Intel Name: Malvertising campaign leads to PS1Bot, a multi-stage malware framework
Date of Scan: August 13, 2025
Impact: Medium
Summary: An ongoing 2025 malvertising campaign is delivering a multi-stage malware framework dubbed PS1Bot, developed using PowerShell and C#. The malware supports in-memory execution, persistence, and modular capabilities including info-stealing, keylogging, and screen capturing. It minimizes forensic artifacts by avoiding disk writes. PS1Bot shows strong similarities to the AHK Bot malware family and overlaps with past Skitnet-related activity and malvertising campaigns in both code and infrastructure. The campaign has remained highly active with frequent updates and new samples.