PS1Bot Malware Campaign Uses Malvertising for Multi-Stage In-Memory Attacks
Summary
Hide β²
Show βΌ
A new malvertising campaign has been discovered that deploys PS1Bot, a multi-stage malware framework designed for stealthy, in-memory attacks. PS1Bot features a modular design to perform various malicious activities, including information theft, keylogging, and establishing persistent system access. The campaign has been active since early 2025, leveraging malvertising and SEO poisoning to deliver the malware. PS1Bot shares technical overlaps with AHK Bot and has been linked to previous ransomware campaigns involving Skitnet (Bossnet). The malware's modular nature allows for flexible and rapid deployment of updates or new functionalities. Google has also announced improvements in detecting invalid traffic (IVT) using AI systems powered by large language models (LLMs).
Timeline
-
13.08.2025 18:46 π° 1 articles Β· β± 1mo ago
PS1Bot Malware Campaign Discovered Using Malvertising for In-Memory Attacks
A new malvertising campaign has been identified that deploys PS1Bot, a multi-stage malware framework designed for stealthy, in-memory attacks. The campaign has been active since early 2025, leveraging malvertising and SEO poisoning to deliver the malware. PS1Bot features a modular design to perform various malicious activities, including information theft, keylogging, and establishing persistent system access. The malware shares technical overlaps with AHK Bot and has been linked to previous ransomware campaigns involving Skitnet (Bossnet).
Show sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
Information Snippets
-
PS1Bot is a modular malware framework designed for stealthy, in-memory execution.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
PS1Bot can perform information theft, keylogging, reconnaissance, and establish persistent system access.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
The campaign has been active since early 2025, using malvertising and SEO poisoning for propagation.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
PS1Bot shares technical overlaps with AHK Bot, previously used by threat actors Asylum Ambuscade and TA866.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
The malware is linked to previous ransomware campaigns involving Skitnet (Bossnet).
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
The initial infection vector involves a compressed archive delivered via malvertising or SEO poisoning, containing a JavaScript payload.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
The PowerShell script executed by the JavaScript payload contacts a C2 server to fetch additional modules.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
Modules include antivirus detection, screen capture, wallet grabber, keylogger, information collection, and persistence.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
-
Google has improved IVT detection using AI systems powered by large language models, reducing IVT by 40%.
First reported: 13.08.2025 18:46π° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks β thehackernews.com β 13.08.2025 18:46
Similar Happenings
Resurfaced ChillyHell macOS Backdoor Discovered
A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.
TAG-150 Expands Operations with CastleRAT, a New Remote Access Trojan
TAG-150, a threat actor behind the CastleLoader malware-as-a-service (MaaS) framework, has developed a new remote access trojan (RAT) named CastleRAT. This malware, available in both Python and C variants, is designed to collect system information, execute commands, and download additional payloads. CastleRAT has been in development since March 2025 and is part of a multi-tiered infrastructure used by TAG-150. The malware has been distributed through phishing attacks, fraudulent GitHub repositories, and malicious websites advertising fake software. The C variant of CastleRAT includes advanced features such as keystroke logging, screenshot capture, and cryptocurrency clipper functionality. The Python variant, also known as PyNightshade, is tracked by eSentire as NightshadeC2. Recent iterations of the C variant have removed certain data collection features, indicating ongoing development. CastleRAT is deployed using a .NET loader that employs UAC Prompt Bombing to bypass security protections. The malware has been observed in various campaigns distributing secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various malware families. CastleLoader has been used in over 1,600 attacks, with a 28.7% success rate, targeting critical infrastructure, including U.S. government agencies. CastleLoader has also been linked to a Play Ransomware attack against a French organization. TAG-150 operates with a limited user base, promoting its services within closed circles to avoid detection.
Phishing campaign using SVG files to deploy Base64-encoded pages
A new malware campaign has been identified using Scalable Vector Graphics (SVG) files to deploy phishing pages. The SVG files, distributed via email, impersonate the Colombian judicial system and execute a JavaScript payload to inject a Base64-encoded HTML phishing page. This page mimics an official government document download process while downloading a ZIP archive in the background. The campaign has been active since at least August 14, 2025, and includes 523 unique SVG files that have evaded antivirus detection. The campaign is part of a broader trend where attackers are targeting macOS users with information stealers like Atomic macOS Stealer (AMOS). This stealer can exfiltrate a wide range of sensitive data, including credentials, browser data, and cryptocurrency wallets. The attackers use cracked software and ClickFix-style tactics to lure users into infecting their systems, bypassing macOS's Gatekeeper protections.
AI-Powered Ransomware 'PromptLock' Under Development
A new AI-powered ransomware strain named 'PromptLock' has been discovered by ESET researchers. This ransomware uses an AI model to generate scripts on the fly, making it difficult to detect. The malware is currently in development and has not been observed in active attacks. It is designed to exfiltrate files, encrypt data, and potentially destroy files. The ransomware was uploaded to VirusTotal from the United States and is written in the Go programming language, with variants for Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom notes based on the files affected and the type of infected machine.