Threat Feed
medium advisory

PowMix Botnet Targeting Czech Workforce

The PowMix botnet campaign targets Czech organizations, particularly HR, legal, and recruitment agencies, using compliance-themed lures delivered via phishing emails. The attack relies on a Windows shortcut file that launches a PowerShell loader, which bypasses AMSI and deploys the botnet payload in memory.

The PowMix botnet campaign, active since at least December 2025, is targeting the Czech workforce. The attackers are using compliance-themed lures impersonating legitimate brands such as EDEKA and referencing the Czech Data Protection Act. These lures are distributed via malicious ZIP files, potentially through phishing emails, and aim to compromise victims in HR, legal, and recruitment agencies, as well as job aspirants in IT, finance, and logistics. PowMix employs randomized command-and-control (C2) beaconing intervals and embeds encrypted heartbeat data into C2 URL paths, mimicking legitimate REST API URLs to evade network signature detections. The botnet can dynamically update the C2 domain in its configuration file and abuses the Heroku cloud platform for C2 operations.

Attack Chain

  1. The attack begins with a phishing email containing a malicious ZIP file.
  2. The victim opens the ZIP file and executes a Windows shortcut (.LNK) file.
  3. The .LNK file executes an embedded PowerShell loader script.
  4. The PowerShell script creates a copy of the ZIP file and its contents in the victim’s “ProgramData” folder.
  5. The PowerShell script bypasses AMSI by setting the amsiInitFailed field to true.
  6. The PowerShell script extracts the PowMix botnet payload from the ZIP archive using a hardcoded delimiter (“zAswKoK”).
  7. The extracted payload is a secondary PowerShell script that is reconstructed by replacing placeholders.
  8. The secondary PowerShell script is executed in memory using Invoke-Expression (IEX), establishing communication with the C2 server on Heroku.

Impact

This campaign targets Czech organizations across various levels, with a focus on HR, legal, and recruitment sectors. If successful, the attacker gains control over the infected machine, potentially enabling data theft, espionage, or further malicious activities. The final payload and ultimate intent of the attackers remain unknown, but the botnet could be used for various purposes, including distributed denial-of-service (DDoS) attacks or as a foothold for lateral movement within the victim’s network.

Recommendation

  • Monitor process creation events for PowerShell executing from unusual locations like the ProgramData folder to detect initial execution (see Sigma rule: “Detect PowerShell Executing from ProgramData”).
  • Deploy the Sigma rule “Detect AMSI Bypass via Reflection” to identify attempts to disable the Antimalware Scan Interface.
  • Monitor network connections for traffic to *.herokuapp.com initiated by unusual processes, which may indicate C2 communication (see IOCs and Sigma rule: “Detect Heroku C2 Communication”).
  • Inspect PowerShell command lines for the presence of the Invoke-Expression command, which is used to execute the payload in memory (see Sigma rule: “Detect PowerShell IEX with Suspicious Parameters”).
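The four recommendations above, written out as detection logic that runs over constructed sample telemetry. This is an added example, not the vendor's Sigma rules and not code from the original advisory; the event field names (image, command_line, dest_host), the hostnames, the ProgramData script path, the example-app.herokuapp.com name and the browser allowlist for Heroku traffic are all assumptions chosen for illustration. The AMSI sample contains only the tokens a detection keys on, not a working bypass.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs). Field names loosely follow Sysmon
# process-creation / network-connection events; hosts, paths and app name are invented.
POWERSHELL_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    # 0: loader launched from ProgramData with a hidden window (recommendation 1)
    {"host": "WS-HR-01", "event": "process_creation", "image": POWERSHELL_EXE,
     "command_line": r"powershell.exe -w hidden -ep bypass -File C:\ProgramData\compliance\loader.ps1"},
    # 1: reflection against the AMSI field; tokens only, deliberately not a working bypass
    {"host": "WS-HR-01", "event": "process_creation", "image": POWERSHELL_EXE,
     "command_line": 'powershell.exe -nop -c "[constructed: reflection GetField on AmsiUtils amsiInitFailed]"'},
    # 2: in-memory execution of the reconstructed second stage (recommendation 4)
    {"host": "WS-HR-01", "event": "process_creation", "image": POWERSHELL_EXE,
     "command_line": 'powershell.exe -nop -w hidden -c "IEX($stage2)"'},
    # 3: benign: an administrator running a script from their own profile
    {"host": "WS-FIN-02", "event": "process_creation", "image": POWERSHELL_EXE,
     "command_line": r"powershell.exe -File C:\Users\admin\Documents\inventory.ps1"},
    # 4: beacon to a Heroku-hosted app from PowerShell (hypothetical app name)
    {"host": "WS-HR-01", "event": "network_connection", "image": POWERSHELL_EXE,
     "dest_host": "example-app.herokuapp.com", "dest_port": 443},
    # 5: benign: a browser visiting a Heroku-hosted site
    {"host": "WS-FIN-02", "event": "network_connection",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example-app.herokuapp.com", "dest_port": 443},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
PROGRAMDATA = re.compile(r"[A-Za-z]:\\ProgramData\\", re.I)
AMSI_TOKENS = ("amsiutils", "amsiinitfailed")
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
SUSPICIOUS_PARAMS = re.compile(
    r"(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|nop\b|noprofile\b|ep\s+bypass|"
    r"executionpolicy\s+bypass|enc\b|encodedcommand\b)", re.I)
# Assumption: the processes expected to talk to Heroku-hosted sites in this environment.
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe")


def ps_from_programdata(ev):
    """PowerShell whose command line references a script under ProgramData."""
    return (ev["event"] == "process_creation"
            and POWERSHELL.search(ev["image"]) is not None
            and PROGRAMDATA.search(ev["command_line"]) is not None)


def amsi_bypass_reflection(ev):
    """Command line naming the AMSI internals that reflection-based bypasses touch."""
    cl = ev.get("command_line", "").lower()
    return ev["event"] == "process_creation" and any(t in cl for t in AMSI_TOKENS)


def iex_with_suspicious_params(ev):
    """Invoke-Expression combined with hidden-window / no-profile / bypass switches."""
    cl = ev.get("command_line", "")
    return (ev["event"] == "process_creation"
            and IEX.search(cl) is not None
            and SUSPICIOUS_PARAMS.search(cl) is not None)


def heroku_c2(ev):
    """Connection to herokuapp.com from a process that is not an expected client."""
    if ev["event"] != "network_connection":
        return False
    host = ev["dest_host"].lower()
    proc = ev["image"].rsplit("\\", 1)[-1].lower()
    return (host == "herokuapp.com" or host.endswith(".herokuapp.com")) and proc not in BROWSERS


RULES = {
    "Detect PowerShell Executing from ProgramData": ps_from_programdata,
    "Detect AMSI Bypass via Reflection": amsi_bypass_reflection,
    "Detect PowerShell IEX with Suspicious Parameters": iex_with_suspicious_params,
    "Detect Heroku C2 Communication": heroku_c2,
}


def evaluate(events):
    """Return {rule_name: [indices of events that matched]} for every rule."""
    return {name: [i for i, ev in enumerate(events) if fn(ev)] for name, fn in RULES.items()}


def suspect_hosts(events, min_rules=2):
    """Correlate per host: hosts on which at least `min_rules` distinct rules fired.
    Any single rule can be noisy; several stages of the chain on one host is a
    much stronger signal that the loader ran end to end."""
    hits = defaultdict(set)
    for name, fn in RULES.items():
        for ev in events:
            if fn(ev):
                hits[ev["host"]].add(name)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for name, idx in evaluate(EVENTS).items():
        print(f"{name}: events {idx}")
    print("hosts with multiple stages:", suspect_hosts(EVENTS))
```

Each function mirrors one Sigma rule listed below; `suspect_hosts` adds the correlation step a SOC would normally do in the SIEM, so that the single noisy match (an administrator's script, a browser visiting a Heroku-hosted site) stays low priority while a host showing ProgramData execution, AMSI tampering, IEX and a Heroku connection together is escalated.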

Detection coverage (3 rules)

Detect PowerShell Executing from ProgramData (severity: medium)

Detects PowerShell execution from the ProgramData folder, which is an unusual location for legitimate PowerShell scripts and may indicate malicious activity.

Sigma: tactic execution; technique T1059.001; sources process_creation, windows

Detect AMSI Bypass via Reflection (severity: high)

Detects attempts to bypass AMSI by using reflection to modify the amsiInitFailed field.

Sigma: tactic defense_evasion; technique T1027; sources process_creation, windows

Detect Heroku C2 Communication (severity: medium)

Detects network connections to herokuapp.com, potentially indicating command and control activity.

Sigma: tactic command_and_control; technique T1071.001; sources network_connection, windows

Detection queries are kept inside the platform.

Indicators of compromise (1)

Type    Value
domain  herokuapp.com