Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
A new botnet named PowMix is targeting workers in the Czech Republic with sophisticated techniques to evade detection
New PowMix Botnet Targets Czech Workforce with Randomized C2 Evasion Techniques
TL;DR
A newly discovered botnet named PowMix has been targeting workers in the Czech Republic since December 2025. Discovered by Cisco Talos, the malware uses randomized "jitter" in its communication and mimics legitimate REST API traffic to evade network security detections.
Cybersecurity researchers have identified a sophisticated new threat targeting the Czech Republic's workforce. The previously undocumented botnet, dubbed PowMix, stands out for its advanced evasion techniques and its ability to blend into legitimate network traffic using randomized beaconing intervals.
According to a report released by Cisco Talos, the campaign has been active since at least December 2025, primarily focusing on local employees through carefully crafted social engineering.
The Infection Chain: From Phishing to Memory
The attack typically begins with a malicious ZIP file, which researchers believe is distributed via phishing emails. Once a user opens the archive, a multi-stage infection process is triggered:
- The LNK Trigger: The user interacts with a Windows Shortcut (LNK) file contained within the ZIP.
- PowerShell Loader: The LNK file launches a PowerShell loader.
- In-Memory Execution: The loader extracts the primary malware payload from the archive, decrypts it, and executes it directly in the system's memory to avoid leaving a footprint on the physical disk.
Before proceeding, the malware inspects the system's process tree to ensure no other instance of PowMix is already running. It also establishes persistence on the compromised host by creating a scheduled task.
Evasion Through "Jitter" and API Mimicry
The defining characteristic of PowMix is its stealthy communication method. Unlike traditional botnets that maintain a persistent connection to a Command-and-Control (C2) server, PowMix uses a "jitter" technique.
Using the Get-Random PowerShell cmdlet, the botnet varies its beaconing intervals—initially between 0 and 261 seconds, and later increasing to between 1,075 and 1,450 seconds. This randomization makes it significantly harder for network security tools to flag the traffic based on a predictable beaconing period.
Furthermore, PowMix mimics legitimate REST API URLs. It embeds encrypted "heartbeat" data and unique machine identifiers directly into the C2 URL paths, making the malicious traffic look like standard application communication.
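Randomized intervals defeat detectors that look for an exact period, but a beacon drawn from a bounded band still leaves a statistical footprint: the inter-arrival times cluster around a mean and never exceed the band's ceiling. The following is an added example of that reasoning applied to proxy logs; it is not code from Cisco Talos or from the malware. The log format, host names, addresses and path tokens are constructed for the example, and the three sample clients use interval lists chosen by hand to mirror the two bands in the article (0 to 261 seconds, then 1,075 to 1,450 seconds) alongside human-like browsing.

```python
"""Spot bounded-jitter beaconing in web proxy logs (added example, constructed data)."""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_REQUESTS = 8      # do not judge a (source, host) pair on a handful of requests
MAX_CV = 0.25         # coefficient of variation at or below this looks machine-driven
MAX_GAP_FACTOR = 1.5  # longest gap may not exceed this multiple of the mean interval

# Hand-chosen inter-arrival times (seconds). The two beacon lists stay inside
# the bands described in the article; the browsing list has bursts and long idles.
LATE_PHASE_GAPS = [1102, 1398, 1250, 1077, 1444, 1320, 1189, 1431, 1133, 1276, 1355]
EARLY_PHASE_GAPS = [12, 240, 87, 201, 5, 158, 260, 44, 119, 233, 71]
BROWSING_GAPS = [4, 9, 2, 35, 1900, 6, 12, 5400, 3, 20, 15]


def build_sample_log():
    """Construct lines in an assumed format: '<ISO time> <src_ip> <dst_host> <path>'."""
    lines = []
    start = datetime(2025, 12, 3, 8, 0, 0)

    def emit(src, host, path_prefix, gaps):
        t = start
        for i, gap in enumerate([0] + gaps):
            t += timedelta(seconds=gap)
            # Opaque token standing in for the encrypted heartbeat / machine id the
            # article says PowMix embeds in REST-like URL paths (constructed value).
            token = hashlib.sha256(f"constructed-{src}-{i}".encode()).hexdigest()[:16]
            lines.append(f"{t.isoformat()} {src} {host} {path_prefix}/{token}")

    emit("10.0.0.5", "api.example-cdn.test", "/v1/status", LATE_PHASE_GAPS)
    emit("10.0.0.7", "api.example-cdn.test", "/v1/status", EARLY_PHASE_GAPS)
    emit("10.0.0.9", "www.example-news.test", "/article", BROWSING_GAPS)
    return lines


def parse(lines):
    """Group request timestamps by (source address, destination host)."""
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, host, _path = line.split(" ", 3)
        by_pair[(src, host)].append(datetime.fromisoformat(ts))
    return by_pair


def interval_stats(times):
    """Return (count, mean gap, coefficient of variation, max gap) in seconds."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not gaps:
        return len(times), 0.0, float("inf"), 0.0
    m = mean(gaps)
    cv = pstdev(gaps) / m if m else float("inf")
    return len(times), m, cv, max(gaps)


def find_beacons(lines):
    """Return {pair: stats} for pairs whose timing is too regular for a human."""
    flagged = {}
    for pair, times in parse(lines).items():
        if len(times) < MIN_REQUESTS:
            continue
        count, m, cv, max_gap = interval_stats(times)
        if cv <= MAX_CV and max_gap <= MAX_GAP_FACTOR * m:
            flagged[pair] = {"count": count, "mean_s": round(m, 1),
                             "cv": round(cv, 3), "max_gap_s": round(max_gap, 1)}
    return flagged


if __name__ == "__main__":
    for pair, stats in find_beacons(build_sample_log()).items():
        print(pair, stats)
```

Run as a script, only the later-phase client (10.0.0.5) is flagged: its gaps spread across the whole 1,075 to 1,450 band, yet the coefficient of variation is still only about 0.1 because the band is narrow relative to its mean. The early-phase client shows the limit of this approach: a band of 0 to 261 seconds gives a coefficient of variation near 0.7, indistinguishable from bursty browsing on this statistic alone, so for that phase the more useful signal is the hard ceiling on silence (no gap ever exceeds the band's upper bound over many hours), which needs a longer observation window than a dozen requests.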
Capabilities and Commands
PowMix is designed for reconnaissance, remote access, and remote code execution (RCE). Its remote management logic recognizes specific commands from the C2 server:
- Arbitrary Execution: If the C2 response does not start with a "#" prefix, the botnet treats the response as a new payload to be decrypted and executed.
- #KILL: Triggers a self-deletion routine to wipe all traces of the malware from the host.
- #HOST: Allows the botnet to dynamically update its configuration with a new C2 domain, providing resilience against server takeovers.
While the malware is active, it displays a decoy document to the victim. These documents use compliance-themed lures, referencing legitimate brands like Edeka and containing valid legislative references to trick HR personnel or job seekers into believing the file is legitimate.
Tactical Overlaps and Unknown Motives
Cisco Talos noted that PowMix shares tactical similarities with a campaign known as ZipLine (observed in August 2025), which utilized a malware called MixShell to target manufacturing supply chains. Both campaigns used ZIP-based delivery, Heroku for C2 infrastructure, and scheduled tasks for persistence.
Despite the sophisticated nature of the botnet, researchers have not yet observed a "final" payload beyond the botnet itself. This leaves the ultimate motive—whether it be data exfiltration, ransomware deployment, or long-term espionage—currently unknown.
Broader Botnet Landscape: RondoDox
The discovery of PowMix coincides with new insights into RondoDox, another evolving botnet. According to Bitsight, RondoDox has expanded its capabilities to include cryptocurrency mining (using XMRig) alongside its existing DDoS functionality. RondoDox is notably aggressive, exploiting over 170 known vulnerabilities to gain access and actively removing "competing" malware from infected systems to monopolize resources.
The emergence of both PowMix and updated RondoDox variants underscores a trend of increasingly resilient and evasive malware targeting specific European demographics and global infrastructure.
Source
Title: Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
URL: https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html