A modular malware framework dubbed PS1Bot has been spreading in an “extremely active” malvertising campaign since early 2025, Cisco Talos reported Tuesday.

The malicious PowerShell and C# framework facilitates multi-stage malware delivery through the follow-on deployment of PowerShell modules, minimizing forensic artifacts on the disk by enabling in-memory execution.

PS1Bot is spread via compressed archives downloaded after clicking on web advertisements, which are further promoted through the use of search engine optimization (SEO) poisoning.

The names of the archives correspond to SEO keywords users may be likely to search, such as “chapter 8 medical benefit policy manual,” “zebra gx430t manual” and “kosher food list.”

The archives contain an obfuscated downloader titled “FULL DOCUMENT.js” that retrieves the next stage of the attack, a JScript scriptlet that performs initial setup for the PS1Bot framework.

The JScript writes and executes a PowerShell script that establishes a connection to the attacker’s command-and-control (C2) server and periodically attempts to retrieve and execute any additional PowerShell modules sent by the attacker.

Different PowerShell modules discovered by Cisco Talos include an antivirus detection module, a screen capture module, a wallet grabber, a keylogger, an information collector for basic system information and a persistence module that ensures the framework continues working after system reboots.

The antivirus detection module retrieves a list of installed antivirus products and sends it in the parameters of an HTTP GET request to the C2 server. The screen capture module takes screenshots, creates BMP images, converts and stores them as JPEGs and then encodes them with Base64 before transmitting them to the C2 in an HTTP POST request.

The grabber module searches for sensitive information from a list of web browsers, browser extensions, cryptocurrency wallets and multi-factor authentication applications. It also uses hardcoded lists of keywords to search for files containing potential passwords or cryptocurrency wallet seed phrases.

The stolen information is compressed and sent to the C2 server in an HTTP POST request; wallet seed phrases are instead sent in the parameters of an HTTP GET request. The keylogger collects keystrokes, mouse activity and clipboard contents and transmits them in an HTTP POST request.
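The two network behaviours described above, a PowerShell loop that polls the C2 server on a timer and modules that push Base64-expanded data back in HTTP POST bodies, are both visible at a web proxy even when nothing touches the disk. The following detector is an added example written for this article, not code from Cisco Talos or from PS1Bot itself: it groups proxy records by client and destination host, flags pairs whose GET requests arrive at a near-constant interval, and lists any large POSTs to the same host. The log line format, host names and IP addresses are constructed for the example; real proxy logs would need their own parser in place of `parse_line`.

```python
"""Detect fixed-interval C2 polling and bulk POST exfiltration in proxy logs.

Added example, not code from the Cisco Talos report or from PS1Bot. It
looks for the behaviour the article describes: an infected host polling the
same server on a timer and then POSTing a large (Base64-expanded) body.
The log line format below, and every host name and IP in it, is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.5 polls c2.example about once a minute and
# POSTs ~400 KB once; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
2025-03-04T10:00:00Z 10.0.0.5 GET http://c2.example/poll?id=abc 0
2025-03-04T10:00:03Z 10.0.0.9 GET http://news.example/index.html 0
2025-03-04T10:01:01Z 10.0.0.5 GET http://c2.example/poll?id=abc 0
2025-03-04T10:01:40Z 10.0.0.9 GET http://news.example/story/12 0
2025-03-04T10:02:00Z 10.0.0.5 GET http://c2.example/poll?id=abc 0
2025-03-04T10:02:31Z 10.0.0.5 POST http://c2.example/upload 412388
2025-03-04T10:03:01Z 10.0.0.5 GET http://c2.example/poll?id=abc 0
2025-03-04T10:04:00Z 10.0.0.5 GET http://c2.example/poll?id=abc 0
2025-03-04T10:04:12Z 10.0.0.9 GET http://shop.example/cart 0
2025-03-04T10:05:00Z 10.0.0.5 GET http://c2.example/poll?id=abc 0
"""


def parse_line(line):
    """Split '<ts> <client> <method> <url> <bytes_out>' into a tuple."""
    ts, client, method, url, bytes_out = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, method.upper(), urlsplit(url).hostname, int(bytes_out)


def analyze(log_text, min_polls=5, max_cv=0.1, post_threshold=100_000):
    """Return {(client, host): finding} for client/host pairs that beacon.

    A pair is reported when it has at least `min_polls` GET requests whose
    inter-request intervals have a coefficient of variation below `max_cv`
    (a timer with little jitter). Large POSTs to the same host are listed
    alongside, since that is the exfiltration channel the article describes.
    """
    gets = defaultdict(list)
    posts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, client, method, host, bytes_out = parse_line(line)
        key = (client, host)
        if method == "GET":
            gets[key].append(when)
        elif method == "POST" and bytes_out >= post_threshold:
            posts[key].append(bytes_out)

    findings = {}
    for key, times in gets.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            findings[key] = {
                "polls": len(times),
                "mean_interval": avg,
                "cv": cv,
                "large_posts": posts.get(key, []),
            }
    return findings


if __name__ == "__main__":
    for (client, host), f in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {f['polls']} polls every {f['mean_interval']:.0f}s "
              f"(cv={f['cv']:.3f}), large POSTs: {f['large_posts']}")
```

The thresholds are deliberately loose: a low coefficient of variation over a handful of requests is only a lead, and ordinary software (update checkers, chat clients) also polls on a timer, so the finding is worth correlating with the process that made the request, which on Windows means PowerShell script block logging or an EDR process tree showing `wscript.exe` launching `powershell.exe`.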

The persistence module creates a LNK file in the Startup directory that points to a PowerShell script, which continues the C2 polling activity whenever the infected machine starts up after a reboot. Cisco Talos also believes other modules likely exist that can be deployed at any time, with PS1Bot providing flexible and stealthy access to the target’s system.
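Because the persistence described above rests on a shortcut in the Startup folder, a defender can triage that folder without any Windows-specific tooling by reading the shortcut's own metadata. The script below is an added example, not code from Cisco Talos or from the malware: it parses the StringData section of a Windows shell link (the .lnk format documented in MS-SHLLINK), extracts the relative target path and command-line arguments, and reports shortcuts whose target is a script interpreter or whose arguments reference a .ps1 file. The two sample shortcuts are built in memory from constructed paths so the example runs anywhere; `scan_directory` is the function to point at a real Startup folder, and the Startup path used in the `__main__` block is the standard per-user location rather than anything taken from the campaign.

```python
"""Triage Startup-folder shortcuts (.lnk) that launch a script host.

Added example, not code from the Cisco Talos report or from PS1Bot. It reads
the StringData section of a Windows shell link (MS-SHLLINK) and flags
shortcuts whose target is a script interpreter or whose arguments reference
a .ps1 file. The two sample shortcuts are constructed in memory so the
script runs on any platform; `scan_directory` is for a real Startup folder.
"""
import os
import struct
from pathlib import Path

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields in the order they appear, keyed by their LinkFlags bit.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RISKY_FLAGS = ("-windowstyle hidden", "-w hidden", "-executionpolicy bypass",
               "-encodedcommand", "-enc ")


def parse_lnk(data):
    """Return the StringData fields of a shell link as a dict."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                      # end of ShellLinkHeader
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # skip LinkInfo
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for bit, name in STRING_FIELDS:               # CountCharacters + String, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252")
            off += count
    return fields


def triage(fields):
    """Return the reasons a shortcut looks like script-based persistence."""
    target = fields.get("relative_path", "").lower().replace("/", "\\")
    args = fields.get("arguments", "").lower()
    reasons = []
    exe = target.rsplit("\\", 1)[-1]
    if exe in SCRIPT_HOSTS:
        reasons.append(f"target is script host {exe}")
    if ".ps1" in args:
        reasons.append("arguments reference a .ps1 script")
    reasons += [f"argument {flag.strip()} present" for flag in RISKY_FLAGS if flag in args]
    return reasons


def scan_directory(directory):
    """Parse every .lnk in `directory` and return [(path, reasons)] for hits."""
    hits = []
    for path in Path(directory).glob("*.lnk"):
        try:
            reasons = triage(parse_lnk(path.read_bytes()))
        except ValueError:
            continue
        if reasons:
            hits.append((str(path), reasons))
    return hits


def build_lnk(relative_path, working_dir, arguments):
    """Build a minimal Unicode shell link (constructed test fixture only)."""
    flags = 0x08 | 0x10 | 0x20 | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\0")
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, working_dir, arguments))
    return header + body


# Constructed fixtures: one ordinary application shortcut and one that
# launches a hidden PowerShell script, the pattern the article describes.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notes\notes.exe", r"C:\Program Files\Notes", "")
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r"C:\Users\Public",
    r"-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(label, triage(parse_lnk(blob)) or "no findings")
    startup = os.path.join(os.environ.get("APPDATA", ""),
                           r"Microsoft\Windows\Start Menu\Programs\Startup")
    if os.path.isdir(startup):
        for path, reasons in scan_directory(startup):
            print(path, reasons)
```

The parser only reads the StringData strings, which is where a shortcut's command line lives; it skips the LinkTargetIDList and LinkInfo structures by their declared sizes rather than decoding them. A hit from `triage` is a starting point, not a verdict: the next step is to recover the referenced script itself, since the article notes that the loader keeps almost everything else in memory.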