PowMix Botnet Targets Czech Workforce

PowMix Botnet Targets Czech Workforce 🚨

Cisco Talos has uncovered a malicious campaign that has been ongoing since at least December 2025, impacting a wide range of workers in the Czech Republic through a previously undocumented botnet known as PowMix. This sophisticated botnet utilizes randomized command-and-control (C2) beaconing intervals to evade detection by network signatures. PowMix cleverly embeds encrypted heartbeat data and unique identifiers of the victim’s machine into the C2 URL paths, mimicking legitimate REST API URLs.

Attack Overview 🔍

Talos has observed that attackers are targeting various Czech organizations by impersonating the legitimate EDEKA brand and leveraging authentic regulatory frameworks like the Czech Data Protection Act. They deploy decoy documents with compliance-themed lures aimed at compromising victims from human resources (HR), legal, and recruitment sectors. These lure documents often include compensation data and legitimate legislative references to enhance their authenticity and attract job seekers across diverse fields such as IT, finance, and logistics.

Technical Details ⚙️

The PowMix botnet payload is delivered via a Windows shortcut file contained within a malicious ZIP file, typically sent through phishing emails. When a victim executes this shortcut, it triggers a PowerShell loader script that extracts the botnet payload directly into the victim’s memory, establishing communication with the botnet C2. To avoid detection, the script employs an AMSI bypass technique, deceiving the Windows security subsystem into disabling real-time scanning of subsequent commands.

Conclusion 🔒

The intent behind this campaign remains unclear, but the overlaps with previous campaigns, such as the ZipLine campaign, suggest a sophisticated level of planning and execution. Organizations in the Czech Republic should remain vigilant and enhance their security measures to protect against such threats.

For more details, Read full article