On Going Malvertising Attack Spreads New Crypto Stealing PS1Bot Malware

Source: https://hackread.com/malvertising-attack-crypto-stealing-ps1bot-malware/

The reported security threat involves an ongoing malvertising campaign distributing a new cryptocurrency-stealing malware named PS1Bot. Malvertising, or malicious advertising, is a technique where attackers inject malicious code into legitimate online advertising networks or websites, which then deliver malware to users visiting those sites. PS1Bot is designed specifically to target cryptocurrency assets by stealing wallet credentials, private keys, or other sensitive information related to cryptocurrency holdings. The malware likely uses PowerShell scripts (indicated by the 'PS1' prefix) to execute its payload, which is a common tactic for evading traditional antivirus detection and leveraging native Windows scripting capabilities. While detailed technical indicators and affected software versions are not provided, the attack vector through malvertising suggests a broad and opportunistic distribution method, potentially affecting any users who visit compromised or maliciously injected websites. The campaign is currently active, but there are no known exploits in the wild beyond the malvertising distribution method itself. The discussion and visibility of this threat remain limited, with minimal community engagement on Reddit, but the source is recent and considered newsworthy due to the malware's focus on cryptocurrency theft, a high-value target for cybercriminals.

Reddit InfoSec News

Detailed information about On Going Malvertising Attack Spreads New Crypto Stealing PS1Bot Malware. Get real-time updates, technical details, and mitigation str

On Going Malvertising Attack Spreads New Crypto Stealing PS1Bot Malware - Live Threat Intelligence - Threat Radar | OffSeq.com

On Going Malvertising Attack Spreads New Crypto Stealing PS1Bot Malware

Reddit Discussion: On Going Malvertising Attack Spreads New Crypto Stealing PS1Bot Malware

A vulnerability was determined in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/currency.php. The manipulation of the argument curr_code leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-8982 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The flaw exists in the /admin/operations/currency.php file, specifically through the manipulation of the 'curr_code' parameter. This parameter is vulnerable to injection of malicious SQL code, allowing an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database. The vulnerability does not require any user interaction or privileges, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is low to limited, suggesting that while the attacker can manipulate some data or extract information, the scope and severity of damage are somewhat constrained. No patches or fixes have been published yet, and no known exploits are reported in the wild, but the exploit details have been publicly disclosed, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche online tour and travel management system used primarily by travel agencies or related businesses to manage bookings, currency operations, and other administrative tasks.

CVE Database V5

Detailed information about CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System affecting itsourcecode Online Tour and Travel M

CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System

A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /admin/operations/payment.php. The manipulation of the argument payment_type leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVE-2025-8981 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The flaw exists in the /admin/operations/payment.php file, specifically through the manipulation of the 'payment_type' parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject malicious SQL code remotely without any authentication or user interaction. Exploiting this vulnerability could enable an attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has been publicly disclosed, increasing the risk of exploitation, although no known exploits are currently reported in the wild. The CVSS v4.0 base score is 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction required. The vulnerability impacts confidentiality, integrity, and availability to a limited extent due to the partial impact metrics (low to medium). Since the affected software is a niche online tour and travel management system, the scope of affected systems is limited to organizations using this specific product version.

Detailed information about CVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System affecting itsourcecode Online Tour and Travel M

CVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System

The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 has allowBackup=true set in its manifest, allowing data exfiltration via ADB backup on rooted or debug-enabled devices. This presents a risk of user data exposure.

CVE-2025-50862 is a vulnerability identified in the Lotus Cars Android application (package name com.lotus.carsdomestic.intl), specifically version 1.2.8. The core issue stems from the app's Android manifest configuration where the attribute allowBackup is set to true. This setting permits the app's data to be backed up and restored using Android Debug Bridge (ADB) backup functionality. While this feature can be useful for legitimate backup purposes, it introduces a significant security risk when devices are either rooted or have debugging enabled. In such scenarios, an attacker with physical or remote access to the device and ADB capabilities can extract sensitive user data from the app by initiating a backup operation. This data exfiltration vector bypasses normal app sandboxing protections, potentially exposing confidential user information stored within the app's private data directories. The vulnerability does not require the app itself to be exploited remotely but depends on device-level conditions such as rooting or debug mode activation. There are no known public exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The absence of a patch or mitigation guidance from the vendor further emphasizes the need for awareness and proactive defensive measures. This vulnerability highlights the risks of insecure app manifest configurations that inadvertently expose sensitive data through legitimate Android system features.

Detailed information about CVE-2025-50862: n/a. Get real-time updates, technical details, and mitigation strategies.

CVE-2025-50862: n/a - Live Threat Intelligence - Threat Radar | OffSeq.com

CVE-2025-50862: n/a

A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/operations/expense.php. The manipulation of the argument expense_for leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

Detailed information about CVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System affecting itsourcecode Online Tour and Travel M

CVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System

CVE-2025-8983: SQL Injection in itsourcecode Online Tour and Travel Management System

Description

Technical Details

Related Threats

CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System

CVE-2025-8981: SQL Injection in itsourcecode Online Tour and Travel Management System

CVE-2025-50862: n/a

CVE-2025-50861: n/a

CVE-2025-8978: Insufficient Verification of Data Authenticity in D-Link DIR-619L

Actions

External Links

Need enhanced features?

Latest Threats

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility