The first version of the PsiXBot malware was spotted in mid-2017, after which it has evolved significantly. This malware is notorious for logging keystrokes and harvesting browser credentials.
Version 1.0.3, the latest known PsiXBot malware has been observed to host a sextortion module and a new fast-flux infrastructure. This version uses Google’s DNS over HTTPS (DoH) service to obtain IP addresses for the command and control domains.
This malware is currently being dropped as a payload from the Spelevo exploit kit. It is also known to spread via phishing emails.
How does it attack?
The latest PsiXBot version has a module called ‘StartPorn’ that records material from infected devices.
What to expect
The StartPorn module seems incomplete and is expected to evolve with time. Proofpoint published a detailed analysis of this malware.