Newly Discovered PowMix Botnet Hits Czech Workers Using Randomized C2 Traffic
Briefly

"PowMix employs randomized command-and-control (C2) beaconing intervals, rather than a persistent connection to the C2 server, to evade network signature detections."
"The attack chain begins with a malicious ZIP file, likely delivered via a phishing email, to activate a multi-stage infection chain that drops PowMix."
"PowMix's remote management logic allows it to process two different kinds of commands sent from the C2 server."
"In parallel, it also opens a decoy document with compliance-themed lures as a distraction mechanism."
PowMix is a previously undocumented botnet actively targeting the workforce in the Czech Republic since December 2025. It employs randomized command-and-control beaconing intervals to evade detection. The attack begins with a malicious ZIP file delivered via phishing, leading to a multi-stage infection. PowMix facilitates remote access and code execution while ensuring persistence. It can dynamically update its C2 domain and execute commands from the C2 server, including self-deletion and server migration. Additionally, it uses decoy documents to distract victims.
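Randomized beacon intervals defeat detections that look for a fixed period, but the sleep is still bounded, so the gaps between connections cluster far more tightly than human browsing does. The following added example (not code from the article or from the PowMix report) flags (source, destination) pairs whose inter-connection gaps are numerous and have low dispersion; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed log lines, not real traffic: "<seconds> <src_ip> <dst_ip:port>".
# 10.0.0.5 contacts a hypothetical server every 60-120 s (randomized sleep);
# 10.0.0.7 shows irregular, human-driven connections to a hypothetical web host.
SAMPLE_LOG = """\
0 10.0.0.5 203.0.113.9:443
75 10.0.0.5 203.0.113.9:443
190 10.0.0.5 203.0.113.9:443
255 10.0.0.5 203.0.113.9:443
370 10.0.0.5 203.0.113.9:443
440 10.0.0.5 203.0.113.9:443
540 10.0.0.5 203.0.113.9:443
650 10.0.0.5 203.0.113.9:443
0 10.0.0.7 198.51.100.20:443
3 10.0.0.7 198.51.100.20:443
8 10.0.0.7 198.51.100.20:443
400 10.0.0.7 198.51.100.20:443
402 10.0.0.7 198.51.100.20:443
1300 10.0.0.7 198.51.100.20:443
1305 10.0.0.7 198.51.100.20:443
1900 10.0.0.7 198.51.100.20:443
"""

def interval_stats(timestamps):
    """Return (mean gap, coefficient of variation) for the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or (mean := statistics.mean(gaps)) <= 0:
        return None
    return mean, statistics.stdev(gaps) / mean

def detect_beacons(log_text, min_conns=8, max_cv=0.5):
    """Flag (src, dst) pairs with many connections whose gaps are tightly clustered.
    A dispersion bound (stdev / mean) replaces an exact-period match, so jitter still trips it."""
    seen = defaultdict(list)
    for line in log_text.strip().splitlines():
        t, src, dst = line.split()
        seen[(src, dst)].append(float(t))
    flagged = {}
    for pair, ts in seen.items():
        if len(ts) < min_conns:
            continue
        stats = interval_stats(ts)
        if stats and stats[1] <= max_cv:
            flagged[pair] = {"count": len(ts), "mean_gap": stats[0], "cv": stats[1]}
    return flagged
```

Tune `min_conns` and `max_cv` against a baseline of your own traffic; very long sleeps or a wide jitter range raise the dispersion and need a looser bound and a longer observation window.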
Read at The Hacker News