VYPR Research
Published Apr 16, 2026 · Updated May 18, 2026 · 1 source

PowMix Botnet Targets Czech Organizations with Evasive C2 and AMSI-Bypassing Loader

Cisco Talos has uncovered PowMix, a previously undocumented botnet targeting Czech organizations since December 2025, using randomized C2 beaconing and AMSI-bypassing PowerShell loaders.

Cisco Talos has discovered a previously undocumented botnet, dubbed "PowMix," that has been actively targeting organizations in the Czech Republic since at least December 2025. The campaign, detailed in a new Talos report, employs a sophisticated multi-stage infection chain designed to evade detection at every stage, from initial compromise to command-and-control (C2) communication.

The PowMix botnet is delivered via a PowerShell loader triggered by a malicious Windows shortcut (LNK) file, likely distributed through phishing emails. The loader first copies a ZIP archive to the victim's ProgramData folder, then extracts and executes the PowMix payload directly in memory. Crucially, the loader employs a reflection-based AMSI (Antimalware Scan Interface) bypass, setting the `amsiInitFailed` field to `true` to disable real-time scanning by Windows Defender and other endpoint detection and response (EDR) solutions.
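As an added example (not code from the Talos report or from this summary), the following triage routine runs over constructed PowerShell script-block log entries (event 4104) and flags the reflective `amsiInitFailed` tampering described above, including the common case where the field name is split across concatenated strings; the sample events, the `$t`/`$f` variable names and the severity labels are assumptions for illustration.

```python
import re

# Constructed sample script-block log entries (PowerShell Operational event
# 4104, ScriptBlockText). These are illustrative, not captures from PowMix.
SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-ChildItem $env:ProgramData | Where-Object { $_.Name -like '*.zip' }"},
    {"id": 2, "text": "$f = $t.GetField('amsiInitFailed','NonPublic,Static'); $f.SetValue($null,$true)"},
    {"id": 3, "text": "$f = $t.GetField(('amsiInit'+'Fai'+'led'),'NonPublic,Static'); $f.SetValue($null,$true)"},
    {"id": 4, "text": "Expand-Archive -Path \"$env:ProgramData\\pkg.zip\" -DestinationPath $env:ProgramData\\pkg"},
]


def normalize(text: str) -> str:
    """Collapse trivial obfuscation (string splitting with +, quoting, backticks,
    whitespace, parentheses, letter case) so token matching sees the joined name."""
    return re.sub(r"[\s'\"`+()]", "", text).lower()


def classify(text: str) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one script block.

    'high' : reflective tampering with the AMSI initialization state
    'low'  : archive extraction under ProgramData (matches the loader's first
             stage, but is also common in benign installers, so it is only a lead)
    'none' : nothing matched
    """
    n = normalize(text)
    reasons = []
    if "amsiinitfailed" in n:
        reasons.append("amsiInitFailed field referenced")
    if "amsiutils" in n:
        reasons.append("AmsiUtils type referenced")
    if "getfield" in n and "nonpublic" in n and "setvalue" in n:
        reasons.append("reflective write to a non-public static field")
    if reasons:
        return "high", reasons
    if "expand-archive" in n and "programdata" in n:
        return "low", ["archive extracted under ProgramData"]
    return "none", []


def triage(events: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """Map event id -> (severity, reasons) for every event that matched something."""
    out = {}
    for ev in events:
        sev, reasons = classify(ev["text"])
        if sev != "none":
            out[ev["id"]] = (sev, reasons)
    return out


if __name__ == "__main__":
    for eid, (sev, reasons) in triage(SAMPLE_EVENTS).items():
        print(f"event {eid}: {sev} -> {'; '.join(reasons)}")
```

Script-block logging must be enabled for these events to exist; the normalization step is deliberately aggressive, so treat a "high" hit as a pivot point for reviewing the full script block rather than as proof on its own.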

Once active, PowMix communicates with its C2 server in a way designed to blend into ordinary web traffic. Instead of maintaining a persistent connection, it beacons at randomized intervals and embeds encrypted heartbeat data, including unique victim machine identifiers, in URL paths that mimic legitimate REST API requests. The botnet can also update its C2 domain dynamically, allowing the attackers to rotate infrastructure and evade network-based signature detections.

Talos observed that the campaign abuses the legitimate cloud platform Heroku for C2 operations, hosting malicious domains under `herokuapp.com`. The attackers have also employed compliance-themed lures, impersonating the EDEKA brand and referencing the Czech Data Protection Act, to target victims in human resources, legal, and recruitment agencies. Decoy documents include compensation data and legislative references to entice job aspirants across IT, finance, and logistics sectors.

Tactical overlaps with the previously reported ZipLine campaign, which deployed the MixShell malware, were identified. These include identical ZIP-based payload concealment, Windows scheduled task persistence, CRC32-based BOT ID generation, and the abuse of Heroku for C2 infrastructure. However, Talos noted that the final payload's intent in the PowMix campaign remains unknown, as the attacker's ultimate objective was not observed.

The discovery of PowMix highlights the continued evolution of botnet operations, with threat actors adopting increasingly sophisticated evasion techniques and leveraging legitimate cloud services for infrastructure. The targeting of Czech organizations across multiple sectors suggests a broad, opportunistic campaign, and the use of AMSI bypass and randomized C2 beaconing underscores the need for advanced detection capabilities beyond traditional signature-based methods.

Synthesized by Vypr AI