Attack summary flow chart | Image: Cisco Talos
Cybersecurity researchers have pulled back the curtain on a sophisticated, previously undocumented botnet that has been silently compromising organizations across the Czech Republic for months. Dubbed “PowMix,” the malware has been operating under the radar since at least December 2025, using advanced evasion techniques and psychological lures to infiltrate HR, legal, and recruitment departments.
A new investigative report from Cisco Talos reveals that the campaign is not merely a random strike but a highly targeted operation that weaponizes the trust of job seekers and compliance professionals.
The threat actors behind PowMix demonstrate a deep understanding of their targets’ professional environment. By impersonating the well-known EDEKA brand and referencing authentic regulatory frameworks such as the Czech Data Protection Act, the attackers deploy decoy documents designed to deceive even the most cautious employees.
In many cases, the lures include legitimate compensation data and legislative references to entice job aspirants in the IT, finance, and logistics sectors. These documents serve as a distraction mechanism while the actual infection chain executes in the background.
The infection begins with a malicious ZIP file containing a Windows shortcut (LNK). When the victim runs the shortcut, it triggers a PowerShell loader that extracts the botnet from a hidden data blob within the archive.
To ensure it can operate without interference, the loader immediately targets the Windows Antimalware Scan Interface (AMSI). Using a reflection technique, the script locates the AmsiUtils class and manually sets the amsiInitFailed field to true.
As the report explains, “This action deceives the Windows security subsystem into thinking that AMSI has not initialized, which disables real-time scanning of subsequent commands”. This allows the malware to run purely in memory, invisible to standard endpoint detection and response (EDR) solutions.
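Because the bypass described above lives in script text rather than on disk, the most direct place to catch it is PowerShell script block logging. The following detector is an added example, not code from the Talos report: it scans constructed script block logging events (event ID 4104, an assumption about the telemetry source) for the two identifiers the report names, AmsiUtils and amsiInitFailed, and flags a host only when a single script block references both.

```python
import re
from dataclasses import dataclass

# Indicators named in the report: the AmsiUtils class and its amsiInitFailed field.
# Matching is case-insensitive because PowerShell identifiers are.
AMSI_TAMPER_INDICATORS = {
    "AmsiUtils": re.compile(r"amsiutils", re.IGNORECASE),
    "amsiInitFailed": re.compile(r"amsiinitfailed", re.IGNORECASE),
}

# Assumption: script block text arrives as PowerShell Operational event 4104.
SCRIPT_BLOCK_EVENT_ID = 4104


@dataclass
class PowerShellEvent:
    event_id: int
    host: str
    script_block_text: str


def amsi_indicators(event):
    """Return the indicator names present in one script block logging event."""
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        return []
    return [name for name, pattern in AMSI_TAMPER_INDICATORS.items()
            if pattern.search(event.script_block_text)]


def find_amsi_tampering(events):
    """Flag (host, indicators) where one script block names both the class and the field."""
    hits = []
    for event in events:
        found = amsi_indicators(event)
        if len(found) == len(AMSI_TAMPER_INDICATORS):
            hits.append((event.host, found))
    return hits


# Constructed sample events (hostnames and script text are invented, not real log data).
SAMPLE_EVENTS = [
    PowerShellEvent(4104, "ws-hr-01", "Get-ChildItem -Path 'C:\\Reports' -Filter *.xlsx"),
    PowerShellEvent(4104, "ws-hr-02",
                    "# constructed excerpt: reflection on AmsiUtils, then amsiInitFailed set to $true"),
    # Only one of the two terms: an audit comment, not flagged.
    PowerShellEvent(4104, "ws-legal-03", "Write-Host 'AmsiUtils audit note'"),
    # Both terms but in a module logging (4103) event: outside this detector's scope.
    PowerShellEvent(4103, "ws-hr-04", "AmsiUtils amsiInitFailed"),
]

if __name__ == "__main__":
    for host, indicators in find_amsi_tampering(SAMPLE_EVENTS):
        print(f"{host}: possible AMSI tampering ({', '.join(indicators)})")
```

Plain string matching is a baseline, not a complete control: script block logging must be enabled by policy for these events to exist at all, and a production rule should also cover the same identifiers when they are assembled at runtime or encoded, which this example does not attempt.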
PowMix is designed for longevity and stealth. Unlike traditional botnets that maintain constant contact with a server, “PowMix employs randomized command-and-control (C2) beaconing intervals, rather than persistent connection to the C2 server, to evade the network signature detections”.
The communication logic is particularly clever:
- REST API Mimicry: The malware embeds encrypted heartbeat data and unique victim machine identifiers directly into C2 URL paths, effectively “mimicking legitimate REST API URLs” to blend in with normal web traffic.
- Jitter and Beaconing: It uses the Get-Random command to vary its beaconing intervals, ranging from a few seconds to over 24 minutes, to break the predictable patterns that network defenders look for.
- Heroku Abuse: Much like the earlier ZipLine campaign, PowMix leverages the legitimate cloud platform Heroku to host its infrastructure.
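Randomized intervals defeat detections that look for a fixed beacon period, but the two other traits described above, a single client repeatedly contacting one host and every request carrying a fresh high-entropy token in its path, are still visible in proxy logs. The script below is an added example, not part of the Talos report: it groups constructed proxy log lines by (client, host), measures the spread of the gaps between requests (8 seconds to 24 minutes in the sample, mirroring the range the report describes), the share of unique paths, and the entropy of the most random path segment, then flags pairs that look like jittered beaconing. The herokuapp.com subdomain and the client addresses are placeholders.

```python
import math
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not from the Talos report). Format per line:
# <ISO-8601 UTC timestamp> <client IP> <method> <URL>
# Client 10.1.4.22 talks to a placeholder herokuapp.com host at irregular gaps with a
# fresh 12-character token in every path; client 10.1.4.23 browses a placeholder site
# with repeated, human-looking paths.
SAMPLE_LOG = """\
2026-01-12T08:00:03Z 10.1.4.22 GET https://placeholder-app.herokuapp.com/api/v1/session/3f9a1c7e2b4d
2026-01-12T08:00:11Z 10.1.4.22 GET https://placeholder-app.herokuapp.com/api/v1/session/a81e0d5c6f92
2026-01-12T08:01:46Z 10.1.4.22 GET https://placeholder-app.herokuapp.com/api/v1/session/7c2b9e4f1a6d
2026-01-12T08:25:46Z 10.1.4.22 GET https://placeholder-app.herokuapp.com/api/v1/session/e5d0a3b8c1f7
2026-01-12T08:26:00Z 10.1.4.22 GET https://placeholder-app.herokuapp.com/api/v1/session/19f4c8e7d2a6
2026-01-12T08:36:00Z 10.1.4.22 GET https://placeholder-app.herokuapp.com/api/v1/session/b6e2d9a0f5c3
2026-01-12T08:00:05Z 10.1.4.23 GET https://www.example.com/index.html
2026-01-12T08:00:09Z 10.1.4.23 GET https://www.example.com/about
2026-01-12T08:00:20Z 10.1.4.23 GET https://www.example.com/contact
2026-01-12T08:03:00Z 10.1.4.23 GET https://www.example.com/index.html
2026-01-12T08:04:10Z 10.1.4.23 GET https://www.example.com/about
"""


def shannon_entropy(text):
    """Bits of entropy per character; random hex tokens score higher than words."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, _method, url = line.split()
    parts = urlsplit(url)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, parts.hostname, parts.path


def analyze(log_text):
    """Per (client, host): request count, path uniqueness, token entropy, gap statistics."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, host, path = parse_line(line)
            by_pair[(client, host)].append((ts, path))
    stats = {}
    for pair, requests in by_pair.items():
        requests.sort()
        times = [r[0] for r in requests]
        paths = [r[1] for r in requests]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Entropy of the most random segment of each path (the embedded identifier, if any).
        token_entropy = [max(shannon_entropy(seg) for seg in p.strip("/").split("/")) for p in paths]
        stats[pair] = {
            "requests": len(requests),
            "unique_path_ratio": len(set(paths)) / len(paths),
            "mean_token_entropy": mean(token_entropy),
            "interval_min": min(gaps) if gaps else 0.0,
            "interval_max": max(gaps) if gaps else 0.0,
            # Coefficient of variation: near 0 for a fixed period, large for jittered beacons.
            "interval_cv": (pstdev(gaps) / mean(gaps)) if len(gaps) > 1 and mean(gaps) > 0 else 0.0,
        }
    return stats


def flag_jittered_beacons(stats, min_requests=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Pairs with many requests, almost all on distinct paths carrying a high-entropy segment."""
    return sorted(pair for pair, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["unique_path_ratio"] >= min_unique_ratio
                  and s["mean_token_entropy"] >= min_entropy)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for client, host in flag_jittered_beacons(results):
        s = results[(client, host)]
        print(f"{client} -> {host}: {s['requests']} requests, gaps {s['interval_min']:.0f}-"
              f"{s['interval_max']:.0f}s (cv {s['interval_cv']:.2f}), "
              f"unique paths {s['unique_path_ratio']:.0%}")
```

The thresholds are illustrative and should be tuned against a baseline of the organization's own traffic; legitimate single-page applications also generate many unique API paths to one host, so in practice this score is a starting point for triage (combined with the destination's reputation and the absence of a browser user agent or referrer), not an alert on its own.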
PowMix provides the attacker with a versatile toolkit for remote management. The botnet facilitates two specific administrative commands:
- #KILL: This command triggers a “self-deletion routine” that unregisters the scheduled task used for persistence and wipes the malware’s directory, leaving investigators empty-handed.
- #HOST: This enables C2 infrastructure migration. By remotely updating the configuration file with a new domain, the botnet can “evade domain blacklisting” and move to a clean server without losing its victims.
Researchers noted significant tactical overlaps between PowMix and the ZipLine (MixShell) campaign reported in 2025. These similarities—including ZIP-based payload concealment, Windows-scheduled task persistence, and the abuse of herokuapp.com—suggest that the actors behind PowMix are refining a proven and successful strategy.
While the ultimate goal of the campaign remains unknown, the focus on HR and recruitment indicates a primary interest in corporate espionage, data exfiltration, or establishing a foothold for future lateral movement.