{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/powmix/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["powmix","botnet","czech-republic","heroku"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe PowMix botnet campaign, active since at least December 2025, is targeting the Czech workforce. The attackers are using compliance-themed lures impersonating legitimate brands such as EDEKA and referencing the Czech Data Protection Act. These lures are distributed via malicious ZIP files, potentially through phishing emails, and aim to compromise victims in HR, legal, and recruitment agencies, as well as job aspirants in IT, finance, and logistics. PowMix employs randomized command-and-control (C2) beaconing intervals and embeds encrypted heartbeat data into C2 URL paths, mimicking legitimate REST API URLs to evade network signature detections. The botnet can dynamically update the C2 domain in its configuration file and abuses the Heroku cloud platform for C2 operations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attack begins with a phishing email containing a malicious ZIP file.\u003c/li\u003e\n\u003cli\u003eThe victim opens the ZIP file and executes a Windows shortcut (.LNK) file.\u003c/li\u003e\n\u003cli\u003eThe .LNK file executes an embedded PowerShell loader script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script creates a copy of the ZIP file and its contents in the victim\u0026rsquo;s \u0026ldquo;ProgramData\u0026rdquo; folder.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script bypasses AMSI by setting the \u003ccode\u003eamsiInitFailed\u003c/code\u003e field to \u003ccode\u003etrue\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script extracts the PowMix botnet payload from the ZIP archive using a hardcoded delimiter (\u0026ldquo;zAswKoK\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eThe extracted payload is a secondary PowerShell script that is reconstructed by replacing placeholders.\u003c/li\u003e\n\u003cli\u003eThe secondary PowerShell script is executed in memory using \u003ccode\u003eInvoke-Expression\u003c/code\u003e (IEX), establishing communication with the C2 server on Heroku.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign targets Czech organizations across various levels, with a focus on HR, legal, and recruitment sectors. If successful, the attacker gains control over the infected machine, potentially enabling data theft, espionage, or further malicious activities. The final payload and ultimate intent of the attackers remain unknown, but the botnet could be used for various purposes, including distributed denial-of-service (DDoS) attacks or as a foothold for lateral movement within the victim\u0026rsquo;s network.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for PowerShell executing from unusual locations like the \u003ccode\u003eProgramData\u003c/code\u003e folder to detect initial execution (see Sigma rule: \u0026ldquo;Detect PowerShell Executing from ProgramData\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect AMSI Bypass via Reflection\u0026rdquo; to identify attempts to disable the Antimalware Scan Interface.\u003c/li\u003e\n\u003cli\u003eMonitor network connections for traffic to \u003ccode\u003e*.herokuapp.com\u003c/code\u003e initiated by unusual processes, which may indicate C2 communication (see IOCs and Sigma rule: \u0026ldquo;Detect Heroku C2 Communication\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInspect PowerShell command lines for the presence of the \u003ccode\u003eInvoke-Expression\u003c/code\u003e command, which is used to execute the payload in memory (see Sigma rule: \u0026ldquo;Detect PowerShell IEX with Suspicious Parameters\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T10:00:33Z","date_published":"2026-04-16T10:00:33Z","id":"/briefs/2026-04-powmix/","summary":"The PowMix botnet campaign targets Czech organizations, particularly HR, legal, and recruitment agencies, using compliance-themed lures delivered via phishing emails, with the attack employing a Windows shortcut file that executes a PowerShell loader to bypass AMSI and deploy the botnet payload in memory.","title":"PowMix Botnet Targeting Czech Workforce","url":"https://feed.craftedsignal.io/briefs/2026-04-powmix/"}],"language":"en","title":"CraftedSignal Threat Feed — Powmix","version":"https://jsonfeed.org/version/1.1"}