
PowMix Botnet Targets Czech Organizations with Malicious LNK Files

Severity: High (Score: 72.5)

Sources: Blog.Talosintelligence, Scworld, Socprime

Summary

The PowMix botnet has been identified as targeting Czech organizations since at least December 2025. Attackers use malicious LNK files to start a PowerShell loader that extracts a ZIP archive, bypasses AMSI protections, and executes the PowMix payload directly in memory. The campaign employs tactics similar to the earlier ZipLine campaign, including ZIP-based payload concealment and the use of herokuapp.com for command-and-control infrastructure. The malware maintains persistence through a scheduled task with a randomized name and uses a global mutex for execution control. Cisco Talos has documented the botnet's capabilities, including remote command execution and self-removal features. Organizations are advised to implement strict controls on LNK file execution and monitor for suspicious PowerShell activity. Detection measures have been enhanced with new signatures for ClamAV and Snort. The full scope of impact remains unclear, as the final payload has not been observed.

Key Points

  • PowMix botnet targets Czech organizations using malicious LNK files.
  • The attack method includes a PowerShell loader that bypasses AMSI protections.
  • Organizations should enforce strict controls on LNK file execution and monitor PowerShell activity.
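The summary recommends monitoring for suspicious PowerShell activity and notes three observable stages of the chain: PowerShell launched from an LNK double-click, ZIP extraction by that loader, and a scheduled task with a randomized name. The script below is an added example written for this page, not code from Cisco Talos or from any of the cited sources, showing how a defender might triage process-creation events against those three stages. The event field names (`ParentImage`, `Image`, `CommandLine`, in the style of Sysmon Event ID 1), the indicator tokens, the entropy threshold and every sample event are assumptions constructed for illustration; nothing here is a real indicator from the campaign.

```python
"""Heuristic triage of process-creation events for a PowMix-style chain:
LNK double-click -> PowerShell loader -> ZIP extraction -> randomly named
scheduled task. All events below are constructed sample data, and the
field names follow a Sysmon Event ID 1 style (an assumption)."""
import math
import re

# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -ep bypass -c '
                    '"Expand-Archive -Path $env:TEMP\\inv.zip -DestinationPath $env:TEMP\\x"'},
    {"id": 2, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn "Xq7zT9kLp2Wv" '
                    '/tr "powershell.exe -w hidden -f C:\\Users\\Public\\x.ps1"'},
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "$a = \'System.Management.Automation.AmsiUtils\'"'},
    {"id": 4, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc daily /tn "MicrosoftEdgeUpdateTaskMachineCore" '
                    '/tr "C:\\Program Files\\Edge\\update.exe"'},
    # Benign: an admin running a script from Explorer without evasion switches.
    {"id": 5, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1'},
]

# Switches that hide the window, disable the execution policy, or pass an
# encoded command. -NoProfile alone is too common in legitimate use to flag.
HIDDEN_RE = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
BYPASS_RE = re.compile(r"(?i)\s-e(?:xecutionpolicy|p)\s+bypass\b")
ENCODED_RE = re.compile(r"(?i)\s-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}")
ZIP_RE = re.compile(r"(?i)Expand-Archive|ZipFile|\.zip\b")
AMSI_RE = re.compile(r"(?i)amsi")            # assumed indicator token
TASKNAME_RE = re.compile(r'(?i)/tn\s+"?([^"\s]+)')


def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def is_explorer(image):
    # PowerShell whose parent is explorer.exe is the usual shape of an
    # LNK double-click; it is also how users start interactive shells.
    return image.lower().endswith("explorer.exe")


def shannon_entropy(s):
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def looks_random(name):
    """Crude 'randomized name' test: long, mixes in digits, high entropy.
    The 3.3-bit threshold is an assumption tuned to the samples above."""
    return len(name) >= 8 and any(c.isdigit() for c in name) and shannon_entropy(name) >= 3.3


def analyze_event(ev):
    """Return the rule names an event triggers (empty list if nothing fires)."""
    hits = []
    image, parent, cmd = ev["Image"], ev["ParentImage"], ev["CommandLine"]
    if is_powershell(image):
        evasive = bool(HIDDEN_RE.search(cmd) or BYPASS_RE.search(cmd) or ENCODED_RE.search(cmd))
        if evasive and is_explorer(parent):
            hits.append("lnk_spawned_powershell_evasion")
        if evasive and ZIP_RE.search(cmd):
            hits.append("zip_payload_extraction")
        if AMSI_RE.search(cmd):
            hits.append("amsi_reference")
    if image.lower().endswith("schtasks.exe") and re.search(r"(?i)/create\b", cmd):
        m = TASKNAME_RE.search(cmd)
        if m and looks_random(m.group(1)):
            hits.append("random_named_scheduled_task")
    return hits


def triage(events):
    """Flatten findings to (event id, rule) pairs in event order."""
    return [(ev["id"], rule) for ev in events for rule in analyze_event(ev)]


if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule is deliberately narrow so that the benign event 5 produces nothing: PowerShell started from Explorer only fires together with an evasion switch, ZIP extraction only fires alongside such a switch, and the scheduled-task rule needs a name that both carries digits and has high character entropy. In a real deployment the thresholds and tokens would be tuned against the organization's own baseline of PowerShell and `schtasks.exe` usage.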

Key Entities

  • Botnet (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • PowMix Campaign (campaign)
  • ZipLine Campaign (campaign)
  • Zipline (malware)
  • MixShell (malware)
  • PowMix (malware)
  • RondoDox (malware)
  • XMRig (malware)
  • Czech Republic (country)
  • T1053.005 - Scheduled Task (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1071.001 - Web Protocols (mitre_attack)
  • T1071 - Application Layer Protocol (mitre_attack)
  • Heroku (platform)
  • Windows (platform)
  • PowerShell (tool)