PowMix Botnet Targets Czech Job Market with PowerShell-Based In-Memory Malware

CyberSecureFox

A new botnet dubbed PowMix has been observed targeting employees and job seekers in the Czech Republic, according to Cisco Talos researchers. The campaign combines phishing emails, Windows shortcut (LNK) files, and in-memory PowerShell malware to evade detection, highlighting how attackers are refining both social engineering and technical stealth.

Targeted phishing against employees and job seekers

The PowMix operation begins with malicious ZIP archives delivered via convincing phishing emails. Messages are crafted around regulatory compliance, compensation, and HR‑related topics, which are highly relevant for candidates, HR staff, and finance teams. Lure documents reference well‑known brands such as Edeka and real labor law concepts to create an impression of legitimacy.

By aligning the content with typical corporate workflows and recruitment processes, the attackers reduce suspicion and increase the likelihood that users will open attachments and execute the embedded shortcut, effectively turning standard business communication channels into an infection vector.

Infection chain: ZIP, LNK shortcut, and in‑memory PowerShell execution

Inside the ZIP archive, victims find a Windows LNK file masquerading as a document or work file. When opened, the shortcut launches a PowerShell loader instead of a benign document. This script extracts an embedded payload from the archive, decrypts it, and executes it directly in system memory.

This in‑memory execution technique leaves minimal traces on disk and significantly complicates detection by traditional antivirus and many endpoint detection and response (EDR) tools that rely heavily on file‑based signatures. Similar abuse of PowerShell and other scripting engines has been a recurring theme in incident reports and in studies such as the Verizon Data Breach Investigations Report, confirming that script‑based malware remains a key enterprise threat.

PowMix capabilities: remote access, persistence, and stealthy C2 traffic

Remote control and single‑instance execution

PowMix functions primarily as a remote access tool (RAT). Once deployed, it enables operators to perform host reconnaissance, move laterally within the network, and execute arbitrary code. For persistence, PowMix creates a Scheduled Task, ensuring the malware is relaunched automatically after system reboots.

Before starting a new instance, PowMix checks the process tree to verify that no other copy is already running on the same host. This avoids resource contention and reduces abnormal activity that could trigger behavioral alerts, supporting a quieter, longer‑term presence.
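The infection chain and persistence described above (Explorer launching a shortcut that spawns a hidden PowerShell loader, then a Scheduled Task that relaunches it) leave a recognisable sequence in endpoint telemetry. The following is an added illustration of correlating that sequence; it is not code from the article or from Cisco Talos. The event records are constructed and use this example's own simplified field names (ts, host, kind, image, parent_image, cmdline, cwd, task_name, task_action) rather than a real Sysmon or EDR schema, and the only indicators it relies on are the well-known PowerShell switches (-WindowStyle hidden, -NoProfile, -ExecutionPolicy Bypass, -EncodedCommand) and Explorer's Temp1_<archive>.zip extraction folder.

```python
"""Correlate endpoint telemetry for a PowMix-style chain: Explorer starts a hidden
PowerShell loader (the clicked LNK's target), then a scheduled task is registered
to relaunch PowerShell after reboot. Added example; constructed records with a
simplified schema, not a real Sysmon/EDR format."""
import re
from collections import defaultdict

# Loader-style switches; a spawn combining two or more is scored as suspicious.
SUSPICIOUS_SWITCHES = [
    re.compile(r"(?i)(^|\s)-(w|win|windowstyle)\s+hidden"),
    re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"),
    re.compile(r"(?i)(^|\s)-(ep|exec|executionpolicy)\s+bypass"),
    re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"),
]
POWERSHELL = re.compile(r"(?i)(^|\\)(powershell|pwsh)\.exe$")
EXPLORER = re.compile(r"(?i)\\explorer\.exe$")
# Folder Explorer uses when a file inside a ZIP is opened without extracting the archive first.
ZIP_TEMP = re.compile(r"(?i)\\temp\\temp\d+_[^\\]+\.zip(\\|$)")


def suspicious_switch_count(cmdline: str) -> int:
    return sum(1 for pat in SUSPICIOUS_SWITCHES if pat.search(cmdline))


def is_loader_spawn(ev: dict) -> bool:
    """Stage 1: Explorer starts PowerShell with loader-style switches, or from the
    temporary folder of an opened ZIP."""
    if ev["kind"] != "process":
        return False
    if not POWERSHELL.search(ev["image"]) or not EXPLORER.search(ev["parent_image"]):
        return False
    return suspicious_switch_count(ev["cmdline"]) >= 2 or bool(ZIP_TEMP.search(ev.get("cwd", "")))


def is_persistence_task(ev: dict) -> bool:
    """Stage 2: a newly created scheduled task whose action is PowerShell with loader-style switches."""
    if ev["kind"] != "task_created" or not ev["task_action"]:
        return False
    program = ev["task_action"].split()[0].strip('"')
    return bool(POWERSHELL.search(program)) and suspicious_switch_count(ev["task_action"]) >= 1


def correlate(events, window_s=900):
    """One finding per loader spawn followed on the same host, within window_s, by a persistence task."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        tasks = [e for e in evs if is_persistence_task(e)]
        for spawn in (e for e in evs if is_loader_spawn(e)):
            for task in tasks:
                delay = task["ts"] - spawn["ts"]
                if 0 <= delay <= window_s:
                    findings.append({"host": host, "spawn_ts": spawn["ts"],
                                     "task": task["task_name"], "delay_s": delay})
                    break
    return findings


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: two benign WS02 records, then both stages of the chain on WS01.
EVENTS = [
    {"ts": 100, "host": "WS02", "kind": "process", "image": PS_EXE,
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -File C:\ops\inventory.ps1", "cwd": r"C:\ops"},
    {"ts": 120, "host": "WS02", "kind": "task_created", "task_name": r"\Corp\Inventory",
     "task_action": PS_EXE + r" -File C:\ops\inventory.ps1"},
    {"ts": 1000, "host": "WS01", "kind": "process", "image": PS_EXE,
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc " + "A" * 40,  # placeholder base64
     "cwd": r"C:\Users\jana\AppData\Local\Temp\Temp1_Nabidka.zip"},
    {"ts": 1012, "host": "WS01", "kind": "task_created", "task_name": r"\Updater",
     "task_action": PS_EXE + r" -w hidden -nop -ep bypass -File C:\Users\jana\AppData\Roaming\u.ps1"},
]

if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"{f['host']}: hidden PowerShell spawned by Explorer at t={f['spawn_ts']}, "
              f"persistence task {f['task']} created {f['delay_s']} s later")
```

Either stage alone produces false positives in environments with legitimate hidden PowerShell automation; correlating the Explorer-spawned loader with a task creation on the same host within minutes is what makes the alert specific to a user-opened shortcut. Script block logging (Event ID 4104) would add the decoded loader body to the same investigation.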

Randomized beaconing and REST‑like C2 communication

A distinctive feature of PowMix is its command‑and‑control (C2) communication strategy. Instead of maintaining a constant connection, the bot periodically sends beacons to the C2 server at randomized intervals generated with the Get-Random PowerShell command. Initial delays range from 0 to 261 seconds, later expanding to 1,075–1,450 seconds for lower‑frequency check‑ins.

This jitter frustrates signature‑based and pattern‑based network detection. Additionally, PowMix embeds encrypted heartbeat data and unique host identifiers directly in the URL path, making traffic resemble legitimate REST API requests over HTTP. To many security controls, this appears as routine web service communication rather than malicious C2, complicating detection in high‑volume corporate environments.
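Jitter defeats detections that look for a fixed period, but a beacon whose intervals stay inside a bounded band, combined with a URL path whose last segment changes on every request and looks encoded, is still separable from human browsing and from plain update checks. The following is an added example of that analysis over proxy logs; it is not the article's or Cisco Talos's code. The log lines use a constructed "epoch src dst method path" format with placeholder hostnames, the 1,075 to 1,450 second band used for the in_powmix_band annotation is the check-in interval the article reports, and every threshold in it is this example's own assumption.

```python
"""Spot jittered, REST-looking beacons in proxy logs. Added example with constructed
log lines; thresholds are assumptions to be tuned against your own baseline."""
import math
import random
import re
import statistics
from collections import Counter, defaultdict

LINE = re.compile(r"^(\d+) (\S+) (\S+) (GET|POST|PUT) (\S+)$")


def parse(log_text: str):
    """Return (ts, src, dst, method, path) tuples; malformed lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((int(m[1]), m[2], m[3], m[4], m[5]))
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded blobs score high, natural path words low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def analyse(rows, min_requests=6, max_gap_ratio=2.0, min_distinct=0.8, min_entropy=3.0):
    """Flag src->dst pairs whose check-ins are periodic with jitter (largest gap at most
    max_gap_ratio times the smallest) and whose last path segment is unique per request
    and high-entropy, i.e. data riding inside a REST-looking URL."""
    by_pair = defaultdict(list)
    for ts, src, dst, _method, path in rows:
        by_pair[(src, dst)].append((ts, path))
    findings = []
    for (src, dst), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        if min(gaps) <= 0 or max(gaps) / min(gaps) > max_gap_ratio:
            continue  # bursts or human-like irregular traffic
        segments = [p.rstrip("/").rsplit("/", 1)[-1] for _, p in reqs]
        distinct = len(set(segments)) / len(segments)
        entropy = statistics.mean(shannon_entropy(s) for s in segments)
        if distinct < min_distinct or entropy < min_entropy:
            continue  # same resource every time: looks like a plain update check
        median = statistics.median(gaps)
        findings.append({
            "src": src, "dst": dst, "requests": len(reqs),
            "gap_min": min(gaps), "gap_max": max(gaps), "median_gap": median,
            "jitter": round((max(gaps) - min(gaps)) / median, 2),
            "path_entropy": round(entropy, 2),
            "in_powmix_band": 1075 <= min(gaps) and max(gaps) <= 1450,  # band from the article
        })
    return findings


def build_sample_log() -> str:
    """Constructed sample: one jittered beacon, one person browsing an intranet API,
    one fixed-period update check. Hostnames are placeholders."""
    rng = random.Random(7)
    lines = []
    t = 1_700_000_000
    for _ in range(8):  # beacon: 1,075-1,450 s between check-ins, encoded blob in the path
        t += rng.randint(1075, 1450)
        blob = "".join(rng.choice("0123456789abcdef") for _ in range(32))
        lines.append(f"{t} ws01 app-placeholder.example GET /api/v1/status/{blob}")
    t = 1_700_000_000
    pages = ["users/42", "users/42", "teams", "users/7", "teams", "users/42", "login", "teams"]
    for gap, page in zip([0, 3, 120, 1, 900, 5, 40, 2000], pages):
        t += gap
        lines.append(f"{t} ws02 intranet.example GET /api/v1/{page}")
    t = 1_700_000_000
    for _ in range(8):  # fixed hourly update check, identical path every time
        t += 3600
        lines.append(f"{t} ws03 updates.example GET /check")
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in analyse(parse(build_sample_log())):
        print(finding)
```

Two caveats a practitioner would want: the initial phase the article describes (0 to 261 seconds, where gaps can be near zero) will not pass the gap-ratio test, so the path feature has to carry detection on its own there; and the max_gap_ratio, entropy and distinctness thresholds should be calibrated on a week of your own proxy data, since some legitimate APIs also put tokens in the path.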

Tactical overlap with ZipLine and abuse of Heroku C2 infrastructure

Researchers note strong tactical similarities between PowMix and the ZipLine campaign documented by Check Point in August 2025, which targeted manufacturing and supply‑chain‑critical organizations. Both operations rely on ZIP archives, persistence via Scheduled Tasks, and the abuse of Heroku as C2 infrastructure. ZipLine's MixShell component was likewise executed in memory, mirroring PowMix's fileless approach.

In the current PowMix activity, no secondary payloads beyond the botnet itself have yet been observed. This leaves the ultimate objective open to interpretation, ranging from long‑term espionage and access staging for future operations to eventual monetization via ransomware or data theft.

RondoDox botnet: mass exploitation, DDoS, and cryptomining

In parallel, Bitsight has documented a separate botnet, RondoDox, which contrasts with PowMix’s targeted approach. RondoDox focuses on mass compromise of internet‑exposed systems, combining DDoS functionality with illicit cryptocurrency mining using XMRig. The botnet is capable of exploiting more than 170 known vulnerabilities in web applications and services to gain initial footholds.

After exploiting a vulnerability, attackers deploy a shell script that performs basic anti‑analysis checks, removes competing malware, and downloads a RondoDox binary tailored to the victim’s CPU architecture, maximizing performance and stability across heterogeneous environments.

Anti‑analysis techniques and multi‑layer DDoS attacks

RondoDox embeds a broad set of anti‑analysis mechanisms, including nanomites, aggressive file renaming and deletion, process termination, and active debugger detection during runtime. These techniques impede reverse engineering and sandboxing, prolonging the botnet’s operational lifetime.

Once established, RondoDox receives instructions from its C2 infrastructure to launch denial‑of‑service attacks at the network, transport, and application layers. This multi‑vector capability allows operators to overwhelm victim infrastructure, support extortion schemes, or offer DDoS‑for‑hire services to third parties.

The emergence of PowMix and RondoDox illustrates the rapid evolution of botnets, which now blend stealthy infection chains, advanced evasion, and modular monetization mechanisms. Organizations in Czechia and worldwide should reinforce email security gateways, closely monitor and restrict the use of PowerShell and other system interpreters, and promptly patch vulnerable internet‑facing services. Deploying behavioral network analytics, monitoring outbound traffic to cloud PaaS platforms such as Heroku, and regularly training staff, especially HR and finance teams, to recognize phishing and unusual attachments can significantly reduce the risk of compromise by this new generation of botnets.
