TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Cisco Talos Intelligence

PowMix botnet targets Czech workforce

Chetan Raghuprasad · 2026-04-16

ATT&CK techniques detected

23 predictions
T1059.001 PowerShell · 99%
“parses the malicious zip file to locate a specific marker that is hardcoded, such as zaswkok. This marker is treated as a delimiter, enabling the extraction of a hidden, encoded command that is embedded within the zip file data blob. Throughout this process, the script performs a…”

T1053.005 Scheduled Task · 99%
“names the scheduled task by concatenating the bot ID and configuration file hash, resulting in names that appear as random hexadecimal strings (such as "289c2e236761"). The task configuration specifies a daily trigger set to execute at 11:00 a.m., and the execution action…”

T1059.001 PowerShell · 98%
“payload concealment, Windows scheduled task persistence, CRC32-based bot ID generation, and the abuse of "herokuapp.com" for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker's final payload was unobserved, and the in…”

T1059.001 PowerShell · 92%
“names the scheduled task by concatenating the bot ID and configuration file hash, resulting in names that appear as random hexadecimal strings (such as "289c2e236761"). The task configuration specifies a daily trigger set to execute at 11:00 a.m., and the execution action…”

T1053.005 Scheduled Task · 91%
“the ProgramData folder, before immediately attempting to conceal its presence. It invokes a function that utilizes the Win32ShowWindowAsync function of "user32.dll" to hide the current PowerShell console window. Then it decrypts the C2 domain and a configuration file using a c…”

T1204.002 Malicious File · 91%
“legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lu…”

T1053.005 Scheduled Task · 87%
“payload concealment, Windows scheduled task persistence, CRC32-based bot ID generation, and the abuse of "herokuapp.com" for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker's final payload was unobserved, and the in…”

T1055.001 Dynamic-link Library Injection · 84%
“defining several obfuscated variables, including the file name of the malicious zip file that was likely received via a phishing email. Then, the script dynamically constructs paths to the folders such as "ProgramData" and the user's "Downloads" folder to locate this zip file.…”

T1053.005 Scheduled Task · 74%
“the botnet and arbitrary code execution, allowing the attacker to remotely control the victim machine. The remote management commands that the botnet receives from the C2 are identified by a leading hash symbol (#). We found that the PowMix botnet facilitates the commands descr…”

T1071.001 Web Protocols · 73%
“every URL is unique. The attacker mimics the REST API call URLs by embedding these data directly into the URL path, instead of using a URL query string or a POST request for communicating with the C2 server. PowMix establishes a Chrome User-Agent and configures the Accept-La…”

T1059.001 PowerShell · 70%
“legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lu…”

T1053 Scheduled Task/Job · 64%
“names the scheduled task by concatenating the bot ID and configuration file hash, resulting in names that appear as random hexadecimal strings (such as "289c2e236761"). The task configuration specifies a daily trigger set to execute at 11:00 a.m., and the execution action…”

T1059.001 PowerShell · 61%
“the ProgramData folder, before immediately attempting to conceal its presence. It invokes a function that utilizes the Win32ShowWindowAsync function of "user32.dll" to hide the current PowerShell console window. Then it decrypts the C2 domain and a configuration file using a c…”

T1001.003 Protocol or Service Impersonation · 57%
“every URL is unique. The attacker mimics the REST API call URLs by embedding these data directly into the URL path, instead of using a URL query string or a POST request for communicating with the C2 server. PowMix establishes a Chrome User-Agent and configures the Accept-La…”

T1071.001 Web Protocols · 52%
“…ted new C2 domain over hardcoded defaults, providing a robust mechanism for evading domain blacklisting. - For non-#-prefixed responses from the C2, the command processing routine of PowMix transitions into an arbitrary execution mode. It bypasses static detection of the invo…”

T1204.002 Malicious File · 47%
“payload concealment, Windows scheduled task persistence, CRC32-based bot ID generation, and the abuse of "herokuapp.com" for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker's final payload was unobserved, and the in…”

T1053.005 Scheduled Task · 47%
“legitimate EDEKA brand and authentic regulatory frameworks such as the Czech Data Protection Act, the attacker deploys decoy documents with compliance-themed lures, potentially aimed at compromising victims from human resources (HR), legal, and recruitment agencies. In the lu…”

T1071.001 Web Protocols · 42%
“from running at the same time. It creates a mutex with the name "Global\[BotID]". The "Global" prefix makes the mutex visible across all user sessions, stopping separate instances from running in different user sessions. PowMix avoids persistent connections to the C2 serv…”

T1588.001 Malware · 41%
“PowMix botnet targets Czech workforce - Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call "PowMix." - PowMix employs randomized command…”

T1566.001 Spearphishing Attachment · 40%
“PowMix botnet targets Czech workforce - Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call "PowMix." - PowMix employs randomized command…”

T1546.013 PowerShell Profile · 40%
“payload concealment, Windows scheduled task persistence, CRC32-based bot ID generation, and the abuse of "herokuapp.com" for command-and-control (C2) infrastructure. Although there are overlaps in the tactics, the attacker's final payload was unobserved, and the in…”

T1059.001 PowerShell · 34%
“the botnet and arbitrary code execution, allowing the attacker to remotely control the victim machine. The remote management commands that the botnet receives from the C2 are identified by a leading hash symbol (#). We found that the PowMix botnet facilitates the commands descr…”

T1546.013 PowerShell Profile · 33%
“parses the malicious zip file to locate a specific marker that is hardcoded, such as zaswkok. This marker is treated as a delimiter, enabling the extraction of a hidden, encoded command that is embedded within the zip file data blob. Throughout this process, the script performs a…”

Summary

Cisco Talos discovered an ongoing malicious campaign, operating since at least December 2025, affecting a broader workforce in the Czech Republic with a previously undocumented botnet we call “PowMix.”