Researchers spot PowMix botnet targeting Czech workers

Cybersecurity researchers said a previously undocumented botnet called PowMix has been used in an active campaign against workers in the Czech Republic since at least December 2025, with the malware designed to support remote access, reconnaissance and remote code execution.

KEY FACTS

  • Targeting: The campaign has focused on the Czech Republic.
  • Delivery: Infections start with a malicious ZIP file, likely sent in a phishing email.
  • Behavior: PowMix uses randomized beaconing and embeds encrypted heartbeat data in URL paths.
  • Commands: It supports #KILL for self-deletion and #HOST for C2 migration.

A technical analysis from Cisco Talos said the attack chain begins with a ZIP archive that drops a Windows shortcut (LNK) file, which in turn launches a PowerShell loader. The loader extracts the malware, decrypts it and runs it in memory.

The report said PowMix creates persistence through a scheduled task and checks the process tree to avoid running multiple copies on the same host. It also opens a decoy document with compliance-themed lures, including references to legitimate brands, compensation data and legislative material.

PowMix does not maintain a persistent connection to its command server. Instead, the report said it uses jittered beaconing intervals that start in the 0 to 261 second range and later widen to 1,075 to 1,450 seconds, a tactic meant to make the traffic harder to pick out on the network.
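The two traffic traits described above, the jittered check-in timing and the opaque heartbeat data carried in URL paths, can be turned into a simple hunting check over proxy logs. The script below is an added example, not code from the Talos report or this article; it assumes a constructed log format of "timestamp source destination path" and uses made-up hostnames and paths, scoring each source/destination pair by how many inter-request gaps fall inside the reported interval windows and how many paths end in a long, high-entropy segment.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime

# Beacon interval windows (seconds) reported for PowMix: early phase, then later phase.
INITIAL_WINDOW, STEADY_WINDOW = (0, 261), (1075, 1450)
# Constructed sample proxy log: "<ISO timestamp> <source host> <destination> <URL path>".
# Hostnames and paths are made up; only their timing and shape matter here.
SAMPLE_LOG = """\
2025-12-03T08:00:00 ws-17 app-x.example.net /a/Qm93TWl4SGVhcnRiZWF0MDAx
2025-12-03T08:03:05 ws-17 app-x.example.net /a/Z3d4c2RmZ2hqa2w5ODc2NTQz
2025-12-03T08:23:20 ws-17 app-x.example.net /a/cXdlcnR5dWlvcGFzZGZnaGpr
2025-12-03T08:45:40 ws-17 app-x.example.net /a/emN2Ym5tMTIzNDU2Nzg5MDEy
2025-12-03T09:07:30 ws-17 app-x.example.net /a/bG1ub3BxcnN0dXZ3eHl6YWJj
2025-12-03T08:00:00 ws-22 intranet.example.local /index.html
2025-12-03T08:10:00 ws-22 intranet.example.local /news
"""

def parse_log(text):
    """Group (timestamp, path) events by (source, destination) pair."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, path = line.split()
        sessions[(src, dst)].append((datetime.fromisoformat(ts), path))
    return sessions

def shannon_entropy(s):
    """Bits per character; encoded or encrypted segments score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_opaque(path, min_len=16, min_entropy=3.5):
    """True when the last path segment is long and high-entropy, like an embedded blob."""
    segment = path.rsplit("/", 1)[-1]
    return len(segment) >= min_len and shannon_entropy(segment) >= min_entropy

def assess_session(events, min_steady=3):
    """Count intervals inside the PowMix windows and opaque paths for one src/dst pair."""
    events = sorted(events)
    deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    initial = sum(INITIAL_WINDOW[0] <= d <= INITIAL_WINDOW[1] for d in deltas)
    steady = sum(STEADY_WINDOW[0] <= d <= STEADY_WINDOW[1] for d in deltas)
    opaque = sum(looks_opaque(p) for _, p in events)
    # Flag when enough intervals sit in the later-phase window and most paths look encrypted.
    suspicious = steady >= min_steady and opaque > len(events) / 2
    return {"intervals": deltas, "initial_hits": initial, "steady_hits": steady,
            "opaque_paths": opaque, "suspicious": suspicious}

def find_beacons(text):
    return {k: r for k, v in parse_log(text).items() if (r := assess_session(v))["suspicious"]}
```

Thresholds such as the minimum segment length and entropy are starting points to tune against your own baseline traffic; short static paths like /index.html are skipped by the length check alone.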

Talos said the campaign overlaps in some ways with the ZipLine operation disclosed by Check Point in August 2025, including ZIP-based delivery, scheduled task persistence and use of Heroku for command and control. No final payloads beyond the botnet malware have been observed, leaving the purpose of the operation unclear.

WHY IT MATTERS

The findings show how threat actors are combining phishing-style delivery, in-memory execution and evasive beaconing to make malware harder to detect and remove. The campaign also leaves open whether the botnet is a platform for later attacks or a standalone operation.