
Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Severity: Medium
Published: Tue Aug 12 2025 (08/12/2025, 21:36:09 UTC)
Source: AlienVault OTX General

Description

A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and uses in-memory execution techniques for stealth. Active since early 2025, PS1Bot's information stealer targets cryptocurrency wallets and employs wordlists to identify files containing passwords and seed phrases. The campaign overlaps with previously reported Skitnet activities and uses similar C2 infrastructure. Delivery involves compressed archives with obfuscated scripts, leading to PowerShell modules for antivirus detection, screen capture, data theft, keylogging, and system information collection. Persistence is established through startup directory manipulation.

AI-Powered Analysis

AI analysis last updated: 08/13/2025, 10:47:54 UTC

Technical Analysis

The PS1Bot malware campaign represents a sophisticated multi-stage threat primarily distributed via malvertising, leveraging deceptive online advertisements to infect victims. PS1Bot is implemented using PowerShell and C#, featuring a modular architecture that allows attackers to deploy various payloads tailored for information theft, keylogging, reconnaissance, and establishing persistent access on compromised systems. The malware employs advanced stealth techniques, including in-memory execution to avoid detection by traditional antivirus solutions and minimize forensic artifacts.

The infection chain typically begins with compressed archives containing obfuscated scripts that execute PowerShell modules. These modules perform a range of malicious activities such as antivirus evasion, screen capturing, data exfiltration, keylogging, and system information gathering. Notably, PS1Bot targets cryptocurrency wallets by scanning files with wordlists to locate passwords and seed phrases, indicating a focus on financial theft. Persistence is maintained by manipulating the startup directory, ensuring the malware executes upon system reboot.

The campaign has been active since early 2025 and shares infrastructure and tactics with the previously reported Skitnet malware group, suggesting a possible link or evolution. The use of malvertising as a delivery vector increases the attack surface, as it can reach a broad and diverse user base through compromised or malicious advertising networks. The modular design and use of PowerShell and C# enable rapid adaptation and deployment of new capabilities, making PS1Bot a versatile and persistent threat.

Potential Impact

For European organizations, PS1Bot poses significant risks, particularly to entities involved in cryptocurrency transactions, financial services, and sectors with high-value intellectual property or sensitive data. The malware's ability to steal credentials, capture keystrokes, and exfiltrate system information can lead to financial losses, data breaches, and operational disruptions. The stealthy nature of PS1Bot complicates detection and incident response, potentially allowing prolonged unauthorized access and data compromise. Organizations with remote or hybrid work models may be more vulnerable due to increased exposure to malvertising through web browsing on less controlled endpoints. Additionally, the targeting of cryptocurrency wallets aligns with the growing adoption of digital assets in Europe, increasing the potential financial impact. The campaign's use of startup directory persistence and in-memory execution techniques challenges traditional endpoint security measures, necessitating advanced detection capabilities. Furthermore, the overlap with Skitnet infrastructure suggests a persistent threat actor with evolving tactics, increasing the likelihood of continued or expanded attacks targeting European networks.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the specific characteristics of PS1Bot. Key recommendations include:

1) Enhance web filtering and ad-blocking solutions to reduce exposure to malvertising, including the use of DNS filtering and browser security extensions that block malicious ads and scripts.
2) Deploy endpoint detection and response (EDR) tools capable of monitoring PowerShell activity and detecting in-memory execution patterns indicative of PS1Bot modules.
3) Implement strict application control policies to limit execution of unauthorized scripts and binaries, especially those launched from compressed archives or temporary directories.
4) Conduct regular threat hunting focused on indicators of persistence such as suspicious startup directory modifications and anomalous PowerShell commands.
5) Educate users on the risks of malvertising and encourage cautious behavior when interacting with online advertisements and downloading files from untrusted sources.
6) Secure cryptocurrency wallets using hardware wallets or multi-factor authentication to mitigate credential theft risks.
7) Maintain up-to-date threat intelligence feeds and integrate them into security operations to identify and respond to emerging PS1Bot indicators.
8) Employ network segmentation and strict egress filtering to limit data exfiltration pathways.

These measures, combined with continuous monitoring and incident response preparedness, will reduce the likelihood and impact of PS1Bot infections.
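Recommendation 4 asks for hunting on startup directory modifications, which is the persistence mechanism this pulse attributes to PS1Bot. The following is an added example of the triage logic a defender would run over file-create telemetry; it is not code from the page, from Talos or from AlienVault. The event records are constructed, and the field names "writer" and "path" are my own simplification of what an EDR or Sysmon FileCreate event carries. The Startup folder suffix and the list of launchable extensions are standard Windows facts; the set of script hosts treated as high-severity writers is my choice.

```python
"""Hunt for Startup-folder persistence in file-create telemetry.

Added example, not code from the page or from Talos/AlienVault. The event
records are constructed, and the field names ("writer", "path") are my own
simplification of what an EDR/Sysmon FileCreate event carries.
"""
import ntpath

# Both the per-user and the all-users Startup folder end with this suffix:
#   %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
#   %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup
STARTUP_SUFFIX = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Anything Explorer will launch directly at logon.
LAUNCHABLE_EXT = {".lnk", ".url", ".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}

# Writers that are script hosts or shells rather than installers/Explorer (my choice).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def assess(event):
    """Return 'high', 'medium', 'low' or None for one file-create event."""
    path = event["path"].replace("/", "\\").lower()
    if STARTUP_SUFFIX not in path:
        return None                      # not a Startup folder write
    ext = ntpath.splitext(path)[1]
    if ext not in LAUNCHABLE_EXT:
        return "low"                     # e.g. desktop.ini or a stray .txt
    writer = ntpath.basename(event["writer"]).lower()
    # A script host dropping a launchable file into Startup is the pattern
    # to hunt; an installer or Explorer doing it is usually benign.
    return "high" if writer in SCRIPT_HOSTS else "medium"


def triage(events):
    """Return (severity, writer, path) for every event worth a look, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = []
    for ev in events:
        sev = assess(ev)
        if sev is not None:
            hits.append((sev, ev["writer"], ev["path"]))
    return sorted(hits, key=lambda h: order[h[0]])


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"writer": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"writer": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"writer": r"C:\Windows\System32\msiexec.exe",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
    {"writer": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\Documents\notes.ps1"},
]

if __name__ == "__main__":
    for sev, writer, path in triage(SAMPLE_EVENTS):
        print(f"{sev:6}  {ntpath.basename(writer):16} -> {path}")
```

Run stand-alone, the script prints three findings: the PowerShell-written shortcut as high, the Explorer-written shortcut as medium, and the desktop.ini as low; the write outside the Startup folder is ignored. In production the same rule would be fed from the EDR's FileCreate stream and the "high" bucket routed to an analyst, while "medium" is best baselined against software deployment activity before alerting on it.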


Technical Details

Author: AlienVault
TLP: white
References: https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
Adversary: not specified
Pulse ID: 689bb3c9004eca543a36d5fc
Threat Score: not specified

Indicators of Compromise

No per-indicator descriptions are given in the pulse. Hashes are listed without an algorithm label; they are grouped below by length (32 hex = MD5, 40 hex = SHA-1, 64 hex = SHA-256).

IP addresses

181.174.164.117
181.174.164.12
181.174.164.161
181.174.164.170
181.174.164.180
181.174.164.2
181.174.164.201
181.174.164.238
181.174.164.47
213.176.113.168
109.120.179.170
131.174.164.238
147.45.45.168
5.252.153.94
62.60.178.24
77.110.116.227

File hashes (MD5)

1331e12e59aa729531fbfd44ae73fa3d
18f50c834765bd783de82ff0675a780e
6dc093e7f5c0986d371b1e22c97d2cab
7b20f4d5ab79cd5885535954a0110e24
87165a7e0f2c639ea1c0ceb2e9f7ec35
c33c0ccbda3c3a3b6ddc99f56a0aa405

File hashes (SHA-1)

17118d0d57653fca7b87eb369151702828ae72ad
42f7ef7388f1e6214ad6c359b4b8d4c7437f9241
4f7d098807be470637cb6926fff5ee0751d8b810
b4f8874ba735b15a1ca69a4c12d257d20d8a465c
d50a55e361b8584c3b57e741edc8f924753e0d1a
f6c23281f2948f2efde3e307b32606dc25deb787

File hashes (SHA-256)

01a94f7403e9e8cbe1cab08c4a1730e79e129d4c24193100292f69ed0d1979a9
048b2bafb871b586e895a0749ca74a6ebf47d1901b35730097c7a981d868772e
04b6a4c58ff8db639125a8277e7a3e8fb00100dd88f299896e24ac0fca928460
05d79a474dfe20fbb433806e215d78b31cf8574cd955588fb15cadbf720bf3c7
07b8120b557816182ea185e9d20b61445601c20c874761c41c4ab9a12d596886
0e415f71530b9d65e9804d8bc3fb12f53d26e6c27919db32c8a2924e437ecaa7
107afca60912befade2b9867167135da0a8658e6eb515330b064a9db73a562ac
14371c2993a31cdf39a8747a589e1eff365b7711a1d9fdfbc8b5273f397aa29e
190f954bcca561f829b56b6e3dfce7a0d9206eab6628ee55a04d0c2c4a45c83a
1b3e8dc1f493b8e9bd8cbe1aa948acef8e6aac41f480bff76075327dbe66652b
1c0f9d45e5fd0858eed93c36d9fb2ed8fd30a3fc9f0a58c1fa5c38bc32a9cf07
1e437075ff88f4ab33447a14683a9304dcb0bdb6cc52f2cff065f404a949e3fb
1e63e374ec0b11f361a1b051e4d123e3a2a10404ba81cfff912cbd4c96187297
1fe0138168469fb6d3f0f07f848499057d8990879d7ae2cddcd9345faa335dc7
21a56e1b10037c794a7eac52d71b063b76b0ff2e92af507d2f8d9f87402b721c
244e511e0699fe0b6722244dbe66026597bdf5b4369c9c66f846a3f49b438341
253ed51910d7835eafb1a21814f45520809ee6420c0a882b1c2d64487542652a
2616e7157017331e10f932ae45bccdde091c724aca5496b069b17fd42f952a4b
291700be999ed8d361e9418a3375353c384999afc42271affa7ecc395f137fc0
330a579ba3bb727a8c98079d127d6341c2ae8321f164c0b2050ed7d1dee4b588
33621b2d12a898e4a78b7e5e1dc59506a9fe3b0fb4fe2ff33c32795ea5b312a6
34804cb36531f1871c0a51e5163bfd639b97c7fe4d1604295c326e08e1afadd9
368b1fb562d913222a06b6c4ec5c9aa060b1c223a8acbfd747167c75856b16b0
36c3affc545476d2c5db29fcf9129849706ae41bd54894b7eb5dfe8c6b670b4b
3f97a1c386e14a44e7eb259858adec0bb1546fe59d3199595cb6c3d4d1988470
411f6444889d5bdba73cf7735f29a8fa971f80cb9d0464c8475d304bf22e94d5
41c8b2709640428746aca1e842d99db237a91f9cf948396303c8b73e90b785a0
42fe9d401dd68ddfde23e89a7a4c08125dc0aa121cdfe930589798a92b4262cf
453b93029be22447b4bf2925991f72a1b063c753c85e230e44ee1ab382b338ea
45ba535ccd969263b74ddc571efe3ae023fba2b9567ac272967f92e799c7f83c
48eb1c7586732005ab6da8644e550c7aa75fa382d1cc27e82ed43ca953604078
49f323dbe82ec8452b8e205bc7aa0925bc9f48f2b4ebf66e3c54a9e3b08d5be5
4dbd1bf6a07b97cb14cd4e2d78d09bc3561f225b64f99dc40774959e6bd9de21
58b4d06da885b9e373516b560d4e8ea87a7281f19bebf547100950e41511d67e
5980798820124788c99dbbfa6da0e3a1b8bd5e8f18804a2a0bee6d0bc119c685
5afbfd477f803d1b0de651c1a16ffb7c698ba4033258276b8e19bfa749b3ffb5
5bba8e7b6f31b3bdd2db9562b327e5e464867aeb436c268957ecee9690db181d
5c569c68ec4085607b7c23854105a9255dd4290c8ed43f1d95141f77db4e4781
5c983b71d035b05aba30778804bd6a2db6a9e00b1e186083813cf6ae513f89f6
64c6bfb31a340464a99acb4c51680070e470ca649ff29f5db26954bf13963b26
6669f4a455f5c71667f5f8b0e0d627f1398e15112e08277205a883487c189603
6bf52b79adbd2b79118700810b8437e2ec2e5e19d599e4e068c8f6f0d76ffc1a
705b51c3ccd0bd375a65fa1e80acfef80709b50b2a7d54b487309f49e9a92f11
70da9f738fcc760986e0ed4f76f84800d3a038f672c64683a1d5323043da76e9
7270dfd6bd579283f4f2cb5654de644491d29812109ae51a71886241cb824395
7377c7e3daa3c0d3cfd941c6cb0e27271dd2acbc0737c472b609861b0bf44a5f
76e60c2bad2d4ff20845dc9b4fc969fda6be34531ead2e53568b917fc815ae36
780ea1c97bbfe745628415aa0049c9febfcf56857a3482e910289ff229e6b7f5
7abafcb21b1f7fd4c07b54c3ca99912caaacfc0e8e7330631d62247faede6ada
7b89423831873906aa3f28507d1adbcca92b37dbb8a9be4f2d753ebc31467f33
7c5f964dda057e8f5bc7f81204bfb3f607191e7250cc60eb0c0fd69ee83f62c2
809f4ffef71ab43d692d4fececf1dfefffb0854ae1f15486960b1c198c47c69f
84147b1bd16218d165b5fc6b72040a69f10fdc9c654ca056e997cec18638b4ff
87d493b325177b038f068819b9efbdaf7596e252cc0cdc421b831226e9e20500
89b0f2496b6200d93e1734bf586bcf67473e0437a3301403e6708f58ade9cbe6
8a1b2bee78a30f2f119a37a0e024b47fb21572f6f7e02444302889fc1bd75686
8e7241ba98618ccb4ca015f3673704a8df9cd8de5aa2e8a287e565479755567b
90588fa7721cc3a381ec2353299beeb9918766ee38cfbf95bac45e15ef84d81c
90a81e6dd69c7f01bbd6bf74e259a1374bfe362bd23445532cf8d044b9739f8b
9304ff7136c030896973b0192c3ff02d47daaae9aa04db80a980df5c8eaffd91
943964e8eec89f1b8cb16c0cb813e0253529f47b60b2ecdef5afb4b0abd0d511
94a7a0ad7ba79bccbdbfd542269b20fae67df35e05537106e91aed6f2553d088
9a5685effadb8c63cea8b14115402ad3cfe721984b68726f8afd4f4b38e00a8b
9b3a0f109f96dbc74f65cf464cdc92760c1aaec1cda55d5bf39e6359bebbfedf
9cc1657fa9f056a7b34009c71d376f9af41e3b2505e0e3ecca536c806c5eeda4
a2cca39a4bcd12b6213334d7bc7cfced07636d24a760b7a8e39f05b85bf86caf
a3730e2dbcaf2bd3dea2c57c945175480577fe00ed5ece7a16f53fc2b2a36869
a8020170bc2d83cc7cdf86e1b729a8874d287d1c5ba4d9515bf45b04a1558b7a
a8cd019b2e762ac277a282eac9dc4507ab1fd81d47b37d0d404469a95f0be4a3
abfb7c3c3ea828bf85874c596cac17770668abb28734cbeec67dc8c958afd340
af339fc0bc2ac4f7618021c9560586164d55c8aa5fa1d1ac740e30739c0ff425
b3c7b3bf625fdce478c0e5def4ab43f8d9e427dfacac7d37f143b3aae0050118
b432adc819e6b5b65004956929dc843cf4cee3ff6dc54687d50268d36ba6a81f
b5a97bc726b26c05d76eb6c51505d1e3fe18eeb7177e2be25854e6d84bda7a02
b5e59c233b825cceaf03b8e902ebdc4d608a3c3d0ee35a092ef8c17fcb48e6f7
b6fb6849c14dddef78c58c62878d3c67f85f81c663a3614992eda616cf36f25c
b82710fc1422c5d94c68999e4fa9f90bf49ec7927636eb12be5933ef0690f354
b9866a44469d7855d114ddfc1b9bdad347ddec6dfcd5c4878367580e40be87df
b9caa844b3d72842f37a57dffc25df3fe1f6083f93295c2fbed0b0281c2652c3
b9f5dc18641151bf70bab31f2acd3409bc149ca8ff9fcb4edd8e20c0311157bd
ba3aed3af58569b8bf6bafbd360aa73bc777e81ee2783b7b0dcb956ea6b82df0
bccd81dc5e2c8eafbf8062561b40f77d63c9f498bd20723d9cd68e1526171b79
c025ff463278744795798abc7ed404f38cf167a447cbd4c0fde7f9a4b2dd0ccc
c09dffd32f233b9d65fe73432cfa29c1de9ea56cfd2f42b985f5e0cccfc0aa4f
c1c5e249919865658403854397a6b62593ee6ab99f4a20ea8ae1e03f1fac5e71
c2a0e65177b941424183f97329fa78bd28696aa928e3a26b7a58088e44e3e4f6
c35ec5aea53b2591e7ee8cf89da86c7a44ca1f333b206c8f33b078c8ddbe4fa9
c52f4f652442ff142c00989e919f43387fb4779964fadc458ec80886727e55be
c64a9e869ad8b210338e462db7bbb9de8c1288a9de3cecc9437666d75821429c
c75d16ef197ddc7241abc712ccb7981ca7817f5761f9f8f986fd8b9fb7036256
ca4e3ab9ea7b85ba81e0141fee19c67d91832155a11c0b378e58749010ff243b
cab6a14f345a6a8404160825d91240ba24c6dccaca6b90da096f05406fcb4935
cd58d6d9065c112293f15ae8bbd2002e88f258e8bee38297903d1ca9025d05a6
cd875cd6c18697b401e0ed103e1d9a5f2d047ec22fa2b772fe3c4dfec6952151
d0141a341f816d3493919524be6e025ccbb04f114a7789d982d35b40b0f7ba63
d2a9a3fdf016e9f0f32671d2dfdfe5fa6f66541822d6c0278ccf8ce9eba94db8
dab22465284356186a3de1ea470f2721e0ac18a84a072ae7dd83f06ca3efb25b
de5022893af502a25ae5f37cfa80783df798d578bb5d69facfd631055cd0f2b5
e3c943ad9ff6a43c88b7d977f207b85c8c2cfd0c69d582e748cf58419d5bc188
e899206a07b322cb69f659a112fd508911bd92be40cfcef4773fcf8b43ce93f9
e95d9c7b29714bb4c880c3417707b2f3da9ad52f65bcf288baa27dd2c8a54c9a
ec513db1dcd045444fb7282f382786d91ed3357d254797afacec8b7bab1f5070
ecb7133e5c2338a74f1f9e836edcb9218a82dcfc83c85cec8f49903246783e48
ee2385867241917960d21cc66b9c58aab8a62d2b203f725458771b3ee7794c80
ee726c64a82244cb65a6a0a768e5fe7032cb5d0897296418ce91f3b561726586
ef9456ada1d93e7cfc1750be1afd68807d532b6e893edd5ad79f016affd29dd0
f010ec8d2ab7b702870ee029aec16c0fdfe64a40f872f36dcb94ae7bc62a4638
f1414ace7527119aa69ea6c18de4d3ae073a306c9c3d63cd1d279059a5077bc4
f41538620ce33c25984032ddcfa339bd1e0dd6b4e7c97688dd7bebb310837716
f5d72181c6b7b8054244a40e6ade96fbb2d6968a132fddee082846b8ca4dc102
f74fac3e5f7ebb092668dc16a9542799ccacc55412cfc6750d0f100b44eef898
f966b7fa2ad4efc87cebb2fe2ac1fcbb21ef22b945dbd44aea9706791537b671
f9a2c3d1b3244b0f38601e26f36d46b8d93b7b3df5e6fd1703e7c5afed8375b9
fab53f1bceaeedb7f84a031346a0ef840328cd28aeb984e34f2434a9d3475237
fdb7373fdcdb59b744e5b4e8369a2ba1c210449aa63dccde3f3546c790701804
ff2933aa3eb4b43ad93e798feec1d3699ce7b75497ed893942e742b3d2514b67
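The indicator list above mixes IPv4 addresses with MD5, SHA-1 and SHA-256 digests and does not label which hash algorithm each value uses, so a consumer has to infer the type before it can be matched. Recommendation 7 in the mitigation section (integrating threat intelligence feeds into security operations) is exactly this step. Below is an added example of a small ingest-and-match routine; it is not code from the page, from Talos or from AlienVault. The sample indicator text takes a few values from the page's list and adds one constructed SHA-256 whose preimage is known so that a file match can be demonstrated; the file bytes and the connection log are constructed, and the log format is my own.

```python
"""Ingest a mixed indicator list and match it against local artefacts.

Added example, not code from the page or from Talos/AlienVault. The pulse
exports its hashes without saying which algorithm each is, so the loader
infers the type from length and a file is checked under all three. The
observations below (file bytes, connection log) are constructed; the
indicator sample is a few values from the page plus one constructed hash
whose preimage is known so that a match can be demonstrated.
"""
import hashlib
import ipaddress
import re

HEX_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Destination "ip:port" in the constructed log format used below.
DST_RE = re.compile(r"-> (\d{1,3}(?:\.\d{1,3}){3}):\d+")


def classify(value):
    """Return 'ipv4', 'md5', 'sha1' or 'sha256'; raise ValueError otherwise."""
    v = value.strip().lower()
    if HEX_RE.match(v) and len(v) in HEX_TYPES:
        return HEX_TYPES[len(v)]
    try:
        ipaddress.IPv4Address(v)
    except ValueError:
        raise ValueError(f"unrecognised indicator {value!r}") from None
    return "ipv4"


def load_indicators(text):
    """Parse one indicator per line (blank lines and # comments ignored)."""
    ioc = {t: set() for t in ("ipv4", "md5", "sha1", "sha256")}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc[classify(line)].add(line.lower())
    return ioc


def match_file(data, ioc):
    """Return [(algo, digest)] for every algorithm under which the bytes match."""
    hits = []
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in ioc[algo]:
            hits.append((algo, digest))
    return hits


def match_connections(log_text, ioc):
    """Return [(line, dst_ip)] for log lines whose destination is a listed IP."""
    hits = []
    for line in log_text.splitlines():
        m = DST_RE.search(line)
        if m and m.group(1) in ioc["ipv4"]:
            hits.append((line, m.group(1)))
    return hits


# Constructed "known bad" bytes; their SHA-256 is appended to the list below.
KNOWN_BAD = b"constructed sample payload, not a real PS1Bot artefact\n"

# A few values from the page's list plus the constructed hash.
INDICATOR_TEXT = """
# IPs
181.174.164.117
109.120.179.170
# hashes of mixed length
1331e12e59aa729531fbfd44ae73fa3d
17118d0d57653fca7b87eb369151702828ae72ad
01a94f7403e9e8cbe1cab08c4a1730e79e129d4c24193100292f69ed0d1979a9
""" + hashlib.sha256(KNOWN_BAD).hexdigest() + "\n"

IOC = load_indicators(INDICATOR_TEXT)

# Constructed egress log; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
2025-08-12T21:36:09Z conn 10.0.0.5:51234 -> 181.174.164.117:443
2025-08-12T21:36:11Z conn 10.0.0.5:51235 -> 203.0.113.10:443
2025-08-12T21:37:02Z conn 10.0.0.7:49812 -> 109.120.179.170:80
"""

if __name__ == "__main__":
    print({t: len(v) for t, v in IOC.items()})
    print(match_file(KNOWN_BAD, IOC))
    print(match_file(b"benign bytes", IOC))
    for line, ip in match_connections(SAMPLE_LOG, IOC):
        print("HIT", ip, "|", line)
```

Checking a file under all three algorithms is deliberate: because the feed does not say which algorithm a given digest is, a file whose only listed digest is an MD5 would be missed by a SHA-256-only lookup. For a full deployment, swap the constructed log parser for the field your proxy or firewall exports and load the whole list from the page rather than the subset embedded here.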

Threat ID: 689c69d2ad5a09ad00406958

Added to database: 8/13/2025, 10:32:50 AM

Last enriched: 8/13/2025, 10:47:54 AM

Last updated: 8/16/2025, 6:47:25 PM

Views: 8
