been discovered using PS1Bot malware framework.
  • The campaign exploits vulnerabilities in its malvertising propagation vector and uses PowerShell and C# malware to deliver a compressed archive with a JavaScript payload.
  • PS1Bot malware features stealthy design, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques.
  • The malware includes malicious activities such as information theft, keylogging, reconnaissance, and establishing persistent system access.
  • Google has announced the use of artificial intelligence (AI) systems to fight invalid traffic (IVT) and identify ad placements generating invalid behaviors.



  • A new malvertising campaign has been discovered, designed to infect victims with a multi-stage malware framework called PS1Bot. The campaign exploits vulnerabilities in its malvertising propagation vector and uses PowerShell and C# malware to deliver a compressed archive that contains a JavaScript payload. This payload serves as a downloader: it retrieves a scriptlet from an external server, writes a PowerShell script to disk, and executes it.

    The PowerShell script then contacts a command-and-control (C2) server to fetch next-stage PowerShell commands, allowing the attackers to augment the malware's functionality in a modular fashion. The PS1Bot malware features a stealthy design, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate the execution of follow-on modules without requiring them to be written to disk.

    The campaign has been identified as overlapping with previous ransomware-related campaigns utilizing a malware named Skitnet (aka Bossnet), with the aim of stealing data and establishing remote control over compromised hosts. The PS1Bot malware includes various malicious activities, such as information theft, keylogging, reconnaissance, and the establishment of persistent system access.

    The information stealer module uses wordlists embedded in the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, and then attempts to exfiltrate that data from infected systems. The modular nature of PS1Bot provides flexibility, enabling the rapid deployment of updates or new functionality as needed.

    The disclosure comes as Google announced its use of artificial intelligence (AI) systems powered by large language models (LLMs) to fight invalid traffic (IVT) and more precisely identify ad placements generating invalid behaviors. The AI-powered applications analyze app and web content, ad placements, and user interactions to provide faster and stronger protections.
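As an added example that is not part of the original article, the routine below flags the infection chain described above in process telemetry: a script host (running the JavaScript downloader) spawning PowerShell, with severity raised when that PowerShell process then opens outbound connections, as it would when fetching next-stage modules from C2. The Sysmon-style event shape, process IDs, paths and addresses are constructed assumptions, not data from the report.

```python
"""Flag the PS1Bot-style chain: a script host (the JS downloader) spawning
PowerShell, and that PowerShell process then making outbound connections."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample telemetry (not real data): Sysmon-like process-create
# (id 1) and network-connect (id 3) events, already parsed into dicts.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 410, "ppid": 300, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 501, "ppid": 410, "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"id": 1, "pid": 612, "ppid": 501, "image": "powershell.exe",
     "cmd": r"powershell.exe -ep bypass -w hidden -f C:\Users\u\AppData\Local\Temp\a.ps1"},
    {"id": 3, "pid": 612, "image": "powershell.exe", "dst": "203.0.113.10", "dport": 443},
    # Benign admin script launched from Explorer: must not be flagged.
    {"id": 1, "pid": 700, "ppid": 410, "image": "powershell.exe",
     "cmd": r"powershell.exe -f C:\scripts\backup.ps1"},
    {"id": 3, "pid": 700, "image": "powershell.exe", "dst": "192.0.2.5", "dport": 445},
]


def detect_script_host_to_powershell(events):
    """Return findings for PowerShell processes whose parent is a script host.
    Severity is 'high' when the same process also made an outbound connection."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    net = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            net[e["pid"]].append(f'{e["dst"]}:{e["dport"]}')
    findings = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if e["image"].lower() in POWERSHELL and parent and parent["image"].lower() in SCRIPT_HOSTS:
            finding = {"pid": e["pid"], "parent_cmd": parent["cmd"], "cmd": e["cmd"],
                       "connections": net.get(e["pid"], []), "severity": "medium"}
            if finding["connections"]:
                finding["severity"] = "high"  # downloader chain plus possible C2 traffic
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_script_host_to_powershell(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], f["cmd"], f["connections"])
```

Real telemetry would need the host name and process start time in the key, since PIDs are reused; the sample keys on PID only for brevity.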


    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-PS1Bot-Malware-Campaign-Exploits-Vulnerabilities-to-Launch-Multi-Stage-In-Memory-Attacks-via-Malvertising-ehn.shtml

  • https://thehackernews.com/2025/08/new-ps1bot-malware-campaign-uses.html


  • Published: Wed Aug 13 13:55:41 2025 by llama3.2 3B Q4_K_M