Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Severity: Medium
Published: Tue Aug 12 2025 (08/12/2025, 21:36:09 UTC)
Source: AlienVault OTX General

Description

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and uses in-memory execution techniques for stealth. Active since early 2025, PS1Bot's information stealer targets cryptocurrency wallets and employs wordlists to identify files containing passwords and seed phrases. The campaign overlaps with previously reported Skitnet activities and uses similar C2 infrastructure. Delivery involves compressed archives with obfuscated scripts, leading to PowerShell modules for antivirus detection, screen capture, data theft, keylogging, and system information collection. Persistence is established through startup directory manipulation.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 10:47:54 UTC

Technical Analysis

PS1Bot is a multi-stage framework implemented in PowerShell and C# and distributed primarily through malvertising, so the first contact with a victim is a deceptive advertisement rather than a phishing email. The infection chain begins with a compressed archive containing an obfuscated script; that script retrieves and runs PowerShell modules, each responsible for one task: antivirus detection (enumerating the security products present on the host), screen capture, information theft, keylogging, and system information collection. The modules execute in memory, so little is written to disk and file-based antivirus has few artifacts to inspect.

The information stealer is aimed at cryptocurrency wallets. It searches files against wordlists of terms associated with passwords and seed phrases, so credentials kept in ordinary text or document files are picked up as well as wallet data. Persistence is established through the Startup directory, so the malware is relaunched at each logon.

The campaign has been active since early 2025 and overlaps with previously reported Skitnet activity, including shared C2 infrastructure, which suggests the same operator or a shared toolset. Malvertising gives the campaign broad reach: anyone browsing a site that serves the malicious ads is a potential victim, regardless of sector. The modular design means new capabilities can be pushed as additional PowerShell modules without changing the initial loader.

Potential Impact

For European organizations the exposure is broadest for entities that hold or transact cryptocurrency, financial services firms, and any organization whose staff keep passwords or seed phrases in ordinary files, since the stealer's wordlist search is built to find exactly those. Keylogging and screen capture extend the risk beyond wallets to any credential typed or displayed on the infected host, and the reconnaissance and system-information modules give the operator a profile of each compromised machine.

Because delivery is by malvertising, exposure is a function of web browsing rather than of targeted phishing: remote and hybrid workers on loosely managed endpoints, and users who reach ad-supported sites from corporate devices, are the most likely initial victims. In-memory execution leaves few file artifacts for conventional antivirus, and Startup-directory persistence survives reboots, so an infection can remain unnoticed long enough to drain wallets and harvest credentials. The infrastructure overlap with Skitnet points to an operator that is still active and retooling, so continued or expanded campaigns against European networks should be expected.

Mitigation Recommendations

European organizations should layer defenses against the specific behaviours described above:

1) Reduce exposure to malvertising with web filtering, DNS filtering and ad-blocking at the browser or proxy, so the ad-delivered download is blocked before the archive reaches the user.
2) Deploy EDR that monitors PowerShell activity, and enable PowerShell Script Block Logging (Event ID 4104) and module logging so in-memory loaders leave a log record even when they leave no file.
3) Apply application control (for example AppLocker or WDAC) to block scripts and binaries launched from user-writable locations such as extracted archives, Downloads and Temp directories.
4) Hunt regularly for the persistence and execution patterns described above: new entries in the per-user and all-users Startup folders, shortcuts there that launch PowerShell or script hosts, and logged script blocks containing decoding or reflective-loading calls.
5) Train users to treat advertisement-driven downloads as hostile, in particular archives that claim to be software installers.
6) Keep cryptocurrency keys off general-purpose endpoints: use hardware wallets, and never store seed phrases or wallet passwords in plaintext files, which are exactly what the stealer's wordlist search is designed to find.
7) Feed the indicators below into EDR, proxy and DNS blocklists and re-check them as the pulse is updated.
8) Segment networks and force egress through a proxy that blocks direct-to-IP connections from user endpoints; the C2 indicators in this pulse are bare IP addresses, so a proxy-only egress policy denies them by default.

Combined with continuous monitoring and a rehearsed incident-response process, these measures reduce both the likelihood and the impact of a PS1Bot infection.
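The following hunt script is an added example, not code from the Talos report or the OTX pulse. It covers the two host-side behaviours the technical analysis describes and that recommendation 4 asks defenders to hunt for: persistence through the Startup folders and in-memory PowerShell execution. Everything in it is an assumption about what a practitioner would look for: the list of script extensions, the shortcut-target and argument patterns, and the regex of loader tradecraft (FromBase64String, Reflection.Assembly, and so on) are generic indicators, not signatures taken from PS1Bot samples. It expects an elevated PowerShell session, and the second check only returns results where Script Block Logging (Event ID 4104) is enabled.

```powershell
# Added hunting example; not code from the Talos report or the OTX pulse.
# Assumptions: script extensions, shortcut patterns and the loader regex below are
# generic tradecraft indicators, not PS1Bot signatures. Run elevated.

function Get-StartupFolderArtifacts {
    $dirs = @([Environment]::GetFolderPath('Startup'),        # per-user Startup folder
              [Environment]::GetFolderPath('CommonStartup'))  # all-users Startup folder
    # Script types that have no business in a Startup folder on a managed host.
    $scriptExt = '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta', '.wsf'
    $wsh = New-Object -ComObject WScript.Shell

    foreach ($dir in $dirs) {
        if (-not ($dir -and (Test-Path $dir))) { continue }
        foreach ($item in Get-ChildItem -Path $dir -File -Force) {
            $target = ''; $lnkArgs = ''
            if ($item.Extension -ieq '.lnk') {
                # Resolve the shortcut so a benign-looking .lnk that launches
                # powershell.exe with an encoded command becomes visible.
                $lnk     = $wsh.CreateShortcut($item.FullName)
                $target  = [string]$lnk.TargetPath
                $lnkArgs = [string]$lnk.Arguments
            }
            $suspicious = ($scriptExt -contains $item.Extension.ToLower()) -or
                          ($target  -match 'powershell|pwsh|wscript|cscript|mshta|cmd\.exe') -or
                          ($lnkArgs -match '-enc|-e |hidden|bypass|iex|downloadstring|frombase64')
            [pscustomobject]@{
                Check      = 'StartupFolder'
                Path       = $item.FullName
                CreatedUtc = $item.CreationTimeUtc
                Target     = $target
                Arguments  = $lnkArgs
                Sha256     = (Get-FileHash -Algorithm SHA256 -Path $item.FullName).Hash.ToLower()
                Suspicious = [bool]$suspicious
            }
        }
    }
}

function Get-InMemoryPowerShellEvents {
    param([int]$Days = 7)
    # Calls typical of loaders that decode and run a payload without touching disk.
    $patterns = 'FromBase64String', 'Reflection\.Assembly', 'Invoke-Expression', '\biex\b',
                'DownloadString', 'Net\.WebClient', 'Add-Type', 'VirtualAlloc'
    $regex = $patterns -join '|'
    try {
        $events = Get-WinEvent -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Microsoft-Windows-PowerShell/Operational'
            Id        = 4104
            StartTime = (Get-Date).AddDays(-$Days)
        }
    } catch {
        Write-Warning "No 4104 events available (script block logging off or log empty): $_"
        return
    }
    foreach ($ev in $events) {
        $text = [string]$ev.Properties[2].Value   # ScriptBlockText field of a 4104 event
        if ($text -match $regex) {
            [pscustomobject]@{
                Check   = 'ScriptBlock4104'
                Time    = $ev.TimeCreated
                Match   = $Matches[0]
                Snippet = ($text.Substring(0, [Math]::Min(160, $text.Length)) -replace '\s+', ' ')
            }
        }
    }
}

$results = @(Get-StartupFolderArtifacts) + @(Get-InMemoryPowerShellEvents)
$results | Format-Table -AutoSize -Wrap
```

Every Startup-folder entry is reported with its SHA-256, not only the ones flagged as suspicious, so the output can be compared against the hash indicators in this pulse and against a known-good baseline for the host; a shortcut whose target is a legitimate application but whose Arguments contain an encoded command is the case the resolution step is there to catch.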

Technical Details

Author: AlienVault
TLP: white
References: https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
Adversary: not attributed
Pulse Id: 689bb3c9004eca543a36d5fc
Threat Score: not set

Indicators of Compromise

IP addresses (16)

181.174.164.117
181.174.164.12
181.174.164.161
181.174.164.170
181.174.164.180
181.174.164.2
181.174.164.201
181.174.164.238
181.174.164.47
213.176.113.168
109.120.179.170
131.174.164.238
147.45.45.168
5.252.153.94
62.60.178.24
77.110.116.227

File hashes (128). The source lists them untyped; the grouping below is inferred from digest length.

MD5 (6)

1331e12e59aa729531fbfd44ae73fa3d
18f50c834765bd783de82ff0675a780e
6dc093e7f5c0986d371b1e22c97d2cab
7b20f4d5ab79cd5885535954a0110e24
87165a7e0f2c639ea1c0ceb2e9f7ec35
c33c0ccbda3c3a3b6ddc99f56a0aa405

SHA-1 (6)

17118d0d57653fca7b87eb369151702828ae72ad
42f7ef7388f1e6214ad6c359b4b8d4c7437f9241
4f7d098807be470637cb6926fff5ee0751d8b810
b4f8874ba735b15a1ca69a4c12d257d20d8a465c
d50a55e361b8584c3b57e741edc8f924753e0d1a
f6c23281f2948f2efde3e307b32606dc25deb787

SHA-256 (116)

01a94f7403e9e8cbe1cab08c4a1730e79e129d4c24193100292f69ed0d1979a9
048b2bafb871b586e895a0749ca74a6ebf47d1901b35730097c7a981d868772e
04b6a4c58ff8db639125a8277e7a3e8fb00100dd88f299896e24ac0fca928460
05d79a474dfe20fbb433806e215d78b31cf8574cd955588fb15cadbf720bf3c7
07b8120b557816182ea185e9d20b61445601c20c874761c41c4ab9a12d596886
0e415f71530b9d65e9804d8bc3fb12f53d26e6c27919db32c8a2924e437ecaa7
107afca60912befade2b9867167135da0a8658e6eb515330b064a9db73a562ac
14371c2993a31cdf39a8747a589e1eff365b7711a1d9fdfbc8b5273f397aa29e
190f954bcca561f829b56b6e3dfce7a0d9206eab6628ee55a04d0c2c4a45c83a
1b3e8dc1f493b8e9bd8cbe1aa948acef8e6aac41f480bff76075327dbe66652b
1c0f9d45e5fd0858eed93c36d9fb2ed8fd30a3fc9f0a58c1fa5c38bc32a9cf07
1e437075ff88f4ab33447a14683a9304dcb0bdb6cc52f2cff065f404a949e3fb
1e63e374ec0b11f361a1b051e4d123e3a2a10404ba81cfff912cbd4c96187297
1fe0138168469fb6d3f0f07f848499057d8990879d7ae2cddcd9345faa335dc7
21a56e1b10037c794a7eac52d71b063b76b0ff2e92af507d2f8d9f87402b721c
244e511e0699fe0b6722244dbe66026597bdf5b4369c9c66f846a3f49b438341
253ed51910d7835eafb1a21814f45520809ee6420c0a882b1c2d64487542652a
2616e7157017331e10f932ae45bccdde091c724aca5496b069b17fd42f952a4b
291700be999ed8d361e9418a3375353c384999afc42271affa7ecc395f137fc0
330a579ba3bb727a8c98079d127d6341c2ae8321f164c0b2050ed7d1dee4b588
33621b2d12a898e4a78b7e5e1dc59506a9fe3b0fb4fe2ff33c32795ea5b312a6
34804cb36531f1871c0a51e5163bfd639b97c7fe4d1604295c326e08e1afadd9
368b1fb562d913222a06b6c4ec5c9aa060b1c223a8acbfd747167c75856b16b0
36c3affc545476d2c5db29fcf9129849706ae41bd54894b7eb5dfe8c6b670b4b
3f97a1c386e14a44e7eb259858adec0bb1546fe59d3199595cb6c3d4d1988470
411f6444889d5bdba73cf7735f29a8fa971f80cb9d0464c8475d304bf22e94d5
41c8b2709640428746aca1e842d99db237a91f9cf948396303c8b73e90b785a0
42fe9d401dd68ddfde23e89a7a4c08125dc0aa121cdfe930589798a92b4262cf
453b93029be22447b4bf2925991f72a1b063c753c85e230e44ee1ab382b338ea
45ba535ccd969263b74ddc571efe3ae023fba2b9567ac272967f92e799c7f83c
48eb1c7586732005ab6da8644e550c7aa75fa382d1cc27e82ed43ca953604078
49f323dbe82ec8452b8e205bc7aa0925bc9f48f2b4ebf66e3c54a9e3b08d5be5
4dbd1bf6a07b97cb14cd4e2d78d09bc3561f225b64f99dc40774959e6bd9de21
58b4d06da885b9e373516b560d4e8ea87a7281f19bebf547100950e41511d67e
5980798820124788c99dbbfa6da0e3a1b8bd5e8f18804a2a0bee6d0bc119c685
5afbfd477f803d1b0de651c1a16ffb7c698ba4033258276b8e19bfa749b3ffb5
5bba8e7b6f31b3bdd2db9562b327e5e464867aeb436c268957ecee9690db181d
5c569c68ec4085607b7c23854105a9255dd4290c8ed43f1d95141f77db4e4781
5c983b71d035b05aba30778804bd6a2db6a9e00b1e186083813cf6ae513f89f6
64c6bfb31a340464a99acb4c51680070e470ca649ff29f5db26954bf13963b26
6669f4a455f5c71667f5f8b0e0d627f1398e15112e08277205a883487c189603
6bf52b79adbd2b79118700810b8437e2ec2e5e19d599e4e068c8f6f0d76ffc1a
705b51c3ccd0bd375a65fa1e80acfef80709b50b2a7d54b487309f49e9a92f11
70da9f738fcc760986e0ed4f76f84800d3a038f672c64683a1d5323043da76e9
7270dfd6bd579283f4f2cb5654de644491d29812109ae51a71886241cb824395
7377c7e3daa3c0d3cfd941c6cb0e27271dd2acbc0737c472b609861b0bf44a5f
76e60c2bad2d4ff20845dc9b4fc969fda6be34531ead2e53568b917fc815ae36
780ea1c97bbfe745628415aa0049c9febfcf56857a3482e910289ff229e6b7f5
7abafcb21b1f7fd4c07b54c3ca99912caaacfc0e8e7330631d62247faede6ada
7b89423831873906aa3f28507d1adbcca92b37dbb8a9be4f2d753ebc31467f33
7c5f964dda057e8f5bc7f81204bfb3f607191e7250cc60eb0c0fd69ee83f62c2
809f4ffef71ab43d692d4fececf1dfefffb0854ae1f15486960b1c198c47c69f
84147b1bd16218d165b5fc6b72040a69f10fdc9c654ca056e997cec18638b4ff
87d493b325177b038f068819b9efbdaf7596e252cc0cdc421b831226e9e20500
89b0f2496b6200d93e1734bf586bcf67473e0437a3301403e6708f58ade9cbe6
8a1b2bee78a30f2f119a37a0e024b47fb21572f6f7e02444302889fc1bd75686
8e7241ba98618ccb4ca015f3673704a8df9cd8de5aa2e8a287e565479755567b
90588fa7721cc3a381ec2353299beeb9918766ee38cfbf95bac45e15ef84d81c
90a81e6dd69c7f01bbd6bf74e259a1374bfe362bd23445532cf8d044b9739f8b
9304ff7136c030896973b0192c3ff02d47daaae9aa04db80a980df5c8eaffd91
943964e8eec89f1b8cb16c0cb813e0253529f47b60b2ecdef5afb4b0abd0d511
94a7a0ad7ba79bccbdbfd542269b20fae67df35e05537106e91aed6f2553d088
9a5685effadb8c63cea8b14115402ad3cfe721984b68726f8afd4f4b38e00a8b
9b3a0f109f96dbc74f65cf464cdc92760c1aaec1cda55d5bf39e6359bebbfedf
9cc1657fa9f056a7b34009c71d376f9af41e3b2505e0e3ecca536c806c5eeda4
a2cca39a4bcd12b6213334d7bc7cfced07636d24a760b7a8e39f05b85bf86caf
a3730e2dbcaf2bd3dea2c57c945175480577fe00ed5ece7a16f53fc2b2a36869
a8020170bc2d83cc7cdf86e1b729a8874d287d1c5ba4d9515bf45b04a1558b7a
a8cd019b2e762ac277a282eac9dc4507ab1fd81d47b37d0d404469a95f0be4a3
abfb7c3c3ea828bf85874c596cac17770668abb28734cbeec67dc8c958afd340
af339fc0bc2ac4f7618021c9560586164d55c8aa5fa1d1ac740e30739c0ff425
b3c7b3bf625fdce478c0e5def4ab43f8d9e427dfacac7d37f143b3aae0050118
b432adc819e6b5b65004956929dc843cf4cee3ff6dc54687d50268d36ba6a81f
b5a97bc726b26c05d76eb6c51505d1e3fe18eeb7177e2be25854e6d84bda7a02
b5e59c233b825cceaf03b8e902ebdc4d608a3c3d0ee35a092ef8c17fcb48e6f7
b6fb6849c14dddef78c58c62878d3c67f85f81c663a3614992eda616cf36f25c
b82710fc1422c5d94c68999e4fa9f90bf49ec7927636eb12be5933ef0690f354
b9866a44469d7855d114ddfc1b9bdad347ddec6dfcd5c4878367580e40be87df
b9caa844b3d72842f37a57dffc25df3fe1f6083f93295c2fbed0b0281c2652c3
b9f5dc18641151bf70bab31f2acd3409bc149ca8ff9fcb4edd8e20c0311157bd
ba3aed3af58569b8bf6bafbd360aa73bc777e81ee2783b7b0dcb956ea6b82df0
bccd81dc5e2c8eafbf8062561b40f77d63c9f498bd20723d9cd68e1526171b79
c025ff463278744795798abc7ed404f38cf167a447cbd4c0fde7f9a4b2dd0ccc
c09dffd32f233b9d65fe73432cfa29c1de9ea56cfd2f42b985f5e0cccfc0aa4f
c1c5e249919865658403854397a6b62593ee6ab99f4a20ea8ae1e03f1fac5e71
c2a0e65177b941424183f97329fa78bd28696aa928e3a26b7a58088e44e3e4f6
c35ec5aea53b2591e7ee8cf89da86c7a44ca1f333b206c8f33b078c8ddbe4fa9
c52f4f652442ff142c00989e919f43387fb4779964fadc458ec80886727e55be
c64a9e869ad8b210338e462db7bbb9de8c1288a9de3cecc9437666d75821429c
c75d16ef197ddc7241abc712ccb7981ca7817f5761f9f8f986fd8b9fb7036256
ca4e3ab9ea7b85ba81e0141fee19c67d91832155a11c0b378e58749010ff243b
cab6a14f345a6a8404160825d91240ba24c6dccaca6b90da096f05406fcb4935
cd58d6d9065c112293f15ae8bbd2002e88f258e8bee38297903d1ca9025d05a6
cd875cd6c18697b401e0ed103e1d9a5f2d047ec22fa2b772fe3c4dfec6952151
d0141a341f816d3493919524be6e025ccbb04f114a7789d982d35b40b0f7ba63
d2a9a3fdf016e9f0f32671d2dfdfe5fa6f66541822d6c0278ccf8ce9eba94db8
dab22465284356186a3de1ea470f2721e0ac18a84a072ae7dd83f06ca3efb25b
de5022893af502a25ae5f37cfa80783df798d578bb5d69facfd631055cd0f2b5
e3c943ad9ff6a43c88b7d977f207b85c8c2cfd0c69d582e748cf58419d5bc188
e899206a07b322cb69f659a112fd508911bd92be40cfcef4773fcf8b43ce93f9
e95d9c7b29714bb4c880c3417707b2f3da9ad52f65bcf288baa27dd2c8a54c9a
ec513db1dcd045444fb7282f382786d91ed3357d254797afacec8b7bab1f5070
ecb7133e5c2338a74f1f9e836edcb9218a82dcfc83c85cec8f49903246783e48
ee2385867241917960d21cc66b9c58aab8a62d2b203f725458771b3ee7794c80
ee726c64a82244cb65a6a0a768e5fe7032cb5d0897296418ce91f3b561726586
ef9456ada1d93e7cfc1750be1afd68807d532b6e893edd5ad79f016affd29dd0
f010ec8d2ab7b702870ee029aec16c0fdfe64a40f872f36dcb94ae7bc62a4638
f1414ace7527119aa69ea6c18de4d3ae073a306c9c3d63cd1d279059a5077bc4
f41538620ce33c25984032ddcfa339bd1e0dd6b4e7c97688dd7bebb310837716
f5d72181c6b7b8054244a40e6ade96fbb2d6968a132fddee082846b8ca4dc102
f74fac3e5f7ebb092668dc16a9542799ccacc55412cfc6750d0f100b44eef898
f966b7fa2ad4efc87cebb2fe2ac1fcbb21ef22b945dbd44aea9706791537b671
f9a2c3d1b3244b0f38601e26f36d46b8d93b7b3df5e6fd1703e7c5afed8375b9
fab53f1bceaeedb7f84a031346a0ef840328cd28aeb984e34f2434a9d3475237
fdb7373fdcdb59b744e5b4e8369a2ba1c210449aa63dccde3f3546c790701804
ff2933aa3eb4b43ad93e798feec1d3699ce7b75497ed893942e742b3d2514b67
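The sweep below is an added example, not code from the OTX pulse or the Talos report, showing how to turn the indicator list above into a host check. It assumes the list has been saved to .\ps1bot-iocs.txt with one value per line, with or without the 'ip'/'hash' type word glued to the front of each value, so the list can be pasted in either form; the file name, the directories swept (Temp, Downloads and both Startup folders) and the length-based hash typing are all assumptions of this example. Run it elevated so the all-users Startup folder and other users' connections are readable.

```powershell
# Added IOC sweep example; not code from the OTX pulse or the Talos report.
# Assumptions: indicator list in .\ps1bot-iocs.txt (one value per line, with or
# without a leading 'ip'/'hash' type word), hash type inferred from digest length,
# sweep limited to user-writable locations where an archive-delivered loader lands.
param(
    [string]$IocFile = '.\ps1bot-iocs.txt',
    [string[]]$SweepDirs = @($env:TEMP, "$env:USERPROFILE\Downloads",
                             [Environment]::GetFolderPath('Startup'),
                             [Environment]::GetFolderPath('CommonStartup'))
)

function Import-IocList {
    param([string]$Path)
    $ioc = @{}
    foreach ($k in 'Ip', 'MD5', 'SHA1', 'SHA256') {
        $ioc[$k] = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    }
    foreach ($raw in Get-Content -Path $Path) {
        # Drop a leading 'ip'/'hash' type word; a hex digest can never start with i, p or h.
        $v = ($raw.Trim() -replace '^(ip|hash)', '').ToLower()
        if ($v -eq '') { continue }
        if ($v -match '^\d{1,3}(\.\d{1,3}){3}$') { [void]$ioc.Ip.Add($v); continue }
        if ($v -notmatch '^[0-9a-f]+$') { Write-Warning "Skipping unrecognised indicator: $raw"; continue }
        switch ($v.Length) {
            32      { [void]$ioc.MD5.Add($v) }
            40      { [void]$ioc.SHA1.Add($v) }
            64      { [void]$ioc.SHA256.Add($v) }
            default { Write-Warning "Skipping hex value of unexpected length: $raw" }
        }
    }
    return $ioc
}

function Find-IocHits {
    param($Ioc, [string[]]$Dirs)
    $hits = [System.Collections.Generic.List[object]]::new()

    # File hashes: only compute the digest types that the list actually contains.
    $algos = @('MD5', 'SHA1', 'SHA256') | Where-Object { $Ioc[$_].Count -gt 0 }
    foreach ($dir in $Dirs | Where-Object { $_ -and (Test-Path $_) }) {
        foreach ($f in Get-ChildItem -Path $dir -File -Recurse -Force -ErrorAction SilentlyContinue) {
            foreach ($algo in $algos) {
                $h = (Get-FileHash -Algorithm $algo -Path $f.FullName -ErrorAction SilentlyContinue).Hash
                if ($h -and $Ioc[$algo].Contains($h)) {
                    $hits.Add([pscustomobject]@{ Type = "File/$algo"; Indicator = $h.ToLower(); Where = $f.FullName })
                }
            }
        }
    }

    # Live TCP connections and cached DNS answers that point at a listed C2 address.
    foreach ($c in Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        if ($Ioc.Ip.Contains([string]$c.RemoteAddress)) {
            $hits.Add([pscustomobject]@{ Type = 'Connection'; Indicator = $c.RemoteAddress
                                         Where = "PID $($c.OwningProcess) ($($c.State))" })
        }
    }
    foreach ($d in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        if ($d.Data -and $Ioc.Ip.Contains([string]$d.Data)) {
            $hits.Add([pscustomobject]@{ Type = 'DnsCache'; Indicator = $d.Data; Where = $d.Entry })
        }
    }
    return ,$hits
}

$ioc  = Import-IocList -Path $IocFile
Write-Host ("Loaded {0} IPs, {1} MD5, {2} SHA-1, {3} SHA-256" -f
            $ioc.Ip.Count, $ioc.MD5.Count, $ioc.SHA1.Count, $ioc.SHA256.Count)
$hits = Find-IocHits -Ioc $ioc -Dirs $SweepDirs
if ($hits.Count -eq 0) { Write-Host 'No indicator matches.' } else { $hits | Format-Table -AutoSize -Wrap }
```

A file-hash match is strong evidence because the listed digests identify specific samples, whereas a connection or DNS match against a bare IP address can be a shared host and should be confirmed against the owning process before escalating. Hash matching against a fixed list only catches samples already known to the pulse; the behavioural hunt under Mitigation Recommendations is the complementary check for new builds.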

Threat ID: 689c69d2ad5a09ad00406958

Added to database: 8/13/2025, 10:32:50 AM

Last enriched: 8/13/2025, 10:47:54 AM

Last updated: 8/17/2025, 9:09:32 AM