A malware campaign utilizing malvertising has been distributing PS1Bot, a sophisticated multi-stage framework implemented in PowerShell and C#. PS1Bot features modular design, enabling information theft, keylogging, reconnaissance, and persistent system access. The malware minimizes artifacts and uses in-memory execution techniques for stealth. Active since early 2025, PS1Bot's information stealer targets cryptocurrency wallets and employs wordlists to identify files containing passwords and seed phrases. The campaign overlaps with previously reported Skitnet activities and uses similar C2 infrastructure. Delivery involves compressed archives with obfuscated scripts, leading to PowerShell modules for antivirus detection, screen capture, data theft, keylogging, and system information collection. Persistence is established through startup directory manipulation.