What's Happening?
Cisco Talos has identified a botnet known as PowMix, which has been active since December 2025, targeting organizations in the Czech Republic. The infection process begins with malicious LNK files that activate a PowerShell loader, unpacking a ZIP archive and bypassing AMSI protections to launch the PowMix payload directly in memory. The malware maintains persistence through a scheduled task with a randomized hexadecimal name and uses a global mutex for execution control. PowMix communicates with its command-and-control infrastructure via randomized REST-like paths hosted on abused herokuapp.com domains, supporting remote command execution, configuration changes, and self-removal.
Why Is It Important?
The PowMix botnet represents a significant threat to cybersecurity, particularly for organizations in the Czech Republic. Its ability to bypass AMSI protections and maintain persistence through scheduled tasks poses challenges for detection and mitigation. The use of herokuapp.com domains for command-and-control communication highlights the need for organizations to scrutinize outbound traffic and enhance security measures. The botnet's capabilities for remote command execution and configuration changes could lead to data breaches and operational disruptions, emphasizing the importance of robust cybersecurity protocols.
What's Next?
Organizations are advised to implement strict controls on the execution of LNK files and monitor PowerShell activity that creates scheduled tasks or global mutexes. Strengthening AMSI protections and enforcing code-signing requirements can help mitigate the threat. Security teams should also block or closely inspect traffic to suspicious herokuapp.com domains and update endpoint detections to identify specific PowerShell commands used by the PowMix loader. Continuous monitoring and adaptation of security measures will be crucial in countering the evolving tactics of the PowMix botnet.
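As an added illustration of the monitoring the recommendations above call for, the script below applies two of those checks to a handful of constructed events: a scheduled task created by PowerShell whose name is a bare hexadecimal string, and a DNS query from PowerShell to a herokuapp.com subdomain. This is example code written for this summary, not Talos's tooling and not detection content from the advisory. The event shape and field names are a simplified, hypothetical schema (not Sysmon or EVTX fields), the minimum hex-name length of 8 is an assumption (the advisory only says "randomized hexadecimal"), and every hostname and task name in the sample is constructed. Global mutex creation is not visible in these event sources, so that indicator is not modelled here.

```python
"""Added example: PowMix-style behaviour checks over constructed Windows telemetry.

Assumptions (not from the advisory): the event dictionaries below use hypothetical
field names; the 8-character minimum for a 'random hex' task name is a guess; all
sample values are constructed for illustration.
"""
import re
from typing import Iterable

# Constructed sample events in a simplified, hypothetical schema.
SAMPLE_EVENTS = [
    # Scheduled task registered by PowerShell with a hex-only leaf name (suspicious).
    {"kind": "task_created", "task": "\\a3f91c7e2b", "creator": "powershell.exe", "user": "CORP\\jdoe"},
    # Ordinary OS task registered by svchost (benign).
    {"kind": "task_created", "task": "\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot",
     "creator": "svchost.exe", "user": "SYSTEM"},
    # Hex-looking task, but not created by PowerShell (not flagged by this rule).
    {"kind": "task_created", "task": "\\deadbeef01", "creator": "setup.exe", "user": "CORP\\jdoe"},
    # PowerShell resolving a herokuapp.com subdomain (suspicious; placeholder host).
    {"kind": "dns_query", "process": "powershell.exe", "query": "placeholder-app.herokuapp.com"},
    # Browser traffic to an unrelated host (benign).
    {"kind": "dns_query", "process": "chrome.exe", "query": "www.example.com"},
    # Look-alike domain that must NOT match the herokuapp.com suffix rule.
    {"kind": "dns_query", "process": "powershell.exe", "query": "notherokuapp.com"},
]

HEX_ONLY = re.compile(r"[0-9a-f]+", re.IGNORECASE)


def is_random_hex_task_name(task_path: str, min_len: int = 8) -> bool:
    """True when the task's leaf name is purely hexadecimal and at least min_len chars.

    The minimum length is an assumption chosen to skip short legitimate names.
    """
    leaf = task_path.rsplit("\\", 1)[-1]
    return len(leaf) >= min_len and HEX_ONLY.fullmatch(leaf) is not None


def is_herokuapp_host(host: str) -> bool:
    """Match herokuapp.com or any subdomain, rejecting look-alikes such as notherokuapp.com."""
    h = host.lower().rstrip(".")
    return h == "herokuapp.com" or h.endswith(".herokuapp.com")


def detect(events: Iterable[dict]) -> list:
    """Return (rule_name, evidence) tuples for events matching the two checks."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "task_created":
            if ev.get("creator", "").lower() == "powershell.exe" and is_random_hex_task_name(ev["task"]):
                findings.append(("hex_task_from_powershell", ev["task"]))
        elif kind == "dns_query":
            if ev.get("process", "").lower() == "powershell.exe" and is_herokuapp_host(ev["query"]):
                findings.append(("powershell_to_herokuapp", ev["query"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Both rules are deliberately narrow: the task rule only fires when PowerShell is the creator, and the domain rule checks the registrable suffix rather than a substring, so a look-alike such as notherokuapp.com does not match. In a real deployment the legitimate-use baseline for herokuapp.com in your environment decides whether the second rule blocks or merely alerts.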