Pbot: evolving adware

The adware PBot (PythonBot) got its name because its core modules are written in Python. It was more than a year ago that we detected the first member of this family. Since then, we have encountered several modifications of the program, one of which went beyond adware by installing and running a hidden miner on victim computers:

Miner code installed through PBot

Two other versions of PBot we detected were restricted to the goal of placing unwanted advertising on web pages visited by the victim. In both versions, the adware first attempts to inject a malicious DLL into the browser. The first version uses it to run JS scripts that display ads on web pages, the second — to install ad extensions in the browser. The latter is the more interesting of the two: its developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation further. Another distinctive feature of this PBot variation is a module that updates the scripts and downloads fresh browser extensions.

Throughout April, we registered more than 50,000 attempts to install PBot on computers of users of Kaspersky Lab products. The following month this number increased, indicating that this adware is on the rise. PBot’s target audience is mainly in Russia, Ukraine, and Kazakhstan.

Geography of infection attempts

Distribution methods

PBot is generally distributed through partner sites whose pages implement scripts to redirect users to sponsored links.
Here is the standard PBot propagation scheme:

  1. The user visits the partner site.
  2. When any point on the page is clicked, a new browser window pops up that opens an intermediate link.
  3. The intermediate link redirects the user to the PBot download page, which is tasked with downloading and running the adware on the victim computer by hook or by crook. The following is a section of code from one such page:

    Code of a page propagating PBot

  4. An HTA file is downloaded. On startup this file downloads the PBot installer.

    PBot propagation chain

Operating logic

PBot consists of several Python scripts executed in sequence. In the latest versions of the program, they are obfuscated using Pyminifier.

Obfuscated script code

In the new versions of PBot, modules are executed according to the following scheme:

PBot installation

  1. The source file *.hta downloads an executable file, which is the NSIS installer of PBot, to %AppData%.
  2. The installer drops a folder with the Python 3 interpreter, Python scripts, and a browser extension into %AppData%.
  3. Using the subprocess library, the script adds two tasks to Windows Task Scheduler. The first is set to execute when the user signs into the system, while the second runs daily at 5:00. In addition, the winreg library is used to register the script for autostart in the registry.
  4. The update script runs; it handles updating the PBot scripts and downloading new browser extensions.
  5. Next, the script checks whether any of the following processes are active:
    • browser.exe
    • chrome.exe
    • opera.exe
  6. If the processes are found, the DLL-generating script is started. The resulting DLL is injected into the launched browser and installs the ad extension.

    Writing the DLL to the browser process memory and executing the library
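The persistence pattern in steps 3–4 above (scheduled tasks plus a registry autostart entry, all pointing at a Python interpreter dropped under %AppData%) is something a defender can hunt for directly. The following is an added example, not code from the original article or from Kaspersky Lab: it scans constructed sample data shaped like `schtasks /query /fo CSV /v` output and like the values of a Run key, flags autostart entries that launch a Python interpreter from an AppData path, and correlates them by interpreter so that the layered persistence described here stands out. The column names, task names, paths and the assumption that a legitimate Python install does not live under AppData are all mine.

```python
"""Hunt for AppData-resident Python interpreters in Windows autostart locations.
Added example (not from the original article); all sample data is constructed."""
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# A Python interpreter living under a user's AppData tree. Assumption: regular
# Python installations do not live there, so such a path in an autostart
# location deserves a closer look.
APPDATA_PY = re.compile(r'\\AppData\\(?:Roaming|Local)\\[^"]*?python[^\\"\s]*\.exe',
                        re.IGNORECASE)

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output
# (column subset; names assumed). Host, task names and paths are made up.
SAMPLE_TASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Start Time"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","01:00:00"
"WS01","\Updater-Logon","C:\Users\alice\AppData\Roaming\Sample\python.exe C:\Users\alice\AppData\Roaming\Sample\update.py","At logon time","N/A"
"WS01","\Updater-Daily","C:\Users\alice\AppData\Roaming\Sample\python.exe C:\Users\alice\AppData\Roaming\Sample\update.py","Daily","05:00:00"
'''

# Constructed sample of Run-key values (name -> command line). The OneDrive entry
# is a benign AppData-resident autostart that must NOT be flagged.
SAMPLE_RUN_KEY: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'C:\Users\alice\AppData\Roaming\Sample\python.exe C:\Users\alice\AppData\Roaming\Sample\update.py',
}


def interpreter_path(command: str) -> Optional[str]:
    """Return the lower-cased AppData Python path found in a command line, or None."""
    match = APPDATA_PY.search(command)
    return match.group(0).lower() if match else None


def suspicious_tasks(csv_text: str) -> List[Tuple[str, str, str]]:
    """(task name, interpreter path, schedule) for tasks launching AppData Python."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = interpreter_path(row["Task To Run"])
        if not path:
            continue
        schedule = row["Schedule Type"]
        if row["Start Time"] != "N/A":
            schedule += " " + row["Start Time"]
        findings.append((row["TaskName"], path, schedule))
    return findings


def suspicious_run_entries(run_values: Dict[str, str]) -> List[Tuple[str, str]]:
    """(value name, interpreter path) for Run-key values launching AppData Python."""
    findings = []
    for name, command in run_values.items():
        path = interpreter_path(command)
        if path:
            findings.append((name, path))
    return findings


def correlate(csv_text: str, run_values: Dict[str, str]) -> Dict[str, dict]:
    """Group findings by interpreter; 'layered' marks an interpreter that is
    started both by a scheduled task and by a Run-key value."""
    report: Dict[str, dict] = {}
    for task_name, path, schedule in suspicious_tasks(csv_text):
        entry = report.setdefault(path, {"tasks": [], "run_values": []})
        entry["tasks"].append((task_name, schedule))
    for value_name, path in suspicious_run_entries(run_values):
        entry = report.setdefault(path, {"tasks": [], "run_values": []})
        entry["run_values"].append(value_name)
    for entry in report.values():
        entry["layered"] = bool(entry["tasks"]) and bool(entry["run_values"])
    return report


if __name__ == "__main__":
    for path, info in correlate(SAMPLE_TASKS_CSV, SAMPLE_RUN_KEY).items():
        flag = "LAYERED PERSISTENCE" if info["layered"] else "single location"
        print(f"{path}: {flag}")
        for task_name, schedule in info["tasks"]:
            print(f"  task {task_name} ({schedule})")
        for value_name in info["run_values"]:
            print(f"  run value {value_name}")
```

On a live host the CSV text would come from running `schtasks /query /fo CSV /v` and the Run-key dictionary from enumerating the user's and machine's Run keys; the matching logic is deliberately narrow (interpreter under AppData) so that ordinary AppData-resident programs such as the OneDrive entry in the sample do not produce noise.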

The browser extension installed by PBot typically adds various banners to the page, and redirects the user to advertising sites.

PBot result: Pop-up window with an ad clip on

In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), each with more complex obfuscation intended to bypass protection systems.
Kaspersky Lab solutions detect PBot with the following verdicts:

