
Newly Discovered PowMix Botnet Hits Czech Operators Using Random C2 Traffic

Ravie Lakshmanan | April 16, 2026 | Botnet / Cryptomining

Cybersecurity researchers have warned of an active malicious campaign that has been targeting workers in the Czech Republic since at least December 2025 using a previously undocumented botnet called PowMix.

“PowMix uses Command-and-control (C2) light intervals, instead of continuous connections to the C2 server, to avoid network signature detection,” Cisco Talos researcher Chetan Raghuprasad said in a report published today.

“PowMix embeds encrypted heartbeat data and unique victim machine identifiers in C2 URL paths, mimicking legitimate REST API URLs. PowMix has the ability to remotely update a new C2 domain in the botnet’s configuration file dynamically.”

The attack chain begins with a malicious ZIP file, likely delivered via a phishing email, that kicks off a multi-stage infection sequence ending in the deployment of PowMix. Specifically, the archive contains a Windows Shortcut (LNK) file that launches a PowerShell loader, which extracts the malware embedded within the archive, decompresses it, and executes it in memory.
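The shortcut-to-PowerShell step described above leaves a recognisable footprint in endpoint telemetry. The following is an added example, not code from the Talos report or from the campaign: a small triage routine that scores process-creation events for a PowerShell process spawned from Explorer with command-line fragments typical of an in-memory decompress-and-execute loader. The event field names, the indicator list and the sample events are all constructed for the example.

```python
"""Flag the LNK -> PowerShell loader pattern in process-creation telemetry.

Added illustration for the infection chain described above; it is not code
from the Talos report. The event fields, the indicator list and the sample
events are constructed for this example.
"""
import re

# Command-line fragments that, together with an Explorer parent, suggest a
# shortcut-launched loader that decodes or decompresses a payload and runs it
# in memory. This list is a constructed heuristic, not a published signature.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I),
    "encoded_cmd": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "decompress": re.compile(r"IO\.Compression|Expand-Archive|GZipStream|DeflateStream", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression|Reflection\.Assembly", re.I),
}


def score_event(event):
    """Return (score, matched_indicator_names) for one process-creation event."""
    image = event.get("image", "").lower()
    parent = event.get("parent_image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return 0, []
    cmd = event.get("command_line", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    score = len(hits)
    # A shortcut double-clicked from Explorer (for instance inside an opened
    # ZIP) shows up with explorer.exe as the parent of the PowerShell process.
    if parent.endswith("explorer.exe"):
        hits.append("explorer_parent")
        score += 1
    return score, hits


def triage(events, threshold=3):
    """Return the events whose score reaches the threshold, with their evidence."""
    findings = []
    for event in events:
        score, hits = score_event(event)
        if score >= threshold:
            findings.append({"host": event.get("host"), "score": score, "hits": hits})
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: scheduled inventory script run from cmd.exe
        "host": "WS-01", "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    },
    {   # benign: interactive PowerShell opened from the Start menu
        "host": "WS-02", "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe",
    },
    {   # suspicious: hidden, policy-bypassing loader that decompresses and IEXes
        "host": "WS-03", "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": 'powershell.exe -w hidden -ep bypass -c "$g=New-Object IO.Compression.GZipStream(...); IEX $code"',
    },
    {   # unrelated process
        "host": "WS-04", "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Editor\editor.exe", "command_line": "editor.exe notes.txt",
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The score is deliberately additive rather than a single regex so that an analyst can tune the threshold per environment; an Explorer parent alone (an interactive shell) stays well below it, while the combination of a hidden window, policy bypass, decompression and in-memory execution stands out even without knowing the campaign's exact loader.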

The previously undocumented botnet is designed to facilitate remote access, reconnaissance, and remote code execution, while establishing persistence through a scheduled task. It also inspects the process tree to make sure that another instance of the same malware is not already running on the compromised host.

PowMix’s remote management logic processes two types of prefixed commands sent from the C2 server. Any response that is not prefixed with # is treated as an arbitrary payload, which PowMix decrypts and executes.

  • #KILL, which triggers a self-removal routine and erases the traces of all malicious artifacts
  • #HOST, which migrates the C2 to a new server URL.

In parallel, it also opens a compliance-themed decoy document to distract the victim. The lure text references well-known brands such as Edeka and includes compensation figures and official legal references, likely in an attempt to make it more credible to its intended recipients, such as job seekers.

Talos said the campaign overlaps to some degree with a campaign called ZipLine that was disclosed by Check Point in late August 2025 as targeting critical manufacturing companies with an in-memory malware called MixShell.

The overlaps include the use of ZIP-based payloads, scheduled tasks, and C2 infrastructure hosted on Heroku. That said, no final payloads have been observed beyond the botnet malware itself, leaving questions about the campaign’s exact motives unanswered.

“PowMix avoids constant connections to the C2 server,” Talos said. “Instead, it uses jitter with the Get-Random PowerShell command to change the flashing intervals between 0 and 261 seconds, and later between 1,075 and 1,450 seconds. This process tries to prevent detection of C2 traffic by using unpredictable network signatures.”
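Both quoted behaviours, the randomised beacon interval and the unique victim identifier carried in REST-looking URL paths, are visible from the network side. The following is an added example, not code from the Talos report or from the malware: a proxy-log analysis that groups requests per source and destination host, measures the spread of the inter-request gaps, checks whether every gap falls inside one of the two reported ranges (0 to 261 seconds, 1,075 to 1,450 seconds), and looks at how many distinct paths were requested. The log format, the thresholds and the sample entries are constructed for the example, and the `.invalid` hostnames are placeholders.

```python
"""Spot jittered C2 beaconing with per-request unique URL paths in proxy logs.

Added illustration for the PowMix beaconing description above; not code from
the Cisco Talos report. The log format, thresholds and sample entries are all
constructed for this example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log line format: "<ISO timestamp> <src_ip> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+)$")

# Beacon interval ranges (seconds) reported by Talos for PowMix.
PHASES = ((0, 261), (1075, 1450))


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "url": m["url"]}


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/", 1)[0]


def path_of(url):
    rest = re.sub(r"^https?://", "", url)
    return "/" + rest.split("/", 1)[1] if "/" in rest else "/"


def analyze(lines, min_requests=5, min_cv=0.25, min_unique_ratio=0.8):
    """Return (src, host) pairs whose traffic looks like jittered beaconing.

    A pair is flagged when it has enough requests, every gap between requests
    lies inside one reported phase range, the gaps vary enough to look
    randomised (coefficient of variation >= min_cv, which rules out fixed-period
    polling), and most requested paths are distinct (consistent with an
    identifier embedded in each path).
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_pair[(rec["src"], host_of(rec["url"]))].append(rec)

    findings = []
    for (src, host), recs in by_pair.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        phase = next((p for p in PHASES if all(p[0] <= g <= p[1] for g in gaps)), None)
        unique_ratio = len({path_of(r["url"]) for r in recs}) / len(recs)
        if phase and cv >= min_cv and unique_ratio >= min_unique_ratio:
            findings.append({"src": src, "host": host, "requests": len(recs),
                             "phase": phase, "cv": round(cv, 2),
                             "unique_path_ratio": round(unique_ratio, 2)})
    return findings


# Constructed sample log. The first host polls a fixed path every 60 seconds
# (regular, single path); the second is hit at jittered gaps within the first
# phase range, each time with a different REST-looking path.
SAMPLE_LOG = [
    "2026-04-16T08:00:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:01:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:02:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:03:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:04:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:05:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:06:00 10.0.0.5 GET https://updates.example.invalid/status",
    "2026-04-16T08:00:00 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/q8Zt1",
    "2026-04-16T08:02:00 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/Lm3Kd",
    "2026-04-16T08:06:10 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/Wq9Bn",
    "2026-04-16T08:06:40 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/Hc2Vx",
    "2026-04-16T08:10:00 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/Rt7Pa",
    "2026-04-16T08:11:30 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/Yd4Zs",
    "2026-04-16T08:14:30 10.0.0.5 GET https://api.example-c2.invalid/api/v1/sessions/Ke1Mo",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The interval ranges are the ones quoted from Talos, but the decisive signals are the variance test and the distinct-path ratio: fixed-period software updaters fall inside the first range too, yet have near-zero variance and repeat the same path, so they are not flagged. On real traffic the thresholds would need tuning, and the distinct-path test should be paired with the host's reputation, since genuine REST APIs also produce unique paths.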

The disclosure comes as Bitsight shines a light on the infection chain associated with the RondoDox botnet, highlighting the malware’s emerging ability to illegally mine cryptocurrencies from infected systems using XMRig on top of existing distributed denial-of-service (DDoS) attacks.

The findings paint a picture of a continuously maintained malware offering improved evasion, better resilience, removal of malicious competition, and an expanded feature set.

RondoDox is able to exploit more than 170 known vulnerabilities in various Internet-facing applications to gain initial access and drop a shell script that performs basic anti-analysis checks and removes competing malware before dropping the botnet binary matching the host’s architecture.

The malware “scans frequently and uses anti-analysis techniques, including the use of nanomites, renaming/extracting files, execution processes, and actively checking debuggers during execution,” said Bitsight Principal Research Scientist João Godinho.

“The bot is able to perform DoS attacks on the Internet, the transport layer and the application, depending on the command and arguments issued by C2.”
