EXECUTIVE SUMMARY:
A stealthy malvertising campaign delivers a multi-stage malware framework dubbed PS1Bot through disguised ads on search engines and web pages. The initial lure is a compressed archive named to match common search queries, such as financial manuals or forms, and placed in front of victims through malvertising. The archive contains a single JavaScript downloader, FULL DOCUMENT.js, which carries obfuscated VBScript that retrieves a JScript stage from an attacker-controlled server. That script chain then stages and executes modular payloads in memory, avoiding artifacts on disk. The victims are primarily Windows endpoints on which the Windows Script Host and PowerShell are available, and they are compromised when a user opens the downloaded archive. The business impact is significant: unauthorized access, information theft (including cryptocurrency wallet data), keylogging, screen capture, and persistence, all conducted under an evasive execution model that raises the risk of undetected intrusion and long-term compromise.
PS1Bot employs a multi-stage deployment model that combines PowerShell and C#. The initial stage is a .zip archive, delivered through SEO-poisoned search results or malvertising, that contains a downloader script, FULL DOCUMENT.js. This script carries obfuscated VBScript that retrieves a JScript payload from the attacker's server and executes it. That second-stage script delivers the framework's modules to the compromised host in memory, without writing them to disk, which reduces the artifacts available to endpoint tooling. The modular design allows capabilities to be deployed as needed: credential and wallet theft (driven by embedded wordlists), keylogging, screen capture, reconnaissance, and persistent backdoor access. The framework closely resembles previously documented toolkits such as AHK Bot, sharing code and C2 infrastructure, which points to reuse of tooling or convergence in design. Persistent access relies on the stealthy delivery chain and in-memory execution rather than conspicuous on-disk components, and C2 communication, though not described in depth in the source blog, is implied by the module staging and exfiltration functions. By combining an interpreted scripting chain with compiled modules and eliminating on-disk payloads, PS1Bot complicates both detection and attribution.
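The delivery chain above (archive from a search result, a JScript downloader run by the Windows Script Host, then a PowerShell stage launched in memory) is visible in ordinary process-creation telemetry even when the payloads never touch disk. The hunting logic below is an added example, not code from the original report or from the PS1Bot analysis it summarizes; the events are constructed to resemble Sysmon Event ID 1 records, and the field names, paths and command lines are assumptions rather than real telemetry.

```python
"""
Hunting logic for the PS1Bot-style chain: an archive opened from a search
result, a JScript downloader run by wscript.exe/cscript.exe, and a PowerShell
stage started with hidden/encoded/bypass switches.

Added example, not code from the original report. The events below are
constructed to resemble Sysmon Event ID 1 (process creation) records; the
field names and values are assumptions, not real telemetry.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry (not real). One benign script-host launch is
# included so the rule has something it must leave alone.
SAMPLE_EVENTS = [
    {"pid": 4312, "ppid": 1200, "user": "CORP\\alice",
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4312, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_Financial_Forms.zip\FULL DOCUMENT.js"'},
    {"pid": 5200, "ppid": 5120, "user": "CORP\\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAC4ALgAuACkA"},
    {"pid": 6000, "ppid": 4312, "user": "CORP\\bob",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "\\corp\netlogon\map_drives.vbs"'},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Script types the Windows Script Host will run directly.
SCRIPT_EXT = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|sct)\b", re.IGNORECASE)
# Locations a standard user can write to: Downloads and the per-user temp dir.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Explorer extracts a file double-clicked inside a .zip to %TEMP%\Temp1_<archive>.zip\
ARCHIVE_TEMP = re.compile(r"\\Temp1_[^\\]+\.zip\\", re.IGNORECASE)
# PowerShell switches typical of staged, in-memory loaders.
PS_SUSPICIOUS = re.compile(
    r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|enc(?:odedcommand)?\b|ep\s+bypass|ex(?:ecutionpolicy)?\s+bypass)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_script_host_chains(events):
    """Return one finding per script-host process matching the delivery pattern."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for e in events:
        if basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        cmd = e["cmdline"]
        reasons = []
        if SCRIPT_EXT.search(cmd) and USER_WRITABLE.search(cmd):
            reasons.append("script host running a script from a user-writable path")
        if ARCHIVE_TEMP.search(cmd):
            reasons.append("script launched directly from inside a .zip (Explorer Temp1_ directory)")
        for child in children[e["pid"]]:
            if basename(child["image"]) == "powershell.exe" and PS_SUSPICIOUS.search(child["cmdline"]):
                reasons.append(f"spawned powershell.exe (pid {child['pid']}) with hidden/encoded/bypass switches")
        if reasons:
            findings.append({
                "pid": e["pid"],
                "user": e["user"],
                "cmdline": cmd,
                "reasons": reasons,
                # The full archive -> script host -> PowerShell chain is high
                # confidence; a lone script from Downloads is only worth a look.
                "severity": "high" if len(reasons) >= 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(find_script_host_chains(SAMPLE_EVENTS), indent=2))
```

Run against the constructed events, the rule reports only the wscript.exe process that ran FULL DOCUMENT.js from the Explorer extraction directory and spawned a hidden, encoded PowerShell, and ignores the logon script launched from a network share. Parent/child linkage is what carries the signal here; matching on a .js file name alone would produce noise and would miss a renamed downloader.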
PS1Bot’s observed impact includes covert remote access, data theft (including cryptocurrency wallet credentials), and module-based surveillance such as keylogging and screen capture. Its stealth-centric chain, from malvertising delivery through entirely in-memory execution, raises serious concerns about detection and containment in typical enterprise environments. The modular, multi-stage architecture shows how modern malware frameworks can be both adaptable and stealthy, combining dynamic script stages with compiled modules. The campaign underscores a broader trend: malvertising has evolved from opportunistic delivery into a vector for tailored, persistent malware frameworks. The recurring use of obfuscated downloaders, script-only execution, and in-memory payloads signals increased. In the present threat landscape, PS1Bot exemplifies how adversaries leverage user-initiated downloads to deploy advanced malware that sidesteps many traditional defenses. Organizations that rely on search traffic and allow script execution on endpoints are especially exposed to these campaigns.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Collection | T1113 | Screen Capture | — |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Initial Access | E1204 | User Execution |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0013 | Scheduled Tasks |
| Defense Evasion | E1027 | Obfuscated Files or Information |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | B0007 | Sandbox Detection |
| Discovery | E1082 | System Information Discovery |
| Collection | E1113 | Screen Capture |
| Collection | E1056 | Input Capture |
| Command and Control | B0031 | Domain Name Generation |
| Impact | B0018 | Resource Hijacking |
| Impact | B0033 | Denial of Service |
REFERENCES:
The following reports contain further technical details: