PowMix phishing campaign targeting Czech workforce
Campaign
Summary
The PowMix campaign is actively targeting the Czech Republic’s workforce, raising the risk of remote access and remote code execution on compromised systems. The intrusion chain begins with a malicious ZIP file likely delivered by phishing email. A Windows Shortcut (LNK) then launches a PowerShell loader that drops the botnet payload. The operation has been active since at least December 2025.
Related Happenings
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen ransomware gang** is using a **legitimate vulnerable driver** to defeat enterprise defenses, weaponizing **ThrottleStop.sys** as **ThrottleBlood.sys** to kill **AV...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
How related:
The disclosure comes as Bitsight sheds light on the infection chain associated with the RondoDox botnet, highlighting the malware's evolving capabilities to illicitly mine cryptocurrency on infected systems using XMRig on top of the existing distributed denial-of-service (DDoS) attack functionality.
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities
Malware Activity
First: 10.04.2026 01:04
Last: 10.04.2026 01:04
Sources 1
About this happening:
**LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
**UAT-10027** is running an active **campaign** against **U.S. education and healthcare organizations**, and the activity matters because it delivers a new backdoor and supporting...
Timeline
- 16.04.2026 20:52 · 2 articles
PowMix campaign targets Czech workforce
Initial Disclosure: PowMix targets the workforce in the Czech Republic with a malicious ZIP file, likely delivered by phishing email, that launches a Windows Shortcut (LNK) and a PowerShell loader; the loader extracts and decrypts the embedded payload and runs it in memory. The botnet is built for remote access, reconnaissance, remote code execution, scheduled task persistence, C2 migration, and self-deletion. To reduce detection it uses randomized C2 beaconing intervals, encrypted heartbeat data with victim identifiers in C2 URL paths, and dynamic C2 domain updates.
Sources:
- Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic — thehackernews.com — 16.04.2026 20:52