The first version of the PsiXBot malware was spotted in mid-2017, and it has evolved significantly since then. This malware is notorious for logging keystrokes and harvesting browser credentials.

Version 1.0.3, the latest known version of PsiXBot, has been observed to include a sextortion module and to use a new fast-flux infrastructure. This version uses Google’s DNS over HTTPS (DoH) service to obtain IP addresses for the command and control domains.

This malware is currently being dropped as a payload from the Spelevo exploit kit. It is also known to spread via phishing emails.
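
Lookups made through Google's DoH service travel over HTTPS and so do not appear in ordinary DNS resolver logs. The following is an added example, not code from the original page: it scans proxy or endpoint records for requests to Google's DoH endpoints made by processes other than browsers. The record schema, the process allow-list and the sample lines are assumptions constructed for illustration, and the URL is only visible where TLS is inspected or an endpoint agent logs it.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Google Public DNS DoH hosts and paths: JSON API (/resolve), RFC 8484 (/dns-query).
DOH_HOSTS = {"dns.google", "dns.google.com"}
DOH_PATHS = {"/resolve", "/dns-query"}
# Assumption: the only processes expected to use DoH in this environment.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample records in a hypothetical proxy/EDR JSON-lines schema.
SAMPLE_LOG = """\
{"host": "WS-014", "process": "chrome.exe", "url": "https://dns.google/dns-query?dns=AAABAAAB"}
{"host": "WS-022", "process": "invoice_viewer.exe", "url": "https://dns.google/resolve?name=c2-one.example&type=A"}
{"host": "WS-022", "process": "Invoice_Viewer.exe", "url": "https://dns.google.com/resolve?name=C2-Two.example.&type=A"}
{"host": "WS-022", "process": "invoice_viewer.exe", "url": "https://www.google.com/search?q=dns"}
{"host": "WS-031", "process": "updater.exe", "url": "https://dns.google/dns-query"}
"""

def doh_lookups(lines):
    """Yield (host, process, queried_name) for each request to a DoH endpoint."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        url = urlsplit(rec["url"])
        if (url.hostname or "") not in DOH_HOSTS or url.path not in DOH_PATHS:
            continue
        # The JSON API exposes the name in ?name=; RFC 8484 wire format does not.
        name = parse_qs(url.query).get("name", ["<wire-format>"])[0]
        yield rec["host"], rec["process"].lower(), name.lower().rstrip(".")

def suspicious_doh(lines):
    """Map (host, process) to the names resolved via DoH by unexpected processes."""
    hits = defaultdict(set)
    for host, process, name in doh_lookups(lines):
        if process not in ALLOWED_PROCESSES:
            hits[(host, process)].add(name)
    return {key: sorted(names) for key, names in hits.items()}

if __name__ == "__main__":
    for (host, process), names in suspicious_doh(SAMPLE_LOG.splitlines()).items():
        print(f"{host} {process}: {', '.join(names)}")
```
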