PowMix botnet targets Czech workforce
ID: f76d1f16-9653-5989-be26-e957a58f1426
STIX ID: report--f76d1f16-9653-5989-be26-e957a58f1426
Feed Name: Cisco Talos
Cisco Talos reports an ongoing malicious campaign targeting Czech organizations that uses a PowerShell LNK-based loader to deploy a previously unreported botnet named PowMix. The malware bypasses AMSI, executes in memory, establishes scheduled-task persistence, generates unique Bot IDs, and uses randomized, REST-like C2 beaconing (abusing herokuapp.com) with encrypted heartbeats to evade detection. The report includes victimology, detailed technical analysis of the loader and the PowMix payload, IOCs and signatures, and notes similarities to the earlier ZipLine campaign.
