PowMix Botnet Targets Czech Workforce with Evasive Tactics
Cybersecurity researchers have uncovered a new botnet, dubbed **PowMix**, targeting the workforce in the Czech Republic. The malware employs randomized command-and-control (C2) beaconing intervals and other techniques to evade detection, highlighting the evolving sophistication of botnet operations.

**PowMix** has been actively targeting the Czech Republic since at least December 2025. According to **Cisco Talos** researcher Chetan Raghuprasad, "PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections."
### Evasion Techniques
The botnet's design focuses on stealth and persistence:
* **Randomized C2 Beaconing:** Instead of maintaining a constant connection, **PowMix** varies its communication intervals to avoid detection.
* **Encrypted Heartbeat Data:** The botnet embeds encrypted data, including unique identifiers, within C2 URL paths, mimicking legitimate REST API requests.
* **Dynamic C2 Updates:** **PowMix** can remotely update its C2 domain, ensuring continued operation even if the original server is compromised.
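The randomized cadence and REST-looking heartbeat paths described above remain visible statistically: jittered intervals still cluster in a band, and paths carrying per-request identifiers never repeat. The block below is an added example for defenders (not Talos' code or anything recovered from the malware) that scores constructed proxy log lines per host pair; the host names, paths and thresholds are assumptions.

```python
# Added example, not Talos' code or the malware's: beacon-interval analysis over
# constructed proxy log lines. Randomized gaps still cluster in a band (low
# coefficient of variation); paths that never repeat suggest embedded identifiers.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample, "<timestamp> <src> <dst> <path>"; hosts are placeholders.
SAMPLE_LOG = """\
2026-01-10T08:00:00 ws-17 c2.placeholder.invalid /api/v1/session/0a1b2c3d4e/ping
2026-01-10T08:04:00 ws-17 c2.placeholder.invalid /api/v1/session/5f6a7b8c9d/ping
2026-01-10T08:07:00 ws-17 c2.placeholder.invalid /api/v1/session/e1f2a3b4c5/ping
2026-01-10T08:13:00 ws-17 c2.placeholder.invalid /api/v1/session/d6e7f8a9b0/ping
2026-01-10T08:18:00 ws-17 c2.placeholder.invalid /api/v1/session/1c2d3e4f5a/ping
2026-01-10T08:21:00 ws-17 c2.placeholder.invalid /api/v1/session/6b7c8d9e0f/ping
2026-01-10T08:28:00 ws-17 c2.placeholder.invalid /api/v1/session/a1b2c3d4e5/ping
2026-01-10T09:00:00 ws-17 www.placeholder-news.invalid /index.html
2026-01-10T09:00:02 ws-17 www.placeholder-news.invalid /news/
2026-01-10T09:00:05 ws-17 www.placeholder-news.invalid /news/
2026-01-10T09:00:09 ws-17 www.placeholder-news.invalid /index.html
2026-01-10T09:45:00 ws-17 www.placeholder-news.invalid /sports/
2026-01-10T09:45:03 ws-17 www.placeholder-news.invalid /news/
"""

def parse_log(text):
    """Group (timestamp, path) events by (source host, destination host)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, path = line.split()
        groups[(src, dst)].append((datetime.fromisoformat(ts), path))
    return groups

def score_pair(events):
    """Interval statistics for one host pair; None when there are too few events."""
    events = sorted(events)
    if len(events) < 3:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return {"count": len(events),
            "median_gap": statistics.median(gaps),
            "cv": statistics.pstdev(gaps) / statistics.mean(gaps),  # low = steady cadence
            "unique_path_ratio": len({p for _, p in events}) / len(events)}

def find_beacon_candidates(text, min_count=6, max_cv=0.75, min_unique=0.8):
    """Flag pairs with enough requests, low-jitter cadence and never-repeating paths.
    Thresholds are illustrative starting points, not values published by Talos."""
    hits = []
    for pair, events in parse_log(text).items():
        s = score_pair(events)
        if s and s["count"] >= min_count and s["cv"] <= max_cv and s["unique_path_ratio"] >= min_unique:
            hits.append((pair, s))
    return hits
```

On the sample, only the `ws-17` to `c2.placeholder.invalid` pair is flagged; the browsing burst to the news host has a coefficient of variation near 2 and repeating paths, so it passes.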
### Infection Chain
The attack begins with a malicious ZIP file, likely distributed via phishing emails. This ZIP file contains a Windows Shortcut (LNK) file that executes a PowerShell loader. The loader then extracts, decrypts, and runs the **PowMix** malware in memory.
### Botnet Capabilities
**PowMix** is designed for remote access, reconnaissance, and remote code execution. It establishes persistence using scheduled tasks and also verifies the process tree to avoid running multiple instances of itself on the same host.
The botnet can process two types of commands from the C2 server:
* `#KILL`: Initiates a self-deletion routine, removing all traces of the malware.
* `#HOST`: Enables C2 migration to a new server URL.
### Distraction Tactics
The malware also opens a decoy document with compliance-themed lures, referencing legitimate brands like **Edeka**, to distract the victim. These documents include compensation data and legislative references to appear credible.

### Similarities to ZipLine Campaign
**Talos** notes tactical overlaps with the **ZipLine** campaign, disclosed by **Check Point** in August 2025. Both campaigns use ZIP-based payload delivery, scheduled task persistence, and **Heroku** for C2 infrastructure. The **ZipLine** campaign targeted supply chain-critical manufacturing companies with the **MixShell** malware.
### RondoDox Botnet Evolution
In related news, **Bitsight** has shed light on the evolving capabilities of the **RondoDox** botnet. This botnet now includes illicit cryptocurrency mining using **XMRig**, in addition to its existing DDoS capabilities.
**RondoDox** exploits over 170 known vulnerabilities to gain initial access, dropping a shell script that removes competing malware before deploying its own binaries. According to **Bitsight** Principal Research Scientist João Godinho, the malware employs various anti-analysis techniques, including the use of nanomites, file renaming/removal, process termination, and debugger detection.
The botnet can perform DoS attacks at the internet, transport, and application layers, depending on the commands received from its C2 server.