DEV Community

Mark0


PowMix botnet targets Czech workforce

Cisco Talos has uncovered an ongoing malicious campaign active since December 2025, targeting organizations in the Czech Republic with a newly discovered botnet dubbed "PowMix." The malware is typically delivered via phishing emails containing ZIP archives with malicious LNK files. Once executed, PowMix utilizes a multi-stage PowerShell loader that bypasses AMSI and executes the payload directly in memory, showing tactical similarities to the previous ZipLine campaign, including the use of Heroku for command-and-control (C2) infrastructure.

PowMix is designed for reconnaissance and remote code execution, employing sophisticated evasion techniques such as randomized beaconing intervals and URL paths that mimic legitimate REST API calls. It maintains persistence through Windows scheduled tasks and uses unique identifiers based on the victim machine's ProductID to generate bot IDs. The malware also features a self-update mechanism for C2 domains and can adopt the host's proxy settings to blend in with legitimate network traffic.
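The randomized beaconing and REST-looking URL paths described above are meant to defeat naive "same interval, same path" detections, but jittered beacons still cluster tightly around a base interval. The script below is an added illustration of how a defender might hunt for that pattern in web proxy logs; it is not code from the Talos report and says nothing about PowMix's actual paths, domains or timing. The log format, the `status-sync-demo.herokuapp.com` host, the workstation names, the thresholds and the sample lines are all constructed for the example.

```python
"""Hunt for beacon-like outbound HTTP in proxy logs.

Added example, not from the Talos write-up. Assumes a constructed log format:
    <ISO-8601 UTC timestamp> <source host> <method> <url> <status>
Heuristic: group requests by (source, destination host); a pair with many
requests whose inter-request gaps vary only within a small jitter band (low
coefficient of variation) is a beaconing candidate, and REST-looking paths
are reported as a secondary indicator. A herokuapp.com destination is not
malicious by itself; this is a triage signal, not a verdict.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample lines: ws-042 polls a made-up Heroku-hosted endpoint about
# every 5 minutes with roughly +/-10% jitter; ws-017 is ordinary browsing.
SAMPLE_LOG = """\
2026-01-05T09:00:00Z ws-042 GET https://status-sync-demo.herokuapp.com/api/v1/status 200
2026-01-05T09:05:00Z ws-042 POST https://status-sync-demo.herokuapp.com/api/v1/events 200
2026-01-05T09:09:30Z ws-042 GET https://status-sync-demo.herokuapp.com/api/v1/status 200
2026-01-05T09:15:00Z ws-042 GET https://status-sync-demo.herokuapp.com/api/v1/config 200
2026-01-05T09:19:50Z ws-042 POST https://status-sync-demo.herokuapp.com/api/v1/events 200
2026-01-05T09:25:00Z ws-042 GET https://status-sync-demo.herokuapp.com/api/v1/status 200
2026-01-05T09:29:40Z ws-042 GET https://status-sync-demo.herokuapp.com/api/v1/status 200
2026-01-05T09:35:00Z ws-042 POST https://status-sync-demo.herokuapp.com/api/v1/events 200
2026-01-05T09:40:05Z ws-042 GET https://status-sync-demo.herokuapp.com/api/v1/status 200
2026-01-05T09:00:05Z ws-017 GET https://docs.example.org/guide/intro 200
2026-01-05T09:00:10Z ws-017 GET https://docs.example.org/guide/setup 200
2026-01-05T09:00:12Z ws-017 GET https://docs.example.org/static/app.css 200
2026-01-05T09:00:52Z ws-017 GET https://docs.example.org/guide/usage 200
2026-01-05T09:00:53Z ws-017 GET https://docs.example.org/static/logo.png 200
2026-01-05T09:02:53Z ws-017 GET https://docs.example.org/guide/faq 200
2026-01-05T09:02:56Z ws-017 GET https://docs.example.org/search?q=proxy 200
2026-01-05T09:03:10Z ws-017 GET https://www.example.com/ 200
"""

MIN_REQUESTS = 6   # fewer requests give no usable interval statistics
MAX_CV = 0.3       # assumed threshold: jittered beacons stay well below this
REST_HINTS = ("/api/", "/v1/", "/v2/")   # assumed "REST-looking" path markers


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, _method, url, _status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    parsed = urlparse(url)
    return {"when": when, "src": src, "dst": parsed.hostname, "path": parsed.path}


def interval_stats(times):
    """Return (mean gap in seconds, coefficient of variation) for sorted times."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    return avg, cv


def find_beacons(log_text, min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Return candidate (src, dst) pairs whose request timing looks like a beacon."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_pair[(rec["src"], rec["dst"])].append(rec)

    findings = []
    for (src, dst), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        avg, cv = interval_stats(r["when"] for r in recs)
        if cv > max_cv:
            continue   # irregular gaps: looks like a human, not a timer
        rest_like = sum(any(h in r["path"] for h in REST_HINTS) for r in recs)
        findings.append({
            "src": src, "dst": dst, "count": len(recs),
            "mean_interval_s": avg, "cv": cv, "rest_like_paths": rest_like,
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed data only the ws-042 pair is reported: nine requests, a mean gap of about 300 s and a coefficient of variation near 0.06, all on `/api/v1/...` paths. The browsing host is dropped because its gaps vary by more than an order of magnitude. In practice the thresholds need tuning per environment, and the candidate list should be joined with destination rarity (how many hosts in the estate talk to that domain at all) before anyone spends time on it.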


