A newly uncovered cyber campaign is raising alarms across Europe, as the PowMix botnet targets workers in the Czech Republic using advanced evasion and command-and-control techniques.

Security researchers from Cisco Talos report that the PowMix botnet has been active since at least December 2025, employing stealth mechanisms to avoid detection. Unlike traditional malware that maintains constant communication with command servers, PowMix uses randomized beaconing intervals, making its network activity harder to identify through standard signature-based detection.

“PowMix employs randomized command-and-control (C2) beaconing intervals, rather than a persistent connection to the C2 server, to evade the network signature detections,” said Chetan Raghuprasad. He added, “PowMix embeds the encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs. PowMix has the capability to remotely update the new C2 domain to the botnet configuration file dynamically.”

The infection chain begins with a malicious ZIP archive, most likely distributed through phishing emails. Once opened, the archive deploys a Windows shortcut file that triggers a PowerShell-based loader. This loader extracts and decrypts the embedded malware, executing it directly in memory to minimize detection. The botnet establishes persistence through scheduled tasks and performs system checks to prevent multiple instances from running on the same device.

Once active, PowMix enables remote access, reconnaissance, and arbitrary code execution. It can process commands from its control servers, including instructions to delete itself or migrate to a new server. At the same time, it opens decoy documents designed to appear legitimate, often referencing well-known brands like Edeka and including compliance-themed content to mislead victims, particularly job seekers.

Researchers noted similarities between this campaign and the previously identified ZipLine operation, which was disclosed by Check Point Software Technologies in 2025. Both campaigns share tactics such as ZIP-based delivery, in-memory execution, and the use of cloud platforms like Heroku for command-and-control infrastructure. However, no secondary payloads have been observed in the PowMix campaign so far, leaving its ultimate objectives unclear.

“PowMix avoids persistent connections to the C2 server,” Talos said. “Instead, it implements a jitter via the Get-Random PowerShell command to vary the beaconing intervals initially between 0 and 261 seconds, and subsequently between 1,075 and 1,450 seconds. This technique attempts to prevent detection of C2 traffic through predictable network signatures.”
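The jittered beaconing Talos describes can be hunted for in proxy logs by looking at the gaps between requests for each source/destination pair: interactive browsing produces wildly irregular gaps, a scheduled poller produces an exact period, and a jittered beacon produces gaps that vary but stay inside a narrow band. The Python below is an added example written for this article, not Talos or PowMix code; the log lines and the c2.example domain are constructed, and the window constants are the ones quoted above.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log lines: epoch seconds, source host, destination, URL path.
# c2.example is a placeholder; its gaps (1100, 1400, 1100 s) imitate the reported jitter window.
SAMPLE_LOG = """\
1700000000 ws01 c2.example /api/v1/status/a1b2c3
1700001100 ws01 c2.example /api/v1/status/a1b2c3
1700002500 ws01 c2.example /api/v1/status/a1b2c3
1700003600 ws01 c2.example /api/v1/status/a1b2c3
1700000000 ws01 updates.vendor.example /check
1700003600 ws01 updates.vendor.example /check
1700007200 ws01 updates.vendor.example /check
1700010800 ws01 updates.vendor.example /check
1700000000 ws01 news.example /
1700000030 ws01 news.example /story/1
1700000930 ws01 news.example /story/2
1700000935 ws01 news.example /story/3
"""

# Steady-state PowMix jitter window in seconds, as reported by Talos.
POWMIX_WINDOW = (1075, 1450)

def find_beacons(log_text, min_beacons=4, max_spread=0.5):
    """Flag (src, dst) pairs whose inter-request gaps stay within max_spread of their median.
    spread == 0 is an exact period; a non-zero but bounded spread is jittered beaconing."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, _path = line.split()
        times[(src, dst)].append(int(ts))
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        spread = (max(gaps) - min(gaps)) / median if median else float("inf")
        if spread > max_spread:
            continue  # gaps too irregular to be a beacon (e.g. interactive browsing)
        flagged[key] = {
            "median_gap": median,
            "spread": round(spread, 3),
            "jittered": len(set(gaps)) > 1,
            "in_powmix_window": POWMIX_WINDOW[0] <= median <= POWMIX_WINDOW[1],
        }
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

A fixed-period hit such as the vendor updater is expected noise; the pairs worth triage are those that are both jittered and bounded, especially when the path also looks like a REST endpoint carrying an opaque identifier.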

In parallel, researchers from Bitsight highlighted the evolution of another botnet, RondoDox, which combines distributed denial-of-service capabilities with cryptocurrency mining using XMRig. RondoDox can exploit more than 170 vulnerabilities to gain access and deploy malware, using advanced anti-analysis techniques to evade detection and remove competing threats.

Together, these findings underscore a growing trend in cybercrime, where botnets are becoming more adaptive, stealthy, and multifunctional. The emergence of the PowMix botnet highlights how attackers are leveraging sophisticated techniques to bypass traditional defenses, reinforcing the need for advanced threat detection and proactive cybersecurity strategies.
