APT / THREAT GROUP🕵️ ESPIONAGEADVANCED

PS1Bot

3
aliases
Last seen:Mar 17, 2026

Intelligence Profile

According to Cisco Talos, this is multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules including an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in-memory, without requiring them to be written to disk. Due to similarities in the design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as “PS1Bot.”

Threat Analysis

PS1Bot is a advanced-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of espionage.

The group's espionage-oriented operations suggest a state-sponsored or state-aligned mandate, typically focused on stealing intellectual property, government secrets, or military intelligence. Targets are usually selected for strategic value rather than financial gain.

Classified as an advanced threat actor, PS1Bot likely develops or acquires zero-day exploits, employs custom malware toolchains, and demonstrates long-term persistence capabilities — hallmarks of a well-resourced operation consistent with nation-state backing.

External References

Quick Facts

TypeAPT / Threat Group
Motivation🕵️ espionage
Sophisticationadvanced
Aliases3

Also Known As

Bossnetphp.ps1botPS1Bot

External Intelligence

Malpedia: php.ps1bot

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.