PowMix Botnet Targets Czech Workforce with Randomized Command-and-Control Traffic

Key Findings


  • The PowMix botnet has been actively targeting the Czech workforce since at least December 2025 with previously undocumented malware

  • Campaign uses randomized C2 beaconing intervals and encrypted heartbeat data embedded in REST API-mimicking URLs to evade detection

  • Multi-stage attack chain initiated via phishing emails containing malicious ZIP files with Windows Shortcut (LNK) files

  • PowerShell loader employs AMSI bypass techniques to execute botnet payload directly in memory without triggering security controls

  • Lure documents impersonate EDEKA brand and reference Czech Data Protection Act to target HR, legal, and recruitment personnel

  • Tactical overlaps with ZipLine campaign including ZIP-based payload delivery, scheduled task persistence, and abuse of Heroku for C2 infrastructure

  • Final payload intentions remain unclear despite observed botnet capabilities for remote access and reconnaissance


Background


Cisco Talos researchers discovered an ongoing malicious campaign targeting the Czech Republic workforce through a previously undocumented botnet called PowMix. The campaign has been operating since at least December 2025 and demonstrates sophisticated evasion techniques designed to avoid network signature detection. The botnet's architecture relies on randomized command-and-control beaconing rather than persistent connections, a deliberate design choice to stay under the radar of traditional network monitoring systems.


C2 Communication and Evasion Techniques


PowMix implements several layers of obfuscation to maintain stealth. The botnet embeds encrypted heartbeat data along with unique victim machine identifiers directly into C2 URL paths, making malicious traffic appear as legitimate REST API communications to unsuspecting network monitoring systems.


The beaconing strategy employs randomized intervals that vary initially between 0 and 261 seconds, and subsequently between 1,075 and 1,450 seconds using PowerShell's Get-Random command. This jitter prevents defenders from identifying predictable network signatures associated with C2 traffic. Additionally, PowMix can dynamically update its C2 domain configuration file remotely, allowing attackers to pivot to new infrastructure if existing servers are identified and blocked.
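Bounded jitter defeats fixed-period signatures, but every gap still falls inside a narrow window, and the "REST" path still carries an opaque encrypted segment. The following is an added example, not code from the Talos report, that hunts for both traits in a constructed proxy log; the hostname, IPs, paths and the 1,075-1,450 s window (taken from the page's later beacon phase) are assumptions, and the entropy threshold is a heuristic.

```python
import math
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed proxy log, "<ISO-8601 time> <src_ip> <url>" (not from the report):
# 10.0.0.5 beacons with 1,152/1,301/1,098/1,420 s gaps; 10.0.0.7 polls an API every 60 s.
SAMPLE_LOG = """\
2026-03-02T08:00:00Z 10.0.0.5 https://example-app.herokuapp.com/api/v1/status/1a2b3c4d/Zm9vYmFyYmF6cXV4
2026-03-02T08:19:12Z 10.0.0.5 https://example-app.herokuapp.com/api/v1/status/1a2b3c4d/Q2hlY2tJbk9rMTIz
2026-03-02T08:40:53Z 10.0.0.5 https://example-app.herokuapp.com/api/v1/status/1a2b3c4d/SGVhcnRiZWF0OTk5
2026-03-02T08:59:11Z 10.0.0.5 https://example-app.herokuapp.com/api/v1/status/1a2b3c4d/UG9sbEFnYWluNDU2
2026-03-02T09:22:51Z 10.0.0.5 https://example-app.herokuapp.com/api/v1/status/1a2b3c4d/TGFzdE9uZTc4OQ
2026-03-02T08:00:00Z 10.0.0.7 https://api.example.org/v1/users/list
2026-03-02T08:01:00Z 10.0.0.7 https://api.example.org/v1/users/list
2026-03-02T08:02:00Z 10.0.0.7 https://api.example.org/v1/users/list
2026-03-02T08:03:00Z 10.0.0.7 https://api.example.org/v1/users/list
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded heartbeat blobs score higher than API words."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def parse_log(text: str):
    flows = defaultdict(list)  # (src_ip, dest_host) -> [(timestamp, url_path), ...]
    for line in text.splitlines():
        ts, src, url = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        u = urlparse(url)
        flows[(src, u.hostname)].append((when, u.path))
    return flows

def beacon_intervals(events):
    times = sorted(t for t, _ in events)  # seconds between consecutive requests
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def flag_jittered_beacons(text: str, lo=1075, hi=1450, min_hits=4, entropy_min=3.0):
    """Flows whose gaps all sit inside [lo, hi] s and whose path has an opaque segment."""
    flagged = []
    for (src, host), events in parse_log(text).items():
        gaps = beacon_intervals(events)
        if len(gaps) < min_hits - 1 or not all(lo <= g <= hi for g in gaps):
            continue
        max_ent = max(shannon_entropy(seg) for _, p in events for seg in p.split("/") if seg)
        if max_ent > entropy_min:
            flagged.append((src, host, gaps, round(max_ent, 2)))
    return flagged
```

Widen `lo`/`hi` (or run a second pass with 0-261 s) to cover the initial beacon phase the page describes; the interval band is what survives the jitter, so tune it per observed campaign rather than fixing one period.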


Attack Delivery Mechanism


The infection chain begins when victims receive a phishing email containing a malicious ZIP file. Upon execution of the included Windows Shortcut file, a PowerShell loader script is triggered. This loader first creates a copy of the ZIP file in the victim's ProgramData folder, then extracts and executes the embedded PowMix botnet payload directly in memory.


The PowerShell loader includes sophisticated anti-analysis capabilities. It dynamically constructs folder paths to locate the original ZIP file and employs string obfuscation throughout its execution. The script searches for hardcoded markers within the ZIP file data blob to extract hidden, encoded commands embedded within the archive structure.


AMSI Bypass and Memory Execution


A critical component of the attack's success lies in its ability to disable the AMSI-based script scanning that Windows Defender and endpoint detection and response solutions rely on. The PowerShell loader uses reflection to locate the AmsiUtils class within loaded assemblies, then manually sets its amsiInitFailed field to true. Because PowerShell consults that field before handing content to AMSI, the runtime behaves as though AMSI initialization had failed, effectively disabling real-time scanning and allowing subsequent malicious code to execute in memory undetected.


By running the botnet payload directly in memory rather than writing files to disk, the attack avoids triggering traditional file-based detection mechanisms. This approach significantly increases the likelihood that compromised systems go unnoticed during initial infection stages.
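In-memory execution leaves nothing on disk, but PowerShell ScriptBlock logging (Event ID 4104) still records the script text, including the reflective AmsiUtils access described above. The following is an added example, not code from the report, that scans constructed 4104 script-block text for the indicators the page names; because the loader uses string obfuscation, it first folds concatenated literals such as 'Amsi'+'Utils' back together. The sample script block is a constructed, deliberately truncated excerpt, and the indicator names are assumptions.

```python
import re

# Constructed ScriptBlock log entries (Event ID 4104), not taken from the report.
# Block 0 is a truncated excerpt of reflective AmsiUtils access with the class and
# field names split across concatenated literals; block 1 is benign admin code.
SCRIPT_BLOCKS = [
    "$a=[Ref].Assembly.GetType(('System.Management.Automation.A'+'msiUt'+'ils'));"
    "$f=$a.GetField(('amsiInit'+'Failed'),'NonPublic,Static')",
    "Get-ChildItem C:\\ProgramData | Where-Object { $_.PSIsContainer } | Select Name",
]

# Indicators the page names: the AmsiUtils class, the amsiInitFailed field, and
# reflective access to a non-public static field.
INDICATORS = {
    "amsiutils_type": re.compile(r"AmsiUtils", re.I),
    "amsiinitfailed_field": re.compile(r"amsiInitFailed", re.I),
    "reflective_nonpublic_field": re.compile(r"GetField\s*\(.*NonPublic\s*,\s*Static", re.I | re.S),
}

# Two adjacent quoted literals joined by '+', e.g. 'Amsi'+'Utils'
_CONCAT = re.compile(r"(['\"])([^'\"]*)\1\s*\+\s*(['\"])([^'\"]*)\3")

def normalize(script: str) -> str:
    """Fold 'a'+'b'+'c' literal chains into one literal so split names match."""
    prev = None
    while prev != script:  # repeat until no concatenation remains
        prev, script = script, _CONCAT.sub(lambda m: f"'{m.group(2)}{m.group(4)}'", script)
    return script

def amsi_bypass_indicators(script: str):
    """Sorted indicator names that match the de-obfuscated script block."""
    text = normalize(script)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def scan_blocks(blocks):
    """(index, indicators) for every block with at least one indicator."""
    return [(i, hits) for i, b in enumerate(blocks) if (hits := amsi_bypass_indicators(b))]
```

Feed real 4104 message bodies in place of the constructed list; a single hit on `amsiinitfailed_field` is already worth an alert, since legitimate scripts have no reason to touch that field.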


Victimology and Targeting


Attackers specifically targeted Czech organizations across multiple levels using carefully crafted social engineering lures. The decoy documents impersonate the legitimate EDEKA brand and reference authentic regulatory frameworks like the Czech Data Protection Act to enhance credibility. These documents include compensation data and legislative references designed to appeal to job aspirants across sectors including IT, finance, and logistics.


The targeting strategy suggests attackers were attempting to compromise personnel in human resources, legal, and recruitment departments. By leveraging compliance-themed lures and references to legitimate regulatory frameworks, attackers significantly increased the likelihood of successful phishing engagement from target populations who handle sensitive organizational documents as part of their routine work.


Connections to Previous Campaigns


Talos identified several tactical similarities between the PowMix campaign and the ZipLine campaign disclosed by Check Point in August 2025. Both campaigns utilize ZIP-based payload concealment, establish persistence through Windows scheduled tasks, and abuse the legitimate Heroku platform for command-and-control infrastructure.


Both campaigns also employ CRC32-based BOT ID generation for victim machine identification. However, the final payloads and ultimate intentions of the PowMix campaign remain unobserved, leaving significant gaps in understanding the attacker's long-term objectives beyond establishing botnet presence on compromised systems.


Command Execution and Persistence


PowMix establishes persistence by creating a scheduled task on compromised hosts. The botnet implements process tree verification to prevent multiple instances of the malware from running simultaneously, reducing resource consumption and potential detection risk.


The botnet distinguishes two primary command types from the C2 server by the presence of a hash-symbol prefix. Commands without the prefix trigger arbitrary execution mode, in which PowMix decrypts and executes the obtained payload. The remaining commands are control instructions: KILL initiates a self-deletion routine and removes traces of malicious artifacts from the infected system, and HOST migrates the C2 to a new server URL when existing infrastructure is compromised.


As a distraction mechanism, the botnet opens decoy documents displaying the compliance-themed lure content while establishing malware persistence in the background, keeping user attention focused on the benign-appearing document rather than suspicious system activity.


Sources


  • https://blog.talosintelligence.com/powmix-botnet-targets-czech-workforce/

  • https://thehackernews.com/2026/04/newly-discovered-powmix-botnet-hits.html

  • https://www.reddit.com/r/pwnhub/comments/1sn0cjp/powmix_botnet_pwns_czech_workforce/

  • https://www.socdefenders.ai/item/6fb76940-1c49-4d27-b69e-53f80fc77ac8

  • https://malware.news/t/powmix-botnet-targets-czech-workforce/106132

© 2025 by Explain IT Again. Powered and secured by Wix