- Researchers identified a new malvertising campaign spreading the modular PS1Bot Malware.
- PS1Bot can steal data, log keystrokes, perform reconnaissance, and maintain access to infected systems.
- The malware uses in-memory execution to avoid leaving evidence and is linked to PowerShell and C# code.
- Attackers deliver the malware through fake ads and compromised search results, targeting users interested in cryptocurrency.
- Google has introduced AI tools using large language models to better detect invalid ad traffic and reduce threats.
Cybersecurity researchers have detected a new digital attack distributing a malware framework called PS1Bot using online advertisements. The campaign has been ongoing since early 2025, targeting users through deceptive ads and search links to install PS1Bot, which allows attackers to steal information and gain long-term system access.
PS1Bot carries out several malicious actions, including keylogging, taking screenshots, collecting sensitive data, and maintaining access on infected devices. Cisco Talos researchers say the malware works in stages and uses both PowerShell and C# to execute its modules without saving files to disk, reducing its forensic footprint.
“PS1Bot features a modular design, with several modules delivered used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance, and the establishment of persistent system access,” stated researchers Edmund Brumaghin and Jordyn Dunk. They noted that the attack begins when a user downloads a compressed ZIP archive from a malicious ad or search link containing JavaScript, which then downloads more code and executes a PowerShell script to contact remote servers.
The malware can detect antivirus tools, steal wallet and password data, take screenshots, log keystrokes, and create scripts that automatically run whenever the system restarts. “The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems,” Cisco Talos noted. The group behind PS1Bot has used similar tactics and code to previous attacks involving Ransomware and the Skitnet (also known as Bossnet) malware.
The flexible construction of PS1Bot allows attackers to quickly update modules or add new features for future campaigns. This threat highlights ongoing risks in the cryptocurrency space, as criminals remain focused on targeting wallet credentials and sensitive personal information through highly adaptive malware.
Meanwhile, Google says it is using Artificial Intelligence and large language models to improve detection of fraudulent ad activity. In a recent blog post, Google reported that its new AI-driven methods have improved content review and led to a 40% reduction in invalid traffic caused by deceptive or disruptive ads. More details are available in their announcement on fighting invalid ad traffic.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Shiba Inu Targets 1,000% Rally as Shibarium Hits $1.5B Milestone
- Theta EdgeCloud, Marseille Launch Ligue 1’s First AI Fan Assistant
- Pudgy Penguins CEO’s Instagram Hacked to Promote $IGLOO Token
- Bitcoin Nears Record Highs, $500M Liquidated as Volatility Surges
- DeFi Liquidations Spur More Borrowing, Study Finds—Not Less
