Ethical Hacking News

Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic, Leaving Experts Baffled



A newly discovered botnet, dubbed PowMix, has been targeting workers in the Czech Republic using randomized C2 traffic to evade detection. The malware employs a sophisticated attack chain that involves phishing emails, PowerShell loaders, and scheduled tasks to gain persistence on infected systems. Experts warn that the campaign shares similarities with another malicious campaign called ZipLine, which was disclosed by Check Point in late August 2025. As cybersecurity threats continue to evolve, it's essential for organizations to prioritize unified exposure management and deploy effective identity solutions for AI agents.

  • PowMix botnet targets workers in the Czech Republic with a sophisticated campaign using randomized command-and-control beaconing intervals to evade network signature detections.
  • The malware embeds encrypted heartbeat data and unique identifiers of the victim machine into C2 URL paths, mimicking legitimate REST API URLs.
  • The attack chain involves a malicious ZIP file, Windows Shortcut, PowerShell loader, and a multi-stage infection that drops PowMix.
  • PowMix facilitates remote access, reconnaissance, and remote code execution while establishing persistence via scheduled tasks.
  • The malware processes two different kinds of commands sent from the C2 server and opens a decoy document with compliance-themed lures as a distraction mechanism.
  • PowMix shares tactical overlap with a campaign called ZipLine that was disclosed by Check Point in late August 2025, targeting supply chain-critical manufacturing companies.
  • The botnet evades detection through randomized C2 beaconing intervals implemented via the Get-Random PowerShell command.
  • RondoDox botnet is capable of exploiting over 170 known vulnerabilities to obtain initial access and drop a shell script that performs anti-analysis and removes competing malware.



The cybersecurity world has been left reeling by the discovery of a previously undocumented botnet dubbed PowMix, which has been targeting workers in the Czech Republic with a sophisticated campaign that employs randomized command-and-control (C2) beaconing intervals to evade network signature detections. According to Cisco Talos researcher Chetan Raghuprasad, the malware embeds encrypted heartbeat data along with unique identifiers of the victim machine into the C2 URL paths, mimicking legitimate REST API URLs.

The attack chain begins with a malicious ZIP file, likely delivered via a phishing email, which activates a multi-stage infection chain that drops PowMix. Specifically, it involves a Windows Shortcut (LNK) that launches a PowerShell loader, which then extracts the malware embedded within the archive, decrypts it, and runs it in memory. The never-before-seen botnet is designed to facilitate remote access, reconnaissance, and remote code execution, while establishing persistence by means of a scheduled task.

One of the most striking features of PowMix is its ability to process two different kinds of commands sent from the C2 server. Any response that is not prefixed with # causes PowMix to switch to arbitrary-execution mode, decrypting and running the obtained payload. The malware also opens a decoy document with compliance-themed lures as a distraction mechanism, referencing legitimate brands like Edeka and including compensation data and valid legislative references.

Furthermore, Talos noted that the campaign shares some level of tactical overlap with a campaign dubbed ZipLine, disclosed by Check Point in late August 2025, which targeted supply chain-critical manufacturing companies with an in-memory malware called MixShell. Both campaigns employ similar tactics such as ZIP-based payload delivery and scheduled task persistence.

The PowMix botnet evades detection through its use of randomized C2 beaconing intervals, implemented as a jitter using the Get-Random PowerShell cmdlet. This technique attempts to prevent detection of C2 traffic through predictable network signatures. The malware's remote management logic allows it to process commands from the C2 server and perform actions such as initiating a self-deletion routine and wiping traces of all malicious artifacts.
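Jittered beaconing defeats signatures keyed to a fixed interval, but a bounded random delay still produces a tight interval distribution that timing analysis can recover, and the per-request unique identifiers in the REST-like URL paths described above leave a second trace. The following Python script is an added example, not code from the article or from Cisco Talos; the proxy log format, IP addresses, host names, URL paths and timings are all constructed for illustration. It groups requests by source and destination, computes the median inter-request gap and its median absolute deviation, and flags flows whose spread is small relative to the median; the ratio of unique URL paths per flow is reported as supporting evidence rather than a trigger on its own.

```python
"""Flag jittered C2 beaconing in web-proxy logs from inter-request timing.

Added example, not code from the article or from Cisco Talos. The log
format ("<iso-ts> <src-ip> <dst-host> <url-path>"), hosts, IPs, paths and
timings below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_log(src, dst, start, gaps, paths):
    """Emit constructed proxy lines: one request at `start`, then one per gap (seconds)."""
    t = start
    lines = [f"{t.strftime(TS_FMT)} {src} {dst} {paths[0]}"]
    for gap, path in zip(gaps, paths[1:]):
        t += timedelta(seconds=gap)
        lines.append(f"{t.strftime(TS_FMT)} {src} {dst} {path}")
    return lines


START = datetime(2026, 4, 16, 9, 0, 0)

# Constructed flow 1: jittered beacon, roughly 60 s +/- 15 s, a fresh fake ID in every path.
BEACON_GAPS = [52, 71, 48, 66, 59, 75, 45, 63, 70, 50, 58, 68, 47, 73, 61]
BEACON_PATHS = [f"/api/v2/sessions/{i:08x}/heartbeat" for i in range(len(BEACON_GAPS) + 1)]

# Constructed flow 2: a person browsing, bursts of requests separated by long idle periods.
BROWSE_GAPS = [1, 0, 2, 1, 300, 1, 1, 900, 2, 0, 1]
BROWSE_PATHS = ["/", "/index.html", "/css/main.css", "/js/app.js", "/images/logo.png",
                "/news", "/news/1", "/news/2", "/about", "/contact", "/css/main.css", "/js/app.js"]

SAMPLE_LOG = (
    build_log("10.0.0.5", "api-sync.example.test", START, BEACON_GAPS, BEACON_PATHS)
    + build_log("10.0.0.7", "www.example.test", START, BROWSE_GAPS, BROWSE_PATHS)
    # Constructed flow 3: too few requests to judge; skipped by the minimum-event threshold.
    + build_log("10.0.0.9", "updates.example.test", START, [60, 60], ["/a", "/b", "/c"])
)


def parse(lines):
    """Group (timestamp, path) events by (src, dst) flow."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, path = line.split(" ", 3)
        flows[(src, dst)].append((datetime.strptime(ts, TS_FMT), path))
    return flows


def beacon_score(events, min_events=8, min_median=10.0, max_spread=0.4):
    """Return (is_beacon, stats) for one flow.

    A beacon shows a median gap above `min_median` seconds (not a burst) and a
    median absolute deviation that is small relative to the median: a fixed
    interval gives spread 0, bounded jitter gives a small positive spread, and
    human browsing gives either a tiny median or a very large spread.
    """
    if len(events) < min_events:
        return False, {}
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    med = median(gaps)
    if med == 0:
        return False, {"median_gap": 0.0}
    spread = median(abs(g - med) for g in gaps) / med
    unique_ratio = len({p for _, p in events}) / len(events)
    stats = {"requests": len(events), "median_gap": med,
             "spread": spread, "unique_path_ratio": unique_ratio}
    return med >= min_median and spread <= max_spread, stats


def find_beacons(lines, **thresholds):
    """Return {(src, dst): stats} for every flow whose timing looks like beaconing."""
    hits = {}
    for flow, events in parse(lines).items():
        is_beacon, stats = beacon_score(events, **thresholds)
        if is_beacon:
            hits[flow] = stats
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {stats}")
```

On the constructed data the beacon flow has a median gap of 61 s with a spread of about 0.15 and a unique-path ratio of 1.0, while the browsing flow is rejected on its 1 s median and the three-request flow never reaches the minimum-event threshold. The thresholds are starting points: tune `max_spread` to the jitter range you expect and raise `min_events` on noisy networks to keep the false-positive rate down.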

In related news, Bitsight shed light on the infection chain associated with the RondoDox botnet, highlighting the malware's evolving capabilities to illicitly mine cryptocurrency on infected systems using XMRig on top of existing distributed denial-of-service (DDoS) attack functionality. The findings paint a picture of an actively maintained malware that offers improved evasion, better resilience, aggressive competition removal, and an expanded feature set.

It is worth noting that RondoDox is capable of exploiting over 170 known vulnerabilities in various internet-facing applications to obtain initial access and drop a shell script that performs basic anti-analysis and removes competing malware before dropping the appropriate botnet binary for the architecture. The malware implements techniques such as nanomites, renaming/removing files, killing processes, and actively checking for debuggers during execution to hinder analysis.


Related Information:
  • https://www.ethicalhackingnews.com/articles/Newly-Discovered-PowMix-Botnet-Hits-Czech-Workers-Using-Randomized-C2-Traffic-Leaving-Experts-Baffled-ehn.shtml
  • https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html
  • https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/

Published: Thu Apr 16 15:03:18 2026 by llama3.2 3B Q4_K_M
