powmix-czech-workforce-2026-04-16

PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce

Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.

Confidence: likely
IIM version: 1.1
Actor: unknown
Review status: needs review
Entities: 8
Relations: 8
Techniques: 3
Published: 2026-05-27 12:05:45

Infrastructure map

Role-based chain map (interactive view; node roles: entry, redirector, staging, payload, c2)

Chain storyline

Ordered IIM positions (position, role, entity type, value, IIM technique where assigned):

1. entry (file): malicious ZIP archive with compliance-themed lure [IIM-T024]
2. staging (file): Windows shortcut file inside ZIP
3. staging (file): embedded PowerShell loader script
4. staging (file): hidden encoded PowMix payload blob inside ZIP
5. payload (file): PowMix PowerShell botnet payload
6. c2 (domain): herokuapp.com based C2 endpoint [IIM-T002]
7. c2 (url): REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix
8. c2 (domain): operator-supplied replacement C2 domain from #HOST command [IIM-T011]

Relations

Directed infrastructure edges (from -> to: relation type, confidence):

1. e1 -> e2: drops (confirmed)
2. e2 -> e3: execute (confirmed)
3. e3 -> e4: references (confirmed)
4. e3 -> e5: execute (confirmed)
5. e5 -> e6: connect (confirmed)
6. e5 -> e7: communicates-with (confirmed)
7. e6 -> e8: references (likely)
8. e5 -> e8: connect (tentative)

Entities & evidence

Observable inventory (ID, type, value, source / evidence):

e1 (file): malicious ZIP archive with compliance-themed lure
  Evidence: Talos reports the attack begins when the victim runs a Windows shortcut contained within a malicious ZIP file.

e2 (file): Windows shortcut file inside ZIP
  Evidence: Talos describes an LNK-triggered PowerShell loader.

e3 (file): embedded PowerShell loader script
  Evidence: Talos reports that the shortcut triggers an embedded PowerShell loader script.

e4 (file): hidden encoded PowMix payload blob inside ZIP
  Evidence: Talos reports that the loader parses the ZIP for a hardcoded marker such as zAswKoK and extracts a hidden encoded command from the ZIP data blob.

e5 (file): PowMix PowerShell botnet payload
  Evidence: Talos identifies the secondary payload PowerShell script as PowMix, a previously unreported botnet.

e6 (domain): herokuapp.com based C2 endpoint
  Evidence: Talos reports abuse of herokuapp.com for C2 operations and tactical overlap with ZipLine.

e7 (url): REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix
  Evidence: Talos reports that PowMix embeds encrypted heartbeat data and unique victim identifiers into C2 URL paths mimicking legitimate REST API URLs.

e8 (domain): operator-supplied replacement C2 domain from #HOST command
  Evidence: Talos reports that PowMix can remotely update the C2 URL in its configuration file using the #HOST command.

ATT&CK annotations

Optional complementary mapping (ATT&CK technique, comment):

T1566.001 Spearphishing Attachment (Initial Access)
  Talos states the malicious ZIP was potentially delivered through phishing email.

T1204.002 User Execution: Malicious File (Execution)
  The chain begins when the victim runs the Windows shortcut file.

T1059.001 PowerShell (Execution)
  The loader and PowMix payload are PowerShell-based.

T1027 Obfuscated Files or Information (Defense Evasion)
  Hidden encoded command inside ZIP blob and XOR-obfuscated configuration.

T1562.001 Impair Defenses: Disable or Modify Tools (Defense Evasion)
  Talos describes AMSI bypass logic.

T1053.005 Scheduled Task/Job: Scheduled Task (Persistence)
  Talos describes scheduled task persistence.

T1105 Ingress Tool Transfer (Command and Control)
  C2 can return payloads/commands for execution.

Raw IIM JSON (canonical body from MANTIS)

