PS1Bot Malware Campaign Using Malvertising for Multi-Stage In-Memory Attacks
Summary
Hide â˛
Show âŧ
A new malvertising campaign has been discovered, distributing PS1Bot, a multi-stage malware framework. PS1Bot uses a modular design to perform various malicious activities, including information theft, keylogging, and establishing persistent access. The malware leverages in-memory execution to minimize forensic traces. The campaign has been active since early 2025, with technical overlaps noted with AHK Bot and Skitnet (Bossnet). The infection begins with a compressed archive delivered via malvertising or SEO poisoning. The archive contains a JavaScript payload that downloads and executes a PowerShell script, which then contacts a command-and-control (C2) server to fetch additional modules. These modules enable functionalities such as antivirus detection, screen capture, wallet data theft, keylogging, and persistence. The campaign is assessed to have connections to previous ransomware-related activities and shares similarities with malware used by threat actors Asylum Ambuscade and TA866.
Timeline
-
13.08.2025 18:46 đ° 1 articles
PS1Bot Malware Campaign Discovered Using Malvertising for Multi-Stage Attacks
A new malvertising campaign has been identified, distributing PS1Bot, a multi-stage malware framework. The campaign has been active since early 2025, using malvertising and SEO poisoning to deliver the initial payload. The malware features a modular design and in-memory execution to perform various malicious activities, including information theft, keylogging, and establishing persistent access. The campaign is linked to previous ransomware-related activities and shares technical overlaps with AHK Bot and Skitnet (Bossnet).
Show sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
Information Snippets
-
PS1Bot is a multi-stage malware framework with a modular design, capable of performing information theft, keylogging, reconnaissance, and establishing persistent access.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
The malware uses in-memory execution techniques to minimize persistent artifacts and forensic trails.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
The campaign has been active since early 2025, using malvertising and SEO poisoning to deliver the initial payload.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
The initial infection vector involves a compressed archive containing a JavaScript payload that downloads and executes a PowerShell script.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
The PowerShell script contacts a C2 server to fetch additional modules, enabling various malicious functionalities.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
PS1Bot shares technical overlaps with AHK Bot, a malware previously used by threat actors Asylum Ambuscade and TA866.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
The campaign is linked to previous ransomware-related activities involving Skitnet (Bossnet) malware.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
-
The malware includes modules for antivirus detection, screen capture, wallet data theft, keylogging, and persistence.
First reported: 13.08.2025 18:46đ° 1 source, 1 articleShow sources
- New PS1Bot Malware Campaign Uses Malvertising to Deploy Multi-Stage In-Memory Attacks â thehackernews.com â 13.08.2025 18:46
Similar Happenings
ChillyHell macOS Backdoor Resurfaces with New Capabilities
The ChillyHell macOS backdoor malware, initially observed in 2022, has resurfaced with a new version. This modular backdoor allows attackers remote access and the ability to drop payloads, brute-force passwords, and evade detection. The malware, disguised as an executable applet, was discovered on VirusTotal and had been publicly hosted on Dropbox since 2021. The malware employs multiple persistence mechanisms and communicates over various protocols, making it highly flexible. It can exfiltrate data, drop additional payloads, and enumerate user accounts. Apple has revoked the notarization of the developer certificates associated with the malware. The resurgence of ChillyHell highlights the increasing threat landscape for macOS, emphasizing the need for robust security measures. A new Go-based remote access trojan (RAT) named ZynorRAT has been discovered, targeting Windows and Linux systems. ZynorRAT uses a Telegram bot for command and control and supports a wide range of functions, including file exfiltration and system enumeration.
MostereRAT Malware Disables Security Tools, Targets Japanese Windows Users
A new malware campaign, tracked as MostereRAT, targets Japanese Windows users with sophisticated evasion techniques. MostereRAT disables antivirus and endpoint defenses, uses an obscure programming language, and abuses legitimate remote access tools to maintain persistent control over compromised systems. The malware's capabilities include privilege escalation, keylogging, data exfiltration, and the creation of hidden administrator accounts. The campaign's long-term objectives and the full extent of its impact remain unclear. MostereRAT employs Easy Programming Language (EPL) to evade detection and uses Windows Filtering Platform (WFP) filters to block security telemetry. The malware deploys legitimate remote access tools like AnyDesk, TigerVNC, and TightVNC, making it difficult to detect. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools to reduce the attack surface. The malware uses mutual TLS (mTLS) to secure command-and-control (C2) communications and can run as TrustedInstaller, a built-in Windows system account with elevated permissions. MostereRAT can monitor foreground window activity associated with Qianniu - Alibaba's Seller Tool, facilitate RDP logins, and create hidden administrator accounts.
TAG-150 Expands Operations with CastleRAT in Python and C
The threat actor TAG-150, known for CastleLoader malware, has developed a new remote access trojan named CastleRAT. CastleRAT is available in both Python and C variants, and it is used to collect system information, execute commands, and download additional payloads. CastleRAT's development began in March 2025, and it is part of a multi-tiered infrastructure used by TAG-150. The malware is distributed through phishing attacks, fraudulent GitHub repositories, and other methods. The Python variant, also known as PyNightshade, and the C variant have different capabilities. The C variant includes keylogging, screenshot capture, file upload/download, and cryptocurrency clipper functionality. CastleRAT uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. TAG-150 has been active since at least March 2025, using CastleLoader as an initial access vector for various secondary payloads, including remote access trojans, information stealers, and other loaders. TAG-150's operations have targeted critical infrastructure, including U.S. government agencies, and have been linked to a Play Ransomware attack against a French organization. The group's MaaS operation is likely promoted within closed circles, indicating a sophisticated and connected user base. TAG-150 is likely to develop and release additional malware in the near term and expand its distribution efforts.
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute JavaScript payloads to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines. The earliest sample dates back to August 14, 2025. The campaign highlights the evolving tactics used by threat actors to bypass security measures and target macOS systems with information stealers like Atomic macOS Stealer (AMOS). This campaign also coincides with broader trends in cyber threats targeting macOS and gamers.
GhostRedirector Compromises 65 Windows Servers Using Rungan Backdoor and Gamshen IIS Module
GhostRedirector, a previously undocumented threat cluster, has compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam. The attacks, active since at least August 2024, deployed the Rungan backdoor and Gamshen IIS module. Rungan executes commands on compromised servers, while Gamshen manipulates search engine results for SEO fraud. The threat actor targets various sectors, including education, healthcare, technology, transportation, insurance, and retail, using SQL injection vulnerabilities for initial access. The group is assessed with medium confidence to be China-aligned. The operation involves using PowerShell to download malware tools and exploits like EfsPotato and BadPotato for privilege escalation.