PowMix Botnet Targets Czech Republic with Advanced Evasion Techniques in Phishing Campaign

PowMix Botnet Targets Czech Workforce with Advanced Evasion Techniques

Cybersecurity experts have identified a new botnet, named PowMix, actively targeting employees in the Czech Republic since at least December 2025. This sophisticated malware employs advanced evasion strategies to avoid detection and maintain control over compromised systems.

Infection Mechanism

The attack begins with a malicious ZIP archive, most likely delivered by phishing email. Inside the archive is a Windows Shortcut (LNK) file that, when opened, launches a PowerShell script. The script extracts, decrypts, and executes the PowMix malware directly in memory, so little beyond the archive and the shortcut ever touches disk, which complicates file-based detection.
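The delivery chain above (a ZIP archive, then a shortcut that starts PowerShell) is where a responder first meets this malware, so here is an added example of triaging such an archive: a minimal LNK parser that recovers the shortcut's target and arguments and scores them for PowerShell launch indicators. This is editor-added code, not PowMix's or the researchers' tooling; the archive, the file names, the shortcut target and the placeholder encoded command are all constructed for the example, and shortcuts that store their target only in the ID list (with no RELATIVE_PATH string) are not resolved by it.

```python
"""Triage of a phishing ZIP: locate shortcut (LNK) members and recover what a double-click would
run. Added example with a constructed archive; the target, arguments and file names below are
invented stand-ins, not PowMix's actual artifacts."""
import io
import re
import struct
import zipfile

# {00021401-0000-0000-C000-000000000046} as stored on disk (Data1..Data3 little-endian)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
LNK_MAGIC = b"L\x00\x00\x00" + LNK_CLSID          # HeaderSize 0x4C followed by the CLSID
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7                              # ShowCommand value used to start minimised
INDICATORS = ("powershell", "pwsh", "-windowstyle hidden", "-w hidden", "-noprofile", "-nop ",
              "-encodedcommand", "-enc ", "bypass", "iex", "invoke-expression", "frombase64string",
              "downloadstring", "expand-archive", "mshta", "wscript", "rundll32", "cmd /c")


def parse_lnk(data: bytes) -> dict:
    """Minimal MS-SHLLINK reader: validate the header, skip LinkTargetIDList and LinkInfo,
    then read the StringData fields in their fixed order. Targets stored only in the IDList
    (no RELATIVE_PATH string) are not resolved here."""
    if not data.startswith(LNK_MAGIC):
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76
    if flags & HAS_IDLIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]          # IDListSize excludes itself
    if flags & HAS_LINKINFO:
        off += struct.unpack_from("<I", data, off)[0]              # LinkInfoSize includes itself
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]             # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build the smallest Unicode LNK carrying a RELATIVE_PATH and ARGUMENTS (sample data only)."""
    hdr = bytearray(76)
    struct.pack_into("<I16sI", hdr, 0, 0x4C, LNK_CLSID, IS_UNICODE | 0x08 | 0x20)
    struct.pack_into("<I", hdr, 60, SW_SHOWMINNOACTIVE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(hdr) + body


def scan_zip(zip_bytes: bytes) -> list:
    """Return one finding per shell link in the archive (identified by header, not by extension)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if not data.startswith(LNK_MAGIC):
                continue
            lnk = parse_lnk(data)
            cmdline = " ".join(lnk.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
            reasons = [ind.strip() for ind in INDICATORS if ind in cmdline]
            if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                reasons.append("starts minimised")
            if re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", info.filename, re.I):
                reasons.append("double extension")
            findings.append({"member": info.filename, "target": lnk.get("relative_path"),
                             "arguments": lnk.get("arguments"), "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed archive: a decoy 'PDF' plus a shortcut that launches PowerShell with a
    placeholder encoded command (the base64 decodes to filler, not a real stage)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Compliance_Notice_2026.pdf", b"%PDF-1.4 decoy placeholder")
        zf.writestr("Compliance_Notice_2026.pdf.lnk", build_lnk(
            r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "-NoProfile -WindowStyle Hidden -EncodedCommand QUFBQUFBQUFBQUFB"))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['member']}: {f['target']} {f['arguments']}\n  reasons: {', '.join(f['reasons'])}")
```

The indicator list and the double-extension pattern are assumptions for this example; in practice they are a first filter, and the -EncodedCommand payload (or whatever the LNK hands to PowerShell) should be decoded and read before the archive is judged.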

Command-and-Control (C2) Communication

PowMix distinguishes itself by beaconing to its C2 server at randomized intervals rather than at the fixed period typical of many botnets, which blunts network detections that key on a regular beat. It embeds encrypted heartbeat data and a unique identifier for the infected machine in the C2 URL path, so the requests resemble calls to a legitimate REST API and blend into normal web traffic.

Capabilities and Persistence

Once established, PowMix gives the operators remote access, reconnaissance capabilities, and arbitrary code execution on the infected host. It persists through a scheduled task and checks for an already-running instance so that the same machine is not infected twice.

Command Processing

The botnet processes commands from its C2 server, including:

– #KILL: Initiates self-deletion and removes all malicious artifacts.

– #HOST: Updates the botnet’s configuration with a new C2 server URL.

Additionally, PowMix can execute arbitrary payloads received from the C2 server, enhancing its versatility.

Decoy Documents

To distract victims and lend credibility to the attack, PowMix opens decoy documents with compliance-related themes. These documents reference legitimate brands and include compensation data and legislative references, potentially targeting job seekers or employees handling sensitive information.

Connections to Previous Campaigns

Researchers note similarities between PowMix and a campaign known as ZipLine, which targeted manufacturing companies with in-memory malware called MixShell. Both campaigns utilize ZIP-based payload delivery, scheduled task persistence, and abuse cloud platforms like Heroku for C2 communications. However, the exact motives behind PowMix remain unclear, as no final payloads beyond the botnet itself have been observed.

Evasion Techniques

PowMix randomizes its beacon interval with PowerShell's Get-Random cmdlet: initially between 0 and 261 seconds, and later between 1,075 and 1,450 seconds. The aim is to defeat detections that look for a predictable network pattern. Jitter removes the fixed period but not the bounded sleep window, so detections that examine the distribution of intervals between a host pair, rather than a single period, still apply.
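To make the two C2 sections concrete (the REST-like paths carrying encrypted heartbeat data described under Command-and-Control Communication, and the jittered sleeps described here), the following is an added example that is not part of the original report: a small proxy-log triage that runs a classic fixed-period beacon check beside heuristics that do not rely on a constant period. All hosts, paths, timings, thresholds and the heartbeat tokens are constructed for the example; the two sleep ranges are the ones reported for PowMix, but the individual values are invented.

```python
"""Beacon triage over constructed proxy-log lines: a fixed-period check next to heuristics that
survive Get-Random style jitter. Added example; every host, path and timing below is invented."""
import base64
import hashlib
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

OPAQUE_SEG = re.compile(r"[A-Za-z0-9_=-]{24,}")   # base64url/hex-looking path segment


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    n = len(s)
    if not n:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def has_opaque_segment(path: str, min_entropy: float = 4.0) -> bool:
    """Assumption: REST resource names are short or dictionary-like, while an encrypted
    heartbeat blob is long, base64/hex-charset and high-entropy."""
    return any(OPAQUE_SEG.fullmatch(seg) is not None and shannon_entropy(seg) >= min_entropy
               for seg in path.split("/"))


def parse_log(lines):
    """Group '<ISO-8601 ts> <src> <method> <url>' lines into {(src, host): [(ts, path), ...]}."""
    pairs = defaultdict(list)
    for line in lines:
        ts, src, _method, url = line.split()
        u = urlsplit(url)
        pairs[(src, u.hostname)].append((datetime.fromisoformat(ts), u.path))
    for events in pairs.values():
        events.sort()
    return pairs


def inter_arrival(events):
    """Seconds between consecutive requests of one (src, host) pair."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def fixed_period_detector(deltas, cv_max=0.1, min_events=8):
    """Classic beacon check: near-constant sleep (low coefficient of variation). Jitter defeats it."""
    if len(deltas) + 1 < min_events:
        return False
    mean = statistics.fmean(deltas)
    return mean > 0 and statistics.pstdev(deltas) / mean < cv_max


def jittered_beacon_detector(events, min_events=8, max_sleep=1800.0, min_span=3600.0,
                             burst_cutoff=1.0, max_burst_ratio=0.1, min_opaque_ratio=0.8):
    """Heuristics that need no constant period: the series is long-lived, never bursty (real API
    clients and browsers fire sub-second request trains), every gap stays inside one bounded
    sleep window, and most paths carry an opaque segment. Thresholds are assumptions."""
    if len(events) < min_events:
        return False
    deltas = inter_arrival(events)
    span = (events[-1][0] - events[0][0]).total_seconds()
    burst_ratio = sum(d < burst_cutoff for d in deltas) / len(deltas)
    opaque_ratio = sum(has_opaque_segment(p) for _, p in events) / len(events)
    return (span >= min_span and max(deltas) <= max_sleep
            and burst_ratio <= max_burst_ratio and opaque_ratio >= min_opaque_ratio)


def triage(lines):
    """Run both detectors over every (source, destination host) pair in the log."""
    report = {}
    for pair, events in parse_log(lines).items():
        report[pair] = {"n": len(events), "fixed": fixed_period_detector(inter_arrival(events)),
                        "jittered": jittered_beacon_detector(events)}
    return report


def heartbeat_token(i: int) -> str:
    """Stand-in for an encrypted heartbeat blob: 24 deterministic pseudo-random bytes as base64url."""
    return base64.urlsafe_b64encode(hashlib.sha256(f"hb-{i}".encode()).digest()[:24]).decode()


def build_constructed_log():
    """Three request series from one workstation; hosts, paths and timings are hypothetical."""
    lines, t = [], datetime(2026, 1, 12, 8, 0, 0)
    # 1) Jittered beacon. Sleeps drawn from the two Get-Random ranges reported for PowMix
    #    (0-261 s, then 1,075-1,450 s); the particular values are invented.
    for i, d in enumerate([0, 17, 203, 88, 251, 4, 1301, 1099, 1422, 1187, 1350, 1250]):
        t += timedelta(seconds=d)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET https://c2-hypothetical.example/api/v1/session/{heartbeat_token(i)}/status")
    # 2) Fixed-period beacon (600 s) in the same REST-like style.
    t = datetime(2026, 1, 12, 8, 0, 30)
    for i in range(12):
        t += timedelta(seconds=600 if i else 0)
        lines.append(f"{t.isoformat()} 10.0.0.5 GET https://legacy-c2.example/api/v1/session/{heartbeat_token(100 + i)}/status")
    # 3) Legitimate intranet API use: bursts of sub-second calls with idle time between them.
    t = datetime(2026, 1, 12, 8, 1, 0)
    resources = ["users/1042", "users/1042/profile", "orders?page=2",
                 "reports/quarterly-summary-2025", "health"]
    for gap in (0, 900, 2400):
        t += timedelta(seconds=gap)
        for j, r in enumerate(resources):
            t += timedelta(seconds=0.4 if j else 0)
            lines.append(f"{t.isoformat()} 10.0.0.5 GET https://intranet.example/api/v1/{r}")
    return lines


if __name__ == "__main__":
    for (src, host), r in triage(build_constructed_log()).items():
        print(f"{src} -> {host}: n={r['n']} fixed_period={r['fixed']} jittered_beacon={r['jittered']}")
```

On the constructed log the fixed-period check flags only the constant 600-second series and misses the jittered one, while the bounded-window heuristics flag both beacons and leave the bursty intranet traffic alone. The thresholds (an 1,800-second maximum sleep, a one-hour minimum span, the entropy cutoff) are starting points for this example, not values taken from the PowMix analysis, and need tuning against a real environment's baseline.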

Emerging Threats

The discovery of PowMix coincides with reports of the RondoDox botnet, which has evolved to include cryptocurrency mining capabilities using XMRig, in addition to its existing distributed denial-of-service (DDoS) functionalities. These developments highlight the continuous evolution of botnets, incorporating advanced evasion techniques and expanding their feature sets to maximize impact.