{
  "iim_version": "1.1",
  "chain_id": "powmix-czech-workforce-2026-04-16",
  "title": "PowMix ZIP/LNK PowerShell botnet chain targeting Czech workforce",
  "description": "Cisco Talos observed a campaign targeting Czech organizations and workforce-related victims. The chain uses a malicious ZIP, LNK-triggered PowerShell loader, an embedded PowMix payload hidden in the ZIP data blob, and C2 communication via Heroku-hosted infrastructure using REST-like URL paths.",
  "actor_id": "unknown",
  "observed_at": "2025-12-01T00:00:00Z",
  "confidence": "likely",
  "x_references": [
    {
      "title": "PowMix botnet targets Czech workforce",
      "publisher": "Cisco Talos",
      "published": "2026-04-16",
      "url": "https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/"
    },
    {
      "title": "PowMix botnet targets Czech workforce IOCs",
      "publisher": "Cisco Talos GitHub IOCs",
      "published": "2026-04-16",
      "url": "https://github.com/Cisco-Talos/IOCs/blob/main/2026/04/powmix-botnet-targets-czech-workforce.txt"
    }
  ],
  "entities": [
    {
      "id": "e1",
      "type": "file",
      "value": "malicious ZIP archive with compliance-themed lure",
      "evidence": [
        "Talos reports the attack begins when the victim runs a Windows shortcut contained within a malicious ZIP file."
      ]
    },
    {
      "id": "e2",
      "type": "file",
      "value": "Windows shortcut file inside ZIP",
      "evidence": [
        "Talos describes an LNK-triggered PowerShell loader."
      ]
    },
    {
      "id": "e3",
      "type": "file",
      "value": "embedded PowerShell loader script",
      "evidence": [
        "Talos reports that the shortcut triggers an embedded PowerShell loader script."
      ]
    },
    {
      "id": "e4",
      "type": "file",
      "value": "hidden encoded PowMix payload blob inside ZIP",
      "evidence": [
        "Talos reports that the loader parses the ZIP for a hardcoded marker such as zAswKoK and extracts a hidden encoded command from the ZIP data blob."
      ]
    },
    {
      "id": "e5",
      "type": "file",
      "value": "PowMix PowerShell botnet payload",
      "evidence": [
        "Talos identifies the secondary payload PowerShell script as PowMix, a previously unreported botnet."
      ]
    },
    {
      "id": "e6",
      "type": "domain",
      "value": "herokuapp.com based C2 endpoint",
      "evidence": [
        "Talos reports abuse of herokuapp.com for C2 operations and tactical overlap with ZipLine."
      ]
    },
    {
      "id": "e7",
      "type": "url",
      "value": "REST-like C2 URL path containing Bot ID, configuration hash, encrypted heartbeat, timestamp and random suffix",
      "evidence": [
        "Talos reports that PowMix embeds encrypted heartbeat data and unique victim identifiers into C2 URL paths mimicking legitimate REST API URLs."
      ]
    },
    {
      "id": "e8",
      "type": "domain",
      "value": "operator-supplied replacement C2 domain from #HOST command",
      "evidence": [
        "Talos reports that PowMix can remotely update the C2 URL in its configuration file using the #HOST command."
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e2",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "LNK is execution behavior / file type context, not an IIM technique by itself."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "PowerShell loader execution and AMSI bypass are ATT&CK, not IIM."
    },
    {
      "entity_id": "e4",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Hidden encoded payload inside ZIP blob is a composition behavior, but current IIM v1.0 only has Archive Container and Nested Container. This is not exactly Nested Container because the payload is embedded in the ZIP data blob rather than another archive layer."
    },
    {
      "entity_id": "e5",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e6",
      "role": "c2",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "review_notes": "Heroku is modeled as Cloud Hosting. If the catalog later distinguishes PaaS app hosting from generic cloud IaaS, this can be refined."
    },
    {
      "entity_id": "e7",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "REST-like URL path encoding is infrastructure-relevant C2 communication shape, but no current IIM v1.0 technique maps cleanly. Kept as C2 entity plus candidate technique."
    },
    {
      "entity_id": "e8",
      "role": "c2",
      "techniques": [
        "IIM-T011"
      ],
      "role_confidence": "likely",
      "technique_confidence": "tentative",
      "needs_review": true,
      "review_notes": "The #HOST command supports C2 migration. It resembles Domain Rotation, but the public report describes remote C2 replacement rather than an observed rotating domain pool. Technique confidence is therefore tentative."
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "drops",
      "sequence_order": 1,
      "confidence": "confirmed"
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "execute",
      "sequence_order": 2,
      "confidence": "confirmed"
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "references",
      "sequence_order": 3,
      "confidence": "confirmed"
    },
    {
      "from": "e3",
      "to": "e5",
      "type": "execute",
      "sequence_order": 4,
      "confidence": "confirmed"
    },
    {
      "from": "e5",
      "to": "e6",
      "type": "connect",
      "sequence_order": 5,
      "confidence": "confirmed"
    },
    {
      "from": "e5",
      "to": "e7",
      "type": "communicates-with",
      "sequence_order": 6,
      "confidence": "confirmed"
    },
    {
      "from": "e6",
      "to": "e8",
      "type": "references",
      "sequence_order": 7,
      "confidence": "likely"
    },
    {
      "from": "e5",
      "to": "e8",
      "type": "connect",
      "sequence_order": 8,
      "confidence": "tentative"
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Talos states the malicious ZIP was potentially delivered through phishing email."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "The chain begins when the victim runs the Windows shortcut file."
    },
    {
      "technique_id": "T1059.001",
      "name": "PowerShell",
      "tactic": "Execution",
      "comment": "The loader and PowMix payload are PowerShell-based."
    },
    {
      "technique_id": "T1027",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "comment": "Hidden encoded command inside ZIP blob and XOR-obfuscated configuration."
    },
    {
      "technique_id": "T1562.001",
      "name": "Impair Defenses: Disable or Modify Tools",
      "tactic": "Defense Evasion",
      "comment": "Talos describes AMSI bypass logic."
    },
    {
      "technique_id": "T1053.005",
      "name": "Scheduled Task/Job: Scheduled Task",
      "tactic": "Persistence",
      "comment": "Talos describes scheduled task persistence."
    },
    {
      "technique_id": "T1105",
      "name": "Ingress Tool Transfer",
      "tactic": "Command and Control",
      "comment": "C2 can return payloads/commands for execution."
    }
  ],
  "x_candidate_iim_techniques": [
    {
      "name": "C2 Path-Encoded Telemetry",
      "category": "routing",
      "reason": "PowMix embeds bot identity, config hash, encrypted heartbeat, timestamp and random suffix into REST-like URL paths. This is observable C2 infrastructure shape."
    },
    {
      "name": "Remote C2 Re-Seeding",
      "category": "resolution",
      "reason": "The #HOST command lets the operator push a replacement C2 URL that the bot prioritizes on later initialization. This is stronger than simple domain rotation and probably deserves its own IIM technique."
    },
    {
      "name": "Payload Blob Embedded in Container Data",
      "category": "composition",
      "reason": "The payload is not simply a normal archived child file; it is extracted from a ZIP data blob via a marker. Current IIM-T024 covers archive delivery, but not this exact composition trick."
    }
  ]
}