PowMix phishing campaign targeting Czech workforce
Campaign
Summary
Hide ▲
Show ▼
The PowMix campaign is actively targeting the Czech Republic’s workforce, raising the risk of remote access and remote code execution on compromised systems. The intrusion chain begins with a malicious ZIP file likely delivered by phishing email. A Windows Shortcut (LNK) then launches a PowerShell loader that drops the botnet payload. The operation has been active since at least December 2025.
Related Happenings
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
Campaign
H score32
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
Windows cryptocurrency clipper campaign targeting users via USB LNK worms
CampaignAbout this happening: A **Windows cryptocurrency clipper campaign** is actively targeting users since **February 2026**, putting clipboard data, wallet addresses, and seed phrases at risk. The operatio...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
H score39
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
CampaignAbout this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor Meta
H score57
First: 21.04.2026 17:00
Last: 21.04.2026 17:00
Sources 1
About this happening:
**The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
The Gentlemen affiliate-driven RaaS expansion and enterprise scale-up
Threat Actor MetaAbout this happening: **The Gentlemen** ransomware-as-a-service operation is using an operator-maintained **EDR-killer** portfolio, led by **GentleKiller**, to disable security software before encrypti...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
H score31
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
How related:
The disclosure comes as Bitsight sheds light on the infection chain associated with the RondoDox botnet, highlighting the malware's evolving capabilities to illicitly mine cryptocurrency on infected systems using XMRig on top of the existing distributed denial-of-service (DDoS) attack functionality.
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
RondoDox botnet expands mining and DDoS capabilities
Malware ActivityHow related: The disclosure comes as Bitsight sheds light on the infection chain associated with the RondoDox botnet, highlighting the malware's evolving capabilities to illicitly mine cryptocurrency on infected systems using XMRig on top of the existing distributed denial-of-service (DDoS) attack functionality.
About this happening: **RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities
Malware Activity
H score21
First: 10.04.2026 01:04
Last: 10.04.2026 01:04
Sources 1
About this happening:
**LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...
LucidRook spear-phishing malware activity targeting Taiwan NGOs and universities
Malware ActivityAbout this happening: **LucidRook** is being used in **spear-phishing campaigns** against **NGOs and universities in Taiwan**, creating a direct path for reconnaissance and data theft. The activity was...
Timeline
-
16.04.2026 20:52 2 articles · 2mo ago
PowMix campaign targets Czech workforce
Initial DisclosurePowMix targets the workforce in the Czech Republic with a malicious ZIP file likely delivered by phishing email that launches a Windows Shortcut (LNK) and PowerShell loader, extracts and decrypts the embedded payload, and runs it in memory. The botnet is built for remote access, reconnaissance, remote code execution, scheduled task persistence, C2 migration, and self-deletion, while using randomized C2 beaconing intervals, encrypted heartbeat data with victim identifiers in C2 URL paths, and dynamic C2 domain updates to reduce detection.
Show sources
- Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic — thehackernews.com — 16.04.2026 20:52
- Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic — thehackernews.com — 16.04.2026 20:52