Tags: malware, high, Botnet, Malware Delivery, Phishing, MixShell, PowMix

Apr 16, 2026 • Chetan Raghuprasad

PowMix botnet targets Czech workforce


Source: Cisco Talos Intelligence Group
Category: malware
Severity: high

Executive Summary

Cisco Talos identified a new botnet campaign named PowMix targeting Czech organizations across HR, legal, and recruitment sectors since December 2025. The attack utilizes phishing emails containing malicious ZIP files with LNK shortcuts to trigger PowerShell loaders. These loaders employ AMSI bypass techniques to execute the PowMix payload directly in memory, evading endpoint detection. Command-and-control communications mimic legitimate REST API URLs using randomized beaconing intervals and abused Heroku cloud infrastructure. While tactical overlaps exist with the previous ZipLine campaign and MixShell malware, the attacker's ultimate intent remains unknown. Organizations should enhance email filtering, monitor PowerShell activity, and block unauthorized cloud service access to mitigate risks associated with this evolving threat landscape targeting Central European workforces.

Summary

Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”

Published Analysis

PowMix employs randomized command-and-control (C2) beaconing intervals, rather than a persistent connection to the C2 server, to evade network signature detections. PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs. PowMix has the capability to remotely and dynamically update the botnet configuration file with a new C2 domain. Talos observed a few tactical similarities between the current campaign and the ZipLine campaign, including the payload delivery mechanism and the misuse of the legitimate cloud platform Heroku for C2 operations.

Victimology

Talos observed that an attacker targeted Czech organizations across various levels, based on the contents of the lure documents used by the attacker in the current campaign. Impersonating the legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lure documents, the attacker also used compensation data, as well as legitimate legislative references, to enhance the authenticity of these decoy documents and to entice job aspirants across diverse sectors like IT, finance, and logistics.

Figures 1 (left) and 2 (right). First pages of two decoy documents.

TTP overlaps with the ZipLine campaign

Talos observed a few tactical similarities between the current campaign and the ZipLine campaign, reported by researchers from Check Point in August 2025. In the current campaign, the PowMix botnet payload is delivered via an LNK-triggered PowerShell loader that extracts it from a ZIP archive data blob, bypasses AMSI, and executes the decrypted script directly in memory. This campaign shares tactical overlaps with the older ZipLine campaign (which deployed the MixShell malware), including identical ZIP-based payload concealment, Windows scheduled task persistence, CRC32-based BOT ID generation, and the abuse of “herokuapp.com” for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker’s final payload was unobserved, and the intent remains unknown in this campaign.

Attack summary

Figure 3. Attack summary flow chart.

The attack begins when a victim runs the Windows shortcut file contained within the received malicious ZIP file, potentially delivered through a phishing email. This shortcut file triggers the execution of an embedded PowerShell loader script, which initially creates a copy of the ZIP file along with its contents in the victim's “ProgramData” folder. Subsequently, it loads the malicious ZIP file, extracts and executes the embedded PowMix botnet payload directly in the victim's machine memory, and starts to communicate with the botnet C2.

PowerShell loader executes PowMix in memory

The first-stage PowerShell script functions as a loader, and its execution routine is designed to bypass security controls and deliver a secondary payload. It begins by defining several obfuscated variables, including the file name of the malicious ZIP file that was likely received via a phishing email. Then, the script dynamically constructs paths to folders such as “ProgramData” and the user’s “Downloads” folder to locate this ZIP file. Once the ZIP file is found, it extracts the contents to the “ProgramData” folder, effectively staging the environment for the next phase of the attack.

Figure 4. Excerpt of the deobfuscated PowerShell loader main function.

To evade detection, the script employs an AMSI (Antimalware Scan Interface) bypass technique. It uses a...
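The C2 behaviour described above (randomized beacon intervals, encrypted heartbeat data and victim identifiers embedded in REST-looking URL paths, abuse of herokuapp.com) leaves a hunting signal in web proxy logs. The following Python is an added example written for this page, not Talos tooling; the log lines, the herokuapp.com subdomain, the URL paths and the thresholds are all constructed.

```python
"""Flag PowMix-style C2 beaconing in proxy logs: repeated requests to an abused cloud
host with REST-looking paths ending in high-entropy, ID-like segments at irregular gaps."""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed proxy log, one request per line: "<ISO timestamp> <src> <host> <path>".
# The herokuapp.com subdomain and paths are placeholders, not real indicators.
SAMPLE_LOG = """\
2026-01-12T09:00:03Z 10.0.0.5 example-app-placeholder.herokuapp.com /api/v1/users/7f3a9c2e/status/Q2hlY2tpbjEyMzQ1
2026-01-12T09:00:41Z 10.0.0.5 example-app-placeholder.herokuapp.com /api/v1/users/7f3a9c2e/status/a8Fz0QmT2kLp9xWv
2026-01-12T09:02:10Z 10.0.0.5 example-app-placeholder.herokuapp.com /api/v1/users/7f3a9c2e/status/Zq81MnB7vCx3LkRt
2026-01-12T09:03:02Z 10.0.0.5 example-app-placeholder.herokuapp.com /api/v1/users/7f3a9c2e/status/P0oIu7YtR3eWq1Az
2026-01-12T09:00:10Z 10.0.0.7 www.example.com /index.html
2026-01-12T09:05:00Z 10.0.0.7 www.example.com /about.html
"""

WATCHED_SUFFIXES = (".herokuapp.com",)  # cloud platform the report names as abused for C2
MIN_SEGMENT_LEN = 12    # encoded IDs / heartbeat blobs are long...
MIN_ENTROPY_BITS = 3.0  # ...and high-entropy; a word like "status" scores ~1.9 bits
MIN_REQUESTS = 3        # a beacon repeats; a single request is not a pattern
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character over the string's own symbol distribution."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_like_encoded_id(path):
    """True if the final path segment looks like an encoded ID rather than a word."""
    tail = path.rstrip("/").rsplit("/", 1)[-1]
    return len(tail) >= MIN_SEGMENT_LEN and shannon_entropy(tail) >= MIN_ENTROPY_BITS

def find_suspicious_beacons(log_text):
    """Group matching requests per (source, host); report count and spread of gaps."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m[3].endswith(WATCHED_SUFFIXES) and looks_like_encoded_id(m[4]):
            hits[(m[2], m[3])].append(datetime.fromisoformat(m[1].replace("Z", "+00:00")))
    findings = []
    for (src, host), times in hits.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()  # gap spread shows the jitter that defeats fixed-period signatures
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        findings.append({"src": src, "host": host, "requests": len(times),
                         "min_gap_s": min(gaps), "max_gap_s": max(gaps)})
    return findings
```

On the constructed sample the single finding is the 10.0.0.5 host talking to the placeholder herokuapp.com subdomain four times with gaps between 38 and 89 seconds, while the ordinary web browsing from 10.0.0.7 is ignored.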

Linked Entities

  • MixShell
  • PowMix