
Cybersecurity researchers have warned that a previously undocumented botnet called PowMix has been active in a malicious campaign targeting workers in the Czech Republic since at least December 2025.
“PowMix employs randomized command and control (C2) beacon intervals rather than persistent connections to C2 servers to evade detection of network signatures,” Cisco Talos researcher Chetan Raghuprasad said in a report published today.
“PowMix embeds encrypted heartbeat data and a unique identifier for the victim machine in the C2 URL path to mimic a legitimate REST API URL. PowMix has the ability to dynamically update new C2 domains to botnet configuration files remotely.”
The attack chain begins with a malicious ZIP file, likely delivered via a phishing email, which activates a multi-step infection chain that drops PowMix. Specifically, it involves a Windows shortcut (LNK) that is used to launch a PowerShell loader that extracts malware embedded within an archive, decrypts it, and executes it in memory.
The never-before-seen botnet is designed to facilitate remote access, reconnaissance, and remote code execution while establishing persistence through scheduled tasks. It also checks the process tree to ensure that no other instances of the malware are running on the compromised host.
PowMix’s remote management logic processes two types of commands sent from the C2 server: #KILL, which initiates a self-deletion routine and erases all traces of malicious artifacts, and #HOST, which migrates the C2 to a new server URL. If a response carries neither prefix, PowMix enters an arbitrary execution mode in which it decrypts and executes the retrieved payload.
The infection chain also opens a compliance-themed decoy document as a distraction. The decoy references legitimate brands such as Edeka and includes compensation data and references to valid laws, likely intended to lend credibility and deceive recipients such as job applicants.

Talos said this campaign has some tactical overlap with a campaign called ZipLine that Check Point revealed in late August 2025 that targeted supply chain-critical manufacturing companies using in-memory malware called MixShell.
This includes using the same ZIP-based payload delivery, relying on scheduled tasks for persistence, and abusing Heroku for C2. However, no final payload beyond the botnet malware itself has been observed, leaving questions about the campaign’s exact motivations unanswered.
“PowMix avoids persistent connections to C2 servers,” Talos said. “Instead, it implements jitter via the Get-Random PowerShell command, randomizing the beacon interval initially between 0 and 261 seconds and then between 1,075 and 1,450 seconds. This technique attempts to prevent detection of C2 traffic through predictable network signatures.”
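Detection logic for the jittered beaconing described above, added here as an example and not taken from the Talos report: it groups proxy-log requests by source and destination and flags pairs whose inter-request gaps stay inside a narrow band, since random jitter drawn from a fixed window still yields a tightly bounded interval distribution. The log lines, host names, paths and thresholds are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (sample data, not from the Talos report).
# Format: "<ISO timestamp> <src_ip> <dst_host> <url_path>". 10.0.0.5
# beacons with jittered gaps of 1,100/1,300/1,200/1,420 s and a fresh
# opaque path segment each time; 10.0.0.7 fetches CDN assets irregularly.
SAMPLE_LOG = """\
2026-01-10T08:00:00 10.0.0.5 api.example-c2.invalid /v1/clients/a91f/status/QmVhdDE
2026-01-10T08:18:20 10.0.0.5 api.example-c2.invalid /v1/clients/a91f/status/QmVhdDI
2026-01-10T08:40:00 10.0.0.5 api.example-c2.invalid /v1/clients/a91f/status/QmVhdDM
2026-01-10T09:00:00 10.0.0.5 api.example-c2.invalid /v1/clients/a91f/status/QmVhdDQ
2026-01-10T09:23:40 10.0.0.5 api.example-c2.invalid /v1/clients/a91f/status/QmVhdDU
2026-01-10T08:00:00 10.0.0.7 cdn.example.net /site.css
2026-01-10T08:00:05 10.0.0.7 cdn.example.net /app.js
2026-01-10T08:15:05 10.0.0.7 cdn.example.net /img/logo.png
2026-01-10T08:15:35 10.0.0.7 cdn.example.net /site.css
2026-01-10T09:15:35 10.0.0.7 cdn.example.net /app.js
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, path) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, path = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, path))
    return records


def find_beacons(records, min_requests=5, max_spread=0.5):
    """Flag (src, dst) pairs whose request gaps stay in a narrow band.
    spread = (max_gap - min_gap) / median_gap: 0 for a fixed timer, at most
    about 0.35 for a 1,075-1,450 s window, far higher for human browsing."""
    by_pair = defaultdict(list)
    for ts, src, dst, path in records:
        by_pair[(src, dst)].append((ts, path))
    findings = {}
    for pair, hits in by_pair.items():
        if len(hits) < min_requests:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        median = statistics.median(gaps)
        spread = (max(gaps) - min(gaps)) / median if median > 0 else float("inf")
        if spread <= max_spread:
            # a fresh path per request (distinct_paths == requests) matches the
            # per-beacon heartbeat data embedded in the URL path
            findings[pair] = {"requests": len(hits), "median_interval_s": median,
                              "spread": round(spread, 3),
                              "distinct_paths": len({p for _, p in hits})}
    return findings
```

Tune `min_requests` and `max_spread` to the traffic volume of the monitored segment; a fixed-interval software updater will also score low on spread and should be allow-listed by destination.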
This disclosure comes as Bitsight uncovers an infection chain associated with the RondoDox botnet, highlighting the malware’s evolving ability to illegally mine cryptocurrencies on infected systems using XMRig in addition to its existing distributed denial of service (DDoS) attack capabilities.
The findings paint a complete picture of actively maintained malware that offers improved evasion, increased resiliency, proactive removal of competing malware, and an expanded feature set.
RondoDox can exploit over 170 known vulnerabilities in various internet-facing applications to gain initial access, drop shell scripts that perform basic anti-analysis and remove competing malware, and then drop architecture-appropriate botnet binaries.
Bitsight Principal Researcher João Godinho said the malware “implements techniques to thwart analysis through multiple checks, including the use of nanomites, renaming and deleting files, killing processes, and aggressively checking running debuggers.”
“Bots can perform DoS attacks at the internet, transport, and application layers depending on commands and arguments issued by the C2.”
