Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic

Ravie Lakshmanan | Apr 16, 2026 | Botnet / Cryptomining

\"\"

Cybersecurity researchers have disclosed an ongoing campaign, active since December 2025, that targets employees in the Czech Republic with a newly discovered botnet named PowMix.

“PowMix uses randomized command-and-control (C2) beaconing intervals to avoid detection by network signature scans,” stated Chetan Raghuprasad, a researcher at Cisco Talos, in a report released today.

“The botnet encrypts heartbeat data and victim machine identifiers into the C2 URL paths, mimicking legitimate REST API URLs. PowMix can dynamically update the C2 domain in the botnet configuration file remotely.”

The attack chain starts with a malicious ZIP file, likely distributed via a phishing email, which kicks off a multi-stage infection that ends with PowMix. The archive contains a Windows shortcut (LNK) that launches a PowerShell loader; the loader extracts the malware embedded in the archive and runs it in memory rather than dropping it to disk.

This previously unseen botnet is designed to enable remote access, reconnaissance, and remote code execution while establishing persistence through a scheduled task. It also checks the process tree to ensure no other instances of the malware are running on the compromised system.

PowMix’s remote management feature distinguishes two kinds of C2 responses. A response that starts with # is parsed as one of two control commands:

  • #KILL, which triggers self-deletion and erases all malicious artifacts
  • #HOST, which switches C2 communication to a new server URL

Any other response puts PowMix into arbitrary execution mode, and the received content is executed as a payload.

In parallel, the infection chain opens a decoy document with compliance-related content so that the victim sees something plausible. The documents name well-known brands such as Edeka and include compensation details and legal references, likely to lend credibility and to lure recipients such as job seekers.

\"\"

Talos noted that this campaign shares similarities with an earlier campaign, dubbed ZipLine, that Check Point documented in August 2025 and that targeted manufacturing companies with a malware known as MixShell.

Both campaigns deliver their payload in a ZIP archive, persist through a scheduled task, and abuse Heroku-hosted infrastructure for C2 communication. The motive behind PowMix is still unclear, however, since no final payload beyond the botnet malware itself has been observed.

“PowMix avoids continuous connections to the C2 server by implementing a jitter technique to vary beaconing intervals, preventing detection through predictable network signatures,” according to Talos.
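As an added illustration of why jitter defeats a fixed-interval signature but not interval statistics, here is a small Python detector; it is not part of the Talos report or of PowMix itself. It groups proxy log lines by (source host, destination host), deliberately ignores the URL path because PowMix varies it on every request, and compares the inter-request gaps: a fixed timer gives zero variance, a jittered beacon gives a small but bounded spread, and human browsing is heavy-tailed. The log lines, host names and paths are constructed for the example, and the thresholds are assumptions to tune against your own baseline.

```python
"""Spot jittered C2 beaconing in proxy logs by interval statistics.

Constructed example, not code from the Talos report or from PowMix.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination host> <URL path>".
# ws-17 -> api.example-corp.net beacons roughly every 60 s with +/-20 % jitter and a
# different REST-looking path on every request; the other pairs are normal traffic.
SAMPLE_LOG = """\
2026-04-15T08:00:00 ws-17 api.example-corp.net /v1/sessions/3f9a2c
2026-04-15T08:00:10 ws-17 www.example-news.com /index.html
2026-04-15T08:00:12 ws-17 www.example-news.com /css/site.css
2026-04-15T08:00:17 ws-17 www.example-news.com /js/app.js
2026-04-15T08:00:18 ws-17 www.example-news.com /img/logo.png
2026-04-15T08:00:00 ws-22 updates.example-vendor.com /check
2026-04-15T08:00:49 ws-17 api.example-corp.net /v1/sessions/91be0d
2026-04-15T08:01:59 ws-17 api.example-corp.net /v1/sessions/c07e11
2026-04-15T08:02:54 ws-17 api.example-corp.net /v1/sessions/7ad3f0
2026-04-15T08:04:00 ws-17 api.example-corp.net /v1/sessions/e2b9a4
2026-04-15T08:04:52 ws-17 api.example-corp.net /v1/sessions/5d61cc
2026-04-15T08:05:00 ws-22 updates.example-vendor.com /check
2026-04-15T08:05:56 ws-17 api.example-corp.net /v1/sessions/b48f07
2026-04-15T08:06:54 ws-17 api.example-corp.net /v1/sessions/0f9e3b
2026-04-15T08:08:05 ws-17 api.example-corp.net /v1/sessions/a1c57d
2026-04-15T08:08:55 ws-17 api.example-corp.net /v1/sessions/64e28f
2026-04-15T08:10:00 ws-22 updates.example-vendor.com /check
2026-04-15T08:15:00 ws-22 updates.example-vendor.com /check
2026-04-15T08:15:18 ws-17 www.example-news.com /article/42
2026-04-15T08:15:21 ws-17 www.example-news.com /img/hero.jpg
2026-04-15T08:20:00 ws-22 updates.example-vendor.com /check
2026-04-15T08:25:00 ws-22 updates.example-vendor.com /check
2026-04-15T08:35:21 ws-17 www.example-news.com /article/43
2026-04-15T08:35:25 ws-17 www.example-news.com /img/hero2.jpg
2026-04-15T08:40:00 ws-22 www.example-news.com /index.html
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, path); skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
    return events


def intervals_by_pair(events):
    """Per (src, dst): sorted inter-request gaps in seconds and the number of distinct paths."""
    stamps = defaultdict(list)
    paths = defaultdict(set)
    for ts, src, dst, path in events:
        stamps[(src, dst)].append(ts)
        paths[(src, dst)].add(path)
    result = {}
    for pair, times in stamps.items():
        times.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        result[pair] = (deltas, len(paths[pair]))
    return result


def classify(deltas, fixed_cv=0.02, jitter_cv=0.35, max_spread=2.5):
    """Label a gap series: 'fixed' (plain timer), 'jittered' (timer plus bounded
    randomisation), or 'irregular' (human-like, heavy-tailed). Thresholds are assumptions."""
    mu = mean(deltas)
    if min(deltas) <= 0:                  # duplicate timestamps: cannot judge periodicity
        return "irregular", mu, float("inf")
    cv = pstdev(deltas) / mu              # relative spread; exactly 0 for a fixed timer
    spread = max(deltas) / min(deltas)    # jitter stays inside a band; browsing does not
    if cv < fixed_cv:
        return "fixed", mu, cv
    if cv <= jitter_cv and spread <= max_spread:
        return "jittered", mu, cv
    return "irregular", mu, cv


def find_beacons(text, min_events=6):
    """Return {(src, dst): {...}} for every host pair with enough requests to judge."""
    report = {}
    for pair, (deltas, n_paths) in intervals_by_pair(parse_log(text)).items():
        if len(deltas) + 1 < min_events:
            continue
        label, mu, cv = classify(deltas)
        report[pair] = {"label": label, "mean_gap": mu, "cv": cv,
                        "events": len(deltas) + 1, "distinct_paths": n_paths}
    return report


if __name__ == "__main__":
    for (src, dst), r in sorted(find_beacons(SAMPLE_LOG).items()):
        print(f"{src} -> {dst}: {r['label']} (mean {r['mean_gap']:.0f}s, "
              f"cv {r['cv']:.2f}, distinct paths {r['distinct_paths']}/{r['events']})")
```

The detector keys on the host pair rather than the URL, which is the point: a path-based signature never fires when every beacon carries a freshly encrypted heartbeat in its path, but the (src, dst) pair still shows a mean gap of about a minute with a coefficient of variation well under one. Very wide jitter windows will drift into the "irregular" bucket, so in practice this check is combined with other invariants such as near-constant request sizes or a destination that only one host ever talks to.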

The disclosure coincides with Bitsight’s analysis of the RondoDox botnet’s infection chain, which highlights the malware’s ability to mine cryptocurrency with XMRig and to conduct DDoS attacks.

RondoDox’s newer builds show improved evasion, greater resilience, removal of competing malware, and an expanded feature set.

RondoDox gains initial access by exploiting more than 170 known vulnerabilities in internet-facing applications; once on a device, it removes competing malware and launches DoS attacks at different network layers according to the commands it receives from the C2 server.

“The bot implements various techniques to hinder analysis, including the usage of nanomites, file renaming/removal, process termination, and debugger detection,” explained João Godinho, a Principal Research Scientist at Bitsight.

“RondoDox is capable of running DoS attacks at the internet, transport, and application layers, based on the commands it receives from the C2 server.”