A sophisticated, previously undocumented botnet campaign dubbed “PowMix” has been actively targeting employees across the Czech Republic since at least December 2025, deploying advanced evasion techniques to bypass endpoint security controls and establish persistent remote access on compromised systems.
PowMix Botnet
PowMix is a PowerShell-based botnet engineered for remote access, reconnaissance, and remote code execution on victim machines.
The malware was previously unreported and stands out for its use of randomized command-and-control (C2) beaconing, in-memory execution, and dynamic C2 infrastructure migration. This combination makes it exceptionally difficult for conventional network and endpoint defenses to detect.
The botnet is delivered via a phishing email containing a malicious ZIP archive. Once the victim opens the archive and executes the embedded Windows Shortcut (.LNK) file, a multi-stage infection chain is initiated.
The LNK file triggers a PowerShell loader that extracts and decrypts the PowMix payload from the ZIP blob, executing it entirely in memory and leaving minimal forensic traces on disk.
Targeted Sectors and Social Engineering Lures
The threat actor deliberately cast a wide net across Czech organizations, targeting professionals in HR, legal, recruitment, IT, finance, and logistics. The campaign relies heavily on social engineering to increase credibility.
Attackers crafted lure documents that impersonate the legitimate EDEKA brand and reference authentic regulatory frameworks such as the Czech Data Protection Act.
Compensation tables and real legislative references were embedded in decoy documents to deceive job aspirants and compliance-focused employees into trusting and engaging with the malicious content.
These meticulously designed documents serve as distraction mechanisms while the PowMix payload silently executes in the background.
Technical Infection Chain and AMSI Bypass
The infection begins when the victim runs the LNK shortcut from the received ZIP file. The PowerShell loader script immediately creates a staging copy of the archive in the victim’s ProgramData folder.
It then applies an AMSI (Antimalware Scan Interface) bypass using reflection: it locates the AmsiUtils class among the loaded assemblies and sets its amsiInitFailed field to true, which effectively turns off AMSI scanning of subsequent script content by Windows Defender and AMSI-integrated EDR solutions.
The loader identifies a hardcoded marker (e.g., zAswKoK) embedded in the ZIP data blob as a delimiter, extracts a hidden encoded payload, reconstructs the secondary PowerShell script via string replacements, and executes it in memory using Invoke-Expression (IEX).
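Because the loader runs in memory, PowerShell Script Block Logging (Event ID 4104) is one of the few places the reflection-based AMSI tampering and the string-rebuild-then-IEX pattern described above leave a trace. The following detector is an added example written for this article, not code from Talos or from the campaign: it scores constructed 4104 script-block texts against the indicators the article names (AmsiUtils, amsiInitFailed, GetField/SetValue reflection, IEX applied to a split or replaced string, staging under ProgramData). The sample blocks, the indicator weights and the alert threshold are all assumptions chosen for illustration.

```python
import re

# Constructed Script Block Logging (Event ID 4104) samples. The text is
# invented for this example and carries only fragments of the indicator
# strings the article names; it is not the campaign's actual loader.
SAMPLE_BLOCKS = {
    "sb-001": "Get-ChildItem C:\\ProgramData | Where-Object { $_.Length -gt 1MB }",
    "sb-002": "$a = [AppDomain]::CurrentDomain.GetAssemblies() ... "
              ".GetType('...AmsiUtils').GetField('amsiInitFailed', ...).SetValue($null, $true)",
    "sb-003": '$raw = [IO.File]::ReadAllText("$env:ProgramData\\stage.zip"); '
              "$s = $raw.Split('zAswKoK')[1] -replace '@@', ''; IEX $s",
    "sb-004": 'Invoke-Expression "Get-Process | Sort-Object CPU"',
}

# Indicator name -> (pattern, weight). Weights are illustrative assumptions.
INDICATORS = {
    "amsi_utils_ref":      (re.compile(r"AmsiUtils", re.I), 3),
    "amsi_init_failed":    (re.compile(r"amsiInitFailed", re.I), 3),
    # a GetField(...) call whose result is written with SetValue(...)
    "reflection_setvalue": (re.compile(r"\.GetField\(.*?\)\s*.*?\.SetValue\(", re.I | re.S), 2),
    # IEX / Invoke-Expression applied after a Split/Replace/-replace rebuild
    "iex_on_transformed":  (re.compile(r"(-replace|\.Replace\(|Split\().*?\b(IEX|Invoke-Expression)\b",
                                       re.I | re.S), 3),
    "programdata_staging": (re.compile(r"ProgramData", re.I), 1),
}
ALERT_THRESHOLD = 4  # assumption: tune against your own baseline


def score_block(text):
    """Return (score, matched indicator names) for one script block."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return sum(INDICATORS[h][1] for h in hits), hits


def triage(blocks):
    """Map block id -> {score, indicators} for blocks at or above the threshold."""
    alerts = {}
    for bid, text in blocks.items():
        score, hits = score_block(text)
        if score >= ALERT_THRESHOLD:
            alerts[bid] = {"score": score, "indicators": hits}
    return alerts


if __name__ == "__main__":
    for bid, info in triage(SAMPLE_BLOCKS).items():
        print(f"{bid}: score={info['score']} indicators={info['indicators']}")
```

A plain Invoke-Expression (sb-004) does not alert on its own; the rebuild-then-execute pattern (sb-003) and the AMSI reflection pattern (sb-002) do. Real loaders usually obfuscate the class and field names, so the reflection pattern (GetField followed by SetValue) is the more durable signal, and Script Block Logging must be enabled before the incident for any of this to exist.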
PowMix C2 Communication and Evasion Tactics
Once active, PowMix implements several layers of detection evasion in its C2 communication strategy:
Jittered beaconing: Rather than maintaining persistent C2 connections, PowMix uses PowerShell’s Get-Random command to vary beaconing intervals, initially between 0 and 261 seconds and later between 1,075 and 1,450 seconds, which defeats detection based on predictable, fixed-interval network signatures.
REST API URL mimicry: PowMix constructs C2 URLs by embedding a Bot ID (derived from a CRC32-style checksum of the machine’s Windows ProductID), a configuration file hash, an XOR-encrypted heartbeat, a hexadecimal Unix timestamp, and a random-length hex suffix. This makes every beacon URL unique and mimics legitimate REST API call patterns.
Browser traffic spoofing: PowMix sets a Chrome User-Agent string and configures Accept-Language (en-US) and Accept-Encoding headers. It also leverages GetSystemWebProxy with DefaultCredentials to adopt the host machine’s proxy settings and authenticated session tokens, disguising C2 traffic as routine web browsing.
Dynamic C2 migration: The #HOST command allows the attacker to remotely update the C2 domain stored in PowMix’s encrypted local configuration file, enabling seamless evasion of domain blocklists.
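The jittered intervals and the unique, hex-laden URL per beacon described above are both visible in proxy logs even when the traffic itself looks like browser activity. The following profiler is an added example written for this article (not Talos tooling): it groups constructed proxy log lines by destination host, measures per-host interval jitter, the share of unique paths, and the share of paths ending in a bare hexadecimal segment, and reports hosts that combine all three. The log format, the placeholder host c2-placeholder.example, the path layout and the thresholds are assumptions; the article's two beacon windows are checked separately as a hunting aid.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed proxy log: "<ISO timestamp> <client> <method> <url>". Not real
# traffic; the C2 host is a placeholder and the path segments (bot id /
# config hash / heartbeat / timestamp / random suffix) are invented hex.
SAMPLE_PROXY_LOG = """\
2026-01-12T09:00:00Z 10.0.0.5 GET https://c2-placeholder.example/api/v1/a1b2c3d4/0ef1/3c9a/6964c3f0/9f3a
2026-01-12T09:00:30Z 10.0.0.5 GET https://api.example.org/v1/status
2026-01-12T09:01:30Z 10.0.0.5 GET https://api.example.org/v1/status
2026-01-12T09:02:30Z 10.0.0.5 GET https://api.example.org/v1/status
2026-01-12T09:03:30Z 10.0.0.5 GET https://api.example.org/v1/status
2026-01-12T09:18:22Z 10.0.0.5 GET https://c2-placeholder.example/api/v1/a1b2c3d4/0ef1/7d11/6964c83e/c0ffee12
2026-01-12T09:41:29Z 10.0.0.5 GET https://c2-placeholder.example/api/v1/a1b2c3d4/0ef1/a2e0/6964cda1/d4
2026-01-12T10:01:40Z 10.0.0.5 GET https://c2-placeholder.example/api/v1/a1b2c3d4/0ef1/5b77/6964d25c/0abc1e
2026-01-12T10:25:49Z 10.0.0.5 GET https://c2-placeholder.example/api/v1/a1b2c3d4/0ef1/e19c/6964d805/77
2026-01-12T10:26:00Z 10.0.0.5 GET https://cdn.example.net/img/logo.png
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def parse_log(text):
    """Group (timestamp, path) pairs by destination host."""
    by_host = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host, _, path = m.group(4).split("://", 1)[1].partition("/")
        by_host[host].append((ts, "/" + path))
    return by_host


def profile_host(events):
    """Per-host beacon statistics: interval jitter, path uniqueness, hex tails."""
    events = sorted(events)
    paths = [p for _, p in events]
    intervals = [int((b[0] - a[0]).total_seconds()) for a, b in zip(events, events[1:])]
    hex_tails = sum(1 for p in paths if HEX_RE.fullmatch(p.rstrip("/").rsplit("/", 1)[-1]))
    jitter = 0.0
    if len(intervals) > 1 and mean(intervals) > 0:
        jitter = (max(intervals) - min(intervals)) / mean(intervals)
    return {
        "requests": len(paths),
        "unique_path_ratio": len(set(paths)) / len(paths),
        "hex_tail_ratio": hex_tails / len(paths),
        "intervals": intervals,
        "jitter": round(jitter, 2),
        # the two windows reported for PowMix: 0-261 s and 1,075-1,450 s
        "in_powmix_windows": bool(intervals) and all(i <= 261 or 1075 <= i <= 1450 for i in intervals),
    }


def suspicious_hosts(text, min_requests=4):
    """Hosts whose requests are all unique, hex-tailed and irregularly spaced."""
    out = {}
    for host, events in parse_log(text).items():
        p = profile_host(events)
        if (p["requests"] >= min_requests and p["unique_path_ratio"] >= 0.9
                and p["hex_tail_ratio"] >= 0.8 and p["jitter"] >= 0.1):
            out[host] = p
    return out


if __name__ == "__main__":
    for host, p in suspicious_hosts(SAMPLE_PROXY_LOG).items():
        print(host, p)
```

Only the placeholder C2 host is reported: the status API repeats one path at a fixed 60-second cadence, and the CDN fetch is a single request. Analytics or cache-busting endpoints that append random tokens can trip the same heuristic, so treat the output as a hunting lead to correlate with the PowerShell and scheduled-task findings rather than as a blocking signature.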
Persistence and Remote Commands
PowMix establishes persistence by creating a Windows scheduled task named using a concatenation of the Bot ID and configuration hash, resulting in an innocuous-looking random hexadecimal string (e.g., 289c2e236761).
The task triggers at 11:00 AM daily, launching Windows Explorer with the malicious LNK file as an argument to re-execute the loader.
A global mutex named Global\[BotID] prevents multiple instances of PowMix from running simultaneously across user sessions.
The malware also verifies its parent process context, restarting itself in privileged context if not running under svchost.exe or powershell.exe.
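The persistence artefacts above (a task named with a bare 12-character hex string, a daily 11:00 trigger, and Windows Explorer launched with a .LNK path under ProgramData) are easy to audit from a scheduled-task export. The following audit script is an added example written for this article, not Talos code: it reads a constructed CSV in the shape of a `schtasks /query /fo CSV /v` export (a subset of its columns) and scores each task on those traits. The rows, the task and file names, and the weights and thresholds are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed export, modeled on a subset of the columns that
# `schtasks /query /fo CSV /v` emits. Every row is invented for this example.
SAMPLE_TASK_CSV = '''\
"TaskName","Task To Run","Schedule Type","Start Time","Run As User","Author"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h","Weekly","1:00:00 AM","SYSTEM","Microsoft Corporation"
"\\289c2e236761","explorer.exe C:\\ProgramData\\job_offer.lnk","Daily","11:00:00 AM","CORP\\j.novak","CORP\\j.novak"
"\\a1b2c3d4e5f6","C:\\Tools\\sync.exe --quiet","Daily","6:30:00 AM","CORP\\j.novak","CORP\\j.novak"
"\\OneDrive Standalone Update Task-S-1-5-21-1","C:\\Users\\j.novak\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","12:00:00 PM","CORP\\j.novak","CORP\\j.novak"
'''

HEX_NAME = re.compile(r"[0-9a-f]{8,16}", re.I)           # bare hex task name
LNK_VIA_EXPLORER = re.compile(r"\bexplorer(\.exe)?\b.*\.lnk\b", re.I)


def audit_task(row):
    """Return (score, reasons) for one task row; weights are assumptions."""
    reasons = []
    leaf = row["TaskName"].rsplit("\\", 1)[-1]
    if HEX_NAME.fullmatch(leaf):
        reasons.append(("random_hex_name", 2))
    cmd = row["Task To Run"]
    if LNK_VIA_EXPLORER.search(cmd):
        reasons.append(("explorer_launches_lnk", 3))
    if "programdata" in cmd.lower():
        reasons.append(("runs_from_programdata", 1))
    if row["Schedule Type"].lower() == "daily" and row["Start Time"].startswith("11:00"):
        reasons.append(("daily_11am_trigger", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def audit_tasks(csv_text, review_at=2, alert_at=4):
    """Findings ordered as in the export; 'alert' at alert_at, 'review' below it."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score, reasons = audit_task(row)
        if score >= review_at:
            findings.append({
                "task": row["TaskName"],
                "score": score,
                "level": "alert" if score >= alert_at else "review",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASK_CSV):
        print(f"{f['level']:6} {f['score']} {f['task']} {f['reasons']}")
```

The hex-named task that launches a .LNK through explorer.exe scores as an alert; a hex-named task with an ordinary executable is only marked for review, since some legitimate installers also use opaque names. The Explorer-plus-LNK action is the strongest single trait and is worth alerting on even when the name and trigger differ from the ones reported here.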
PowMix handles two key remote management commands from its C2 server:
- #KILL – Silently removes scheduled task persistence via Unregister-ScheduledTask and wipes all malware files using Remove-Item -Recurse -Force
- #HOST – Updates the C2 domain to a new address, encrypting and saving it to the local configuration file for future beaconing cycles
Overlaps With ZipLine Campaign
According to Talos, significant tactical overlaps have been identified between PowMix and the ZipLine campaign, which targeted supply chain-critical manufacturing companies using an in-memory malware called MixShell.
Shared TTPs include identical ZIP-based payload concealment, Windows scheduled task persistence, CRC32-based Bot ID generation, and abuse of Heroku (herokuapp.com) for C2 infrastructure.
While the overlaps suggest a possible operational connection, the final payloads and ultimate objectives of the PowMix campaign remain unknown.
Detection, Coverage, and IOCs
Cisco Talos has released ClamAV signatures to detect and block PowMix, including:
- Lnk.Trojan.PowMix-10059735-0
- Txt.Trojan.PowMix-10059742-0
- Win.Trojan.PowMix-10059728-0
Snort Rules (SID 66118) for both Snort2 and Snort3 are also available. All IOCs, including C2 domains and file hashes, are published.
Organizations in the Czech Republic, particularly those in HR, legal, and logistics, are strongly urged to enforce email filtering, monitor for anomalous PowerShell activity, and audit scheduled tasks for random hexadecimal names.
FAQ
Q1: What is the PowMix botnet?
PowMix is a previously undocumented PowerShell-based botnet discovered by Cisco Talos, active since December 2025, that targets workers in the Czech Republic with remote access, reconnaissance, and code execution capabilities via phishing-delivered LNK files.
Q2: How does PowMix evade detection?
PowMix bypasses AMSI using reflection-based techniques, uses jittered C2 beaconing intervals, mimics REST API URLs with unique per-request paths, and spoofs Chrome browser headers to disguise C2 traffic as legitimate web activity.
Q3: Which sectors are targeted by the PowMix botnet campaign?
The campaign targets Czech professionals in the HR, legal, recruitment, IT, finance, and logistics sectors, using EDEKA-branded decoy documents and references to the Czech Data Protection Act as social engineering lures.
Q4: How is PowMix related to the ZipLine malware campaign?
Both campaigns share tactical overlaps, including ZIP-based payload delivery, CRC32 Bot ID generation, scheduled task persistence, and Heroku C2 abuse. However, the final payload and intent of PowMix remain unconfirmed by researchers.
Site: http://thecybrdef.com