SOC Prime Bias: Medium

17 Apr 2026 17:34

PowMix Botnet Targets Czech Workforce via Media Company Lure

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Cisco Talos uncovered a botnet tracked as PowMix that has been active since at least December 2025 and is aimed at organizations in the Czech Republic. The infection chain begins with malicious LNK files that trigger a PowerShell loader, which unpacks a ZIP archive, bypasses AMSI protections, and launches the PowMix payload directly in memory. Once established, the malware maintains persistence through a scheduled task with a randomized hexadecimal name and uses a global mutex to control execution. PowMix communicates with its command-and-control infrastructure through randomized REST-like paths hosted on abused herokuapp.com domains and supports remote command execution, configuration changes, and self-removal.

Investigation

Talos examined the full LNK-based delivery chain, the PowerShell loader, and the PowMix bot itself, identifying notable similarities to the earlier ZipLine campaign, including ZIP-based payload concealment and the use of Heroku-hosted infrastructure for C2. Researchers documented the malware’s AMSI bypass method, its CRC32-style bot ID generation logic, and beaconing intervals designed with jitter to reduce detection. The team also extracted key indicators, including the scheduled task naming pattern, mutex conventions, and hard-coded XOR key strings embedded in the malware. Detection coverage was further expanded through the creation of ClamAV and Snort signatures.

Mitigation

Organizations should apply strict controls to the execution of LNK files and monitor for PowerShell activity that creates scheduled tasks or global mutexes. AMSI protections should be hardened wherever possible, and script execution should be governed by code-signing requirements and restrictive policies. Security teams should also block or closely inspect outbound traffic to suspicious herokuapp.com domains and review proxy authentication logs for unusual browser-like requests that may indicate PowMix activity. Endpoint detections should be updated to identify the specific PowerShell commands and behaviors used by the loader.
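One way to do the proxy-log review described above, as an added example that is not Talos or SOC Prime code: parse proxy records, keep only requests to *.herokuapp.com, and score each client/host pair on two of the traits the page attributes to PowMix, a beacon interval with modest jitter and a never-repeating REST-like path, while also noting a Chrome-like User-Agent. The log layout, every sample line, the app hostnames and the thresholds (MinRequests, MaxJitterCV) are constructed for this example and are not values published for PowMix; adapt the parser to your proxy's format.

```powershell
# Added example (not Talos or SOC Prime code): flag beacon-like sessions to *.herokuapp.com
# in proxy logs. Log layout, sample lines, hostnames and thresholds are all constructed.

function Get-ProxyBeaconCandidates {
    [CmdletBinding()]
    param(
        # Each line: <ISO8601 time> <client IP> <method> <URL> <status> <user agent ...>
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$HostSuffix  = '.herokuapp.com',   # abused hosting named on the page
        [int]$MinRequests    = 5,                  # ASSUMPTION: illustrative threshold
        [double]$MaxJitterCV = 0.35                # ASSUMPTION: std-dev / mean of the gaps
    )
    $sessions = @{}
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim() -split '\s+', 6          # 6th field keeps the whole User-Agent
        if ($f.Count -lt 6) { continue }
        $uri = [uri]$f[3]
        if (-not $uri.Host.EndsWith($HostSuffix, [StringComparison]::OrdinalIgnoreCase)) { continue }
        $key = "$($f[1]) -> $($uri.Host)"
        if (-not $sessions.ContainsKey($key)) {
            $sessions[$key] = [System.Collections.Generic.List[object]]::new()
        }
        $sessions[$key].Add([pscustomobject]@{
            Time = [datetimeoffset]::Parse($f[0])
            Path = $uri.AbsolutePath
            UA   = $f[5]
        })
    }
    foreach ($key in $sessions.Keys) {
        $reqs = @($sessions[$key] | Sort-Object Time)
        if ($reqs.Count -lt $MinRequests) { continue }
        # Seconds between consecutive requests: a sleep-with-jitter loop gives a low
        # coefficient of variation, interactive browsing gives a high one.
        $gaps = for ($i = 1; $i -lt $reqs.Count; $i++) {
            ($reqs[$i].Time - $reqs[$i - 1].Time).TotalSeconds
        }
        $mean = ($gaps | Measure-Object -Average).Average
        $var  = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $cv   = if ($mean -gt 0) { [math]::Sqrt($var) / $mean } else { 0 }
        $distinct = @($reqs.Path | Select-Object -Unique).Count
        [pscustomobject]@{
            Session       = $key
            Requests      = $reqs.Count
            MeanGapSec    = [math]::Round($mean, 1)
            JitterCV      = [math]::Round($cv, 2)
            DistinctPaths = $distinct
            ChromeLikeUA  = @($reqs | Where-Object { $_.UA -match 'Chrome/' }).Count -gt 0
            # Regular timing plus a path that never repeats is the PowMix-style shape
            Suspicious    = ($cv -le $MaxJitterCV) -and ($distinct -eq $reqs.Count)
        }
    }
}

# Constructed sample log: one jittered ~5-minute beacon, one non-Heroku request,
# and one interactive session to a Heroku-hosted app that should NOT be flagged.
$SampleProxyLog = @'
2026-04-17T09:00:00Z 10.1.2.30 GET https://constructed-c2.herokuapp.com/api/v1/8f3a1c0d 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:04:50Z 10.1.2.30 GET https://constructed-c2.herokuapp.com/cdn/x/5b2e9d04 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:10:10Z 10.1.2.30 GET https://constructed-c2.herokuapp.com/v2/items/c71ab9e3 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:14:45Z 10.1.2.30 GET https://constructed-c2.herokuapp.com/api/q/0d4e77f1 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:20:05Z 10.1.2.30 GET https://constructed-c2.herokuapp.com/s/3e9c2b8a/p 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:25:20Z 10.1.2.30 GET https://constructed-c2.herokuapp.com/api/v3/f6a01d2c 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:01:12Z 10.1.2.31 GET https://www.example.com/ 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:00:00Z 10.1.2.32 GET https://constructed-dashboard.herokuapp.com/login 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:00:03Z 10.1.2.32 GET https://constructed-dashboard.herokuapp.com/dashboard 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:00:04Z 10.1.2.32 GET https://constructed-dashboard.herokuapp.com/static/app.js 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:12:30Z 10.1.2.32 GET https://constructed-dashboard.herokuapp.com/dashboard 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:12:31Z 10.1.2.32 GET https://constructed-dashboard.herokuapp.com/api/status 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
2026-04-17T09:41:00Z 10.1.2.32 GET https://constructed-dashboard.herokuapp.com/dashboard 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0 Safari/537.36
'@

Get-ProxyBeaconCandidates -Lines ($SampleProxyLog -split "`r?`n") |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

On the sample, the 10.1.2.30 session has gaps of 290, 320, 275, 320 and 315 seconds (JitterCV about 0.06) and six distinct paths, so it is marked Suspicious; the 10.1.2.32 session has the same Chrome-like User-Agent but bursty timing and repeated paths, so it is not. The User-Agent is reported but deliberately not scored, because the page's point is that PowMix's requests look like a browser's; timing and path behaviour are what separate them.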

Response

If PowMix-related activity is detected, defenders should isolate the affected host, terminate the malicious PowerShell process, and remove the scheduled task along with any associated files stored under ProgramData. Forensic collection should capture the full execution chain, including command-line artifacts, mutex values, and any downloaded configuration data. Potentially exposed credentials should be reset, and proxy and firewall controls should be updated to block the identified command-and-control domains. Security teams should also monitor network traffic for commands such as #HOST and #KILL, notify relevant stakeholders, and update detection content to reflect the latest indicators.
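The scheduled-task part of that response, as an added triage helper that is not Talos or SOC Prime code: enumerate tasks whose name is a bare hex string and whose action launches explorer.exe with a .lnk argument, preserve the task XML, the shortcut, its resolved target and a SHA-256 before anything is touched, and only then unregister the task and delete the shortcut. ASSUMPTIONS, not facts from the page: the "randomized hexadecimal name" is taken to be 8 to 32 hex characters, the shortcut is passed as the explorer.exe argument, the evidence directory path is illustrative, and the function names are mine. Run it elevated on the affected host.

```powershell
# Added triage helper (not Talos or SOC Prime code). Name pattern, action shape and
# evidence path are ASSUMPTIONS; adjust them to the indicators you actually hold.

function Find-PowMixStyleTask {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '^[0-9a-fA-F]{8,32}$'   # ASSUMPTION: hex-name length range
    )
    foreach ($task in Get-ScheduledTask) {
        if ($task.TaskName -notmatch $NamePattern) { continue }
        foreach ($action in $task.Actions) {
            $exe    = ([string]$action.Execute).Trim('"')
            $argStr = [string]$action.Arguments
            if ($exe -notmatch '(^|\\)explorer\.exe$') { continue }
            # Accept a quoted or unquoted .lnk path as the explorer.exe argument
            if (-not ($argStr -match '(["'']?)([^"'']+\.lnk)\1')) { continue }
            $lnk = $Matches[2]
            [pscustomobject]@{
                TaskName         = $task.TaskName
                TaskPath         = $task.TaskPath
                Execute          = $exe
                Arguments        = $argStr
                LnkPath          = $lnk
                UnderProgramData = $lnk.StartsWith($env:ProgramData, [StringComparison]::OrdinalIgnoreCase)
                Triggers         = @($task.Triggers | ForEach-Object {
                                       '{0} start={1}' -f $_.CimClass.CimClassName, $_.StartBoundary }) -join '; '
                Author           = $task.Author
            }
        }
    }
}

function Invoke-PowMixStyleTaskResponse {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Finding,       # object from Find-PowMixStyleTask
        [string]$EvidenceDir = "$env:ProgramData\IR\powmix-triage",   # ASSUMPTION: collection path
        [switch]$Remove
    )
    process {
        New-Item -ItemType Directory -Force -Path $EvidenceDir | Out-Null
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $base  = Join-Path $EvidenceDir "$stamp-$($Finding.TaskName)"
        # Preserve the task definition and the shortcut before anything is removed
        Export-ScheduledTask -TaskName $Finding.TaskName -TaskPath $Finding.TaskPath |
            Set-Content -Path "$base.task.xml" -Encoding Unicode
        $record = [ordered]@{ Task = $Finding; Collected = (Get-Date).ToString('o') }
        if (Test-Path -LiteralPath $Finding.LnkPath) {
            Copy-Item -LiteralPath $Finding.LnkPath -Destination "$base.lnk.bin"
            $sc = (New-Object -ComObject WScript.Shell).CreateShortcut($Finding.LnkPath)
            $record.LnkTarget    = $sc.TargetPath        # what the shortcut really launches
            $record.LnkArguments = $sc.Arguments
            $record.LnkSha256    = (Get-FileHash -LiteralPath $Finding.LnkPath -Algorithm SHA256).Hash
        }
        $record | ConvertTo-Json -Depth 4 | Set-Content -Path "$base.json"
        if ($Remove -and $PSCmdlet.ShouldProcess($Finding.TaskName, 'Unregister task and delete shortcut')) {
            Unregister-ScheduledTask -TaskName $Finding.TaskName -TaskPath $Finding.TaskPath -Confirm:$false
            Remove-Item -LiteralPath $Finding.LnkPath -Force -ErrorAction SilentlyContinue
        }
        $base   # evidence file prefix for the case notes
    }
}

# Usage: collect first, review, then remove (dry run with -WhatIf)
# Find-PowMixStyleTask | Format-List
# Find-PowMixStyleTask | Invoke-PowMixStyleTaskResponse
# Find-PowMixStyleTask | Invoke-PowMixStyleTaskResponse -Remove -WhatIf
```

Collection runs before removal on purpose: once the task is unregistered, Export-ScheduledTask has nothing to export, and the shortcut's target and arguments are the quickest way to recover the loader's command line if Sysmon or PowerShell logging was not enabled on the host.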

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef technique fill:#ffff99
    classDef process fill:#ffcc99
    classDef malware fill:#ff9999
    classDef artifact fill:#e0e0e0
    classDef persistence fill:#b3ffb3
    classDef c2 fill:#d9b3ff
    classDef command fill:#ffd9b3
    %% Nodes
    attack_phishing["<b>Action</b> – T1566.001 Phishing: Spearphishing Attachment<br/>Victim receives email with malicious ZIP"]
    class attack_phishing action
    file_zip["<b>Artifact</b> – Malicious ZIP archive<br/>Contains LNK shortcut"]
    class file_zip artifact
    file_lnk["<b>Artifact</b> – Malicious shortcut (.lnk)<br/>T1027.012 LNK Icon Smuggling"]
    class file_lnk artifact
    process_powershell["<b>Process</b> – PowerShell loader<br/>T1059.001 PowerShell execution"]
    class process_powershell process
    tech_amsi_bypass["<b>Technique</b> – T1562.001 Impair Defenses: Disable or Modify Tools<br/>AMSI bypass: disables or evades Antimalware Scan Interface"]
    class tech_amsi_bypass technique
    tech_compression["<b>Technique</b> – T1027.015 Compression<br/>Payload compressed to hide content"]
    class tech_compression technique
    tech_xor["<b>Technique</b> – T1027.013 Encrypted/Encoded File (XOR)<br/>Custom XOR encryption of payload"]
    class tech_xor technique
    malware_powmix["<b>Malware</b> – PowMix<br/>In-memory loader, generates Bot ID, communicates with C2"]
    class malware_powmix malware
    tech_botid["<b>Technique</b> – Generate Bot ID<br/>CRC32-style checksum for unique identifier"]
    class tech_botid technique
    persistence_task["<b>Persistence</b> – T1053.005 Scheduled Task<br/>Random hex name, daily trigger at 11:00, runs Explorer with shortcut"]
    class persistence_task persistence
    tech_shortcut_mod["<b>Technique</b> – T1547.009 Shortcut Modification<br/>Uses shortcut to launch payload"]
    class tech_shortcut_mod technique
    c2_communication["<b>C2 Communication</b> – HTTPS GET requests<br/>T1102 Web Service, encrypted data in URL, mimics Chrome"]
    class c2_communication c2
    command_host["<b>Command</b> – #HOST<br/>Instructs bot to update C2 domain"]
    class command_host command
    command_kill["<b>Command</b> – #KILL<br/>Deletes scheduled task, removes files"]
    class command_kill command
    tech_clear_persistence["<b>Technique</b> – T1070.009 Indicator Removal: Clear Persistence"]
    class tech_clear_persistence technique
    tech_file_deletion["<b>Technique</b> – T1070.004 Indicator Removal: File Deletion"]
    class tech_file_deletion technique
    %% Connections
    attack_phishing -->|delivers| file_zip
    file_zip -->|contains| file_lnk
    file_lnk -->|triggers| process_powershell
    process_powershell -->|applies| tech_amsi_bypass
    process_powershell -->|uses| tech_compression
    process_powershell -->|uses| tech_xor
    process_powershell -->|loads| malware_powmix
    malware_powmix -->|executes| tech_botid
    malware_powmix -->|creates| persistence_task
    persistence_task -->|uses| tech_shortcut_mod
    malware_powmix -->|communicates with| c2_communication
    c2_communication -->|issues| command_host
    c2_communication -->|issues| command_kill
    command_kill -->|applies| tech_clear_persistence
    command_kill -->|applies| tech_file_deletion

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The test imitates the loader's first two observable actions. It runs a PowerShell one‑liner whose command line carries the amsiInitFailed = $true assignment that the AMSI bypass relies on, and the same PowerShell process then creates a named mutex in the global namespace (Global\BOT12345) to reproduce the single‑instance check. Both actions sit on one command line so that the Sysmon process‑creation event (Event ID 1) captures the exact strings the rule looks for. As written for the test, the assignment sets an ordinary PowerShell variable and leaves AMSI intact; only the string the rule matches is reproduced.

  • Regression Test Script:

    # PowMix‑like AMSI bypass marker + global mutex creation (triggers the detection rule)
    # Note: the "$amsiInitFailed = $true" assignment only puts the literal string the rule
    # matches onto the command line; it sets a plain PowerShell variable and does not touch AMSI.

    $botId = "BOT12345"

    # Build the child command in single quotes so that $amsiInitFailed, $true and $null are
    # not expanded by the outer shell (a double-quoted string would expand them and hand the
    # child an unparseable command); only $botId is spliced in.
    $inner = '$amsiInitFailed = $true; $null = [System.Threading.Mutex]::new($true, ''Global\' + $botId + ''')'

    # 1. The literal "amsiInitFailed = $true" appears in the child's command line (Sysmon EID 1)
    # 2. The child creates a mutex named "Global\<BotID>" in the global namespace
    powershell.exe -NoProfile -Command $inner
  • Cleanup Commands:

    # The child powershell.exe exits as soon as its command completes, so the mutex is
    # released with it and nothing is written to disk. If a test process is lingering, find
    # it by command line (Get-Process exposes no arguments; Win32_Process does) and stop it.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CommandLine -match 'Global\\BOT12345' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    # Confirm the mutex is gone: OpenExisting throws WaitHandleCannotBeOpenedException otherwise.
    try { [System.Threading.Mutex]::OpenExisting('Global\BOT12345').Dispose(); Write-Warning 'mutex still present' }
    catch [System.Threading.WaitHandleCannotBeOpenedException] { 'mutex released' }