Particle.news

PS1Bot Malware Framework Continues Evolving Through Malvertising to Target Crypto Wallets

Talos says its PowerShell modules run entirely in memory to evade disk-based security controls

[Figure: New Malvertising Attack Spreads Crypto Stealing PS1Bot Malware]

Overview

  • PS1Bot has been active since early 2025, distributed via malvertising and SEO poisoning that lure victims into downloading compressed archives containing JavaScript downloaders.
  • Victims’ systems load a PowerShell-based loader that polls command-and-control servers and executes modular payloads in memory, performing functions like keylogging, screen capture and system reconnaissance.
  • The grabber module specifically targets web browsers and cryptocurrency wallet extensions with embedded wordlists to locate and exfiltrate wallet seed phrases and passwords.
  • Talos observed code and infrastructure similarities to the AHK Bot family and suspected links to Skitnet/Bossnet ransomware operations despite not directly capturing Skitnet binaries.
  • Ad networks have introduced LLM-powered invalid-traffic detection that cut IVT by 40 percent, but the campaign remains active, prompting calls for stronger endpoint controls and user vigilance.