Advisory ID: NCC-CSIRT-2025-011
Summary:
Security experts have discovered an ongoing scam where fake online ads trick people into downloading bogus software. Instead of the real program, they get PS1Bot, a hidden tool that runs mostly in memory, so it is harder to detect. Once installed, it can stay on the computer, steal information, record keystrokes, take screenshots, spy on activity, and give hackers long-term remote access. This attack has been active all through 2025 and is still happening.
Damage/Probability: High/Critical
Product(s):
Windows-based Devices
Version(s):
All versions of Windows endpoints where users browse the web and can execute PowerShell
Platform(s):
Windows OS
Description:
Hackers are running an online ad scam where fake ads appear in search results. These ads lead people to websites that appear to offer popular software, but the downloads are infected.
When someone installs the fake program, a hidden tool called PS1Bot secretly runs in the background without leaving obvious files on the computer, making it harder for antivirus software to spot it.
Once inside, PS1Bot can:
- Stay on the computer even after a restart.
- Steal saved passwords, browser data, and files.
- Record every key you press and take screenshots.
- Scan the computer and network to learn more about the target.
- Allow hackers to control the computer from far away and install other tools later.
Because it works mostly in memory and can change what it does over time, it is very hard to detect. This attack has been going on all through 2025, and it is still active.
Impacts:
- Theft of sensitive information, including credentials and corporate data.
- Potential foothold for ransomware or broader network compromise.
- Increased risk where PowerShell execution is unrestricted and ad filtering is absent.
Solutions:
- PS1Bot spreads through fake ads; counter it with a combination of technical defences and user awareness (education).
- Avoid clicking suspicious ads.
- Do not install software via ads; only install software from pre-approved sources (vendor portals, package managers, internal repositories).
- Only download software from official websites.
- Disable third-party cookies where possible; limit ad exposure using enterprise controls; enforce safe-browsing features.
- Block risky scripts like PowerShell if you do not need them.
- Treat malvertising/SEO-poisoning as a primary initial-access vector in phishing programs.
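The advisory notes that PS1Bot is hard to spot because it runs mostly in memory. PowerShell script block logging records the de-obfuscated content of every script block the engine compiles, whether or not it ever touches disk, so it is the control that gives defenders visibility into exactly this kind of implant. The script below is an added example, not code from NCC-CSIRT or any of the referenced vendors: it sets the same registry values that the PowerShell Group Policy settings write (script block logging, module logging, transcription), reports whether the session is running in Constrained Language Mode, and then reviews the last 24 hours of script block events (Event ID 4104) for a handful of generic download-and-execute indicators. The indicator strings and the transcript directory are assumptions chosen for illustration, not PS1Bot-specific signatures. Run it from an elevated PowerShell session on a Windows endpoint; in a managed estate, apply the same settings through Group Policy instead.

```powershell
# Added example (not from the advisory): enable PowerShell logging via the
# registry values Group Policy sets, then review recent script block events.
# Requires an elevated session. Indicator list and output directory are assumed.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: captures the de-obfuscated code of every script
#    block PowerShell compiles, including payloads that never touch disk.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Module logging for all modules ('*'): records pipeline execution details.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Transcription: full session transcripts written to a directory that the
#    SOC collects. The path below is an assumed location; use a protected share.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# 4. Report the language mode. 'ConstrainedLanguage' (enforced by an
#    AppLocker/WDAC policy) blocks most of the .NET access an in-memory
#    loader relies on; 'FullLanguage' means PowerShell is unrestricted here.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# 5. Review the last 24 hours of script block events (ID 4104) for generic
#    signs of encoded or downloaded code being executed in memory.
#    These strings are an assumed, generic set; tune them to your environment.
$indicators = 'Invoke-Expression', 'IEX', 'FromBase64String', 'DownloadString',
              '-EncodedCommand', 'Reflection.Assembly'
$since = (Get-Date).AddDays(-1)

Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object {
        $msg = $_.Message
        # Keep the event if any indicator appears (case-insensitive, literal match).
        $indicators | Where-Object { $msg -match [regex]::Escape($_) }
    } |
    Select-Object TimeCreated, MachineName,
        @{ n = 'Snippet'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-Table -AutoSize -Wrap
```

The review step is deliberately coarse: a match on these strings is a triage signal, not a verdict, since legitimate administration scripts also use encoded commands and base64. What matters for the in-memory threat the advisory describes is that, once logging is on, the decoded script text is in the event log where an EDR or SIEM can see it, regardless of how the payload was delivered.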
References:
- https://blog.talosintelligence.com/ps1bot-malvertising-campaign/
- https://thehackernews.com/2025/08/new-ps1bot-malware-campaign-uses.html
- https://undercodenews.com/malvertising-menace-ps1bot-malware-campaign-uncovered-in-2025/
- https://advisory.eventussecurity.com/advisory/malvertising-campaign-delivers-multi-stage-ps1bot-stealer-framework/
- https://nubetia.com/new-ps1bot-malware-campaign-leverages-malvertising-for-multi-stage-in-memory-attacks/
- https://demandteq.com/new-ps1bot-malware-campaign-exploits-malvertising-for-stealthy-multi-stage-attacks/