Cybersecurity researchers have identified a new botnet dubbed PowMix, which has been targeting the Czech workforce since late 2025. The malware uses randomized command-and-control (C2) beaconing intervals and URL paths that mimic legitimate REST APIs to evade signature-based network detection. Delivered via phishing emails containing malicious ZIP files, the multi-stage infection chain uses Windows Shortcut (LNK) files and PowerShell loaders to execute the final payload directly in memory.
Once active, PowMix provides remote access and code execution capabilities while maintaining persistence through scheduled tasks. It features specialized commands for self-deletion and dynamic C2 server migration to evade discovery. Additionally, the report highlights the evolution of the RondoDox botnet, which now incorporates cryptocurrency mining and advanced anti-analysis features like nanomites, reflecting a broader trend of increasing complexity and resilience in modern malicious operations.
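The report's point about randomized beacon intervals and REST-like URL paths is that a signature on the path or on a fixed interval will not fire. One defensive answer is to score each client-to-host pair on timing regularity instead, since a jittered beacon still has a far lower variance between requests than human browsing. The following is an added illustration, not code from the report or from any vendor tool; the proxy log lines are constructed for the example, and the thresholds (`min_requests`, `max_cv`) are assumptions to be tuned per environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real PowMix traffic).
# Format: ISO timestamp, source IP, destination host, request path.
# 10.0.0.5 talks to one host roughly every 5 minutes with jitter and
# ever-changing REST-looking paths; 10.0.0.7 is ordinary bursty browsing.
SAMPLE_PROXY_LOG = """\
2025-11-03T09:00:00Z 10.0.0.5 api.example-cdn.test /api/v1/users/42/status
2025-11-03T09:04:50Z 10.0.0.5 api.example-cdn.test /api/v1/orders/7/items
2025-11-03T09:09:10Z 10.0.0.5 api.example-cdn.test /api/v1/users/9/profile
2025-11-03T09:14:20Z 10.0.0.5 api.example-cdn.test /api/v1/sessions/refresh
2025-11-03T09:19:05Z 10.0.0.5 api.example-cdn.test /api/v1/orders/11/status
2025-11-03T09:24:30Z 10.0.0.5 api.example-cdn.test /api/v1/users/3/profile
2025-11-03T09:29:15Z 10.0.0.5 api.example-cdn.test /api/v1/orders/2/items
2025-11-03T09:01:00Z 10.0.0.7 www.example-news.test /news/today
2025-11-03T09:01:03Z 10.0.0.7 www.example-news.test /news/sports
2025-11-03T09:45:00Z 10.0.0.7 www.example-news.test /news/today
2025-11-03T11:20:00Z 10.0.0.7 www.example-news.test /weather
2025-11-03T11:20:02Z 10.0.0.7 www.example-news.test /static/app.js
2025-11-03T13:02:00Z 10.0.0.7 www.example-news.test /news/today
2025-11-03T13:02:01Z 10.0.0.7 www.example-news.test /static/app.js
"""


def parse_proxy_log(log_text):
    """Group requests by (source IP, destination host).

    Returns {(src, host): [(datetime, path), ...]} with each list sorted by time.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        sessions[(src, host)].append((when, path))
    for events in sessions.values():
        events.sort(key=lambda e: e[0])
    return sessions


def find_beacon_candidates(log_text, min_requests=6, max_cv=0.3):
    """Flag client/host pairs whose inter-request timing is suspiciously regular.

    The coefficient of variation (std dev / mean) of the gaps between requests
    is low for a beacon even when the malware adds jitter, and high for a human.
    Path diversity is reported, not used for the decision, because REST-mimicking
    paths are exactly what defeats a URL signature.
    """
    candidates = []
    for (src, host), events in parse_proxy_log(log_text).items():
        if len(events) < min_requests:
            continue
        times = [e[0] for e in events]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            candidates.append({
                "src": src,
                "host": host,
                "requests": len(events),
                "median_interval_s": statistics.median(gaps),
                "interval_cv": round(cv, 3),
                "distinct_paths": len({e[1] for e in events}),
            })
    return candidates


if __name__ == "__main__":
    for hit in find_beacon_candidates(SAMPLE_PROXY_LOG):
        print(hit)
```

Run on the constructed log, only the 10.0.0.5 pair is reported (median gap about 287 s, variation well under 10 percent, seven distinct paths), while the browsing host is ignored. In production the same scoring runs per day over proxy or firewall logs and is combined with allow-lists for known pollers such as update services.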