Cybersecurity researchers have uncovered a significant resurgence of the Prometei botnet, a sophisticated malware operation targeting Linux servers for cryptocurrency mining and credential theft.
This latest campaign, observed since March 2025, demonstrates the evolving nature of cryptomining malware and its persistent threat to enterprise infrastructure worldwide.
The Prometei botnet is a dual-threat malware family with both Linux and Windows variants, designed primarily to hijack computing resources for Monero cryptocurrency mining while simultaneously stealing credentials from compromised systems.
Palo Alto Networks analysts identified this new wave of attacks in March 2025, noting significant improvements in the malware's stealth capabilities and operational sophistication compared with earlier iterations.
The botnet uses a modular architecture that lets attackers remotely control infected systems, deploy additional payloads, and maintain persistent access to compromised networks.
First discovered in July 2020, when the Windows variant appeared, Prometei gained a Linux version in December 2020 that has been under continuous development since.
The malware uses multiple attack vectors, including brute-force credential attacks, exploitation of the EternalBlue vulnerability associated with WannaCry ransomware, and abuse of Server Message Block (SMB) protocol weaknesses to achieve lateral movement within target networks.
This multi-pronged approach lets Prometei rapidly expand its footprint once it gains initial access to an organization's systems.
The financial motivation behind Prometei appears clear: researchers found no evidence linking the botnet to nation-state actors.
Instead, the campaign shows the characteristics of a profit-driven cybercriminal enterprise that monetizes compromised infrastructure through cryptocurrency mining while opportunistically harvesting valuable credentials for secondary exploitation or sale on underground markets.
The current iteration adds evasion techniques including a domain generation algorithm (DGA) that makes its command-and-control (C2) infrastructure resilient to takedown, and a self-update capability that lets the malware adapt dynamically to security defenses.
These enhancements make detection and mitigation significantly harder for traditional security tools.
Technical Infection Mechanism and Distribution
The latest Prometei variants use distribution and unpacking mechanisms that significantly complicate analysis.
The malware is distributed via an HTTP GET request to a specific server at hxxp[://]103.41.204[.]104/ok.php?a=x86_64; a variant of the request allows dynamic ParentID assignment by appending a comma-separated value to the same parameter (hxxp[://]103.41.204[.]104/ok.php?a=x86_64,<ParentID>).
Interpretation of the UPX PackHeader and overlay_offset trailer for the sample (Source: Palo Alto Networks)
Despite the misleading .php filename, the payload is a 64-bit ELF executable built for Linux systems; the extension is a deliberate obfuscation tactic.
The malware is compressed with the Ultimate Packer for eXecutables (UPX) to reduce file size and complicate static analysis.
However, the sample carries a modification that prevents standard UPX decompression tools from working correctly.
The developers append a custom JSON configuration trailer to the packed executable. UPX expects its PackHeader and the overlay_offset value at the very end of the file, so the appended data prevents the upx -d tool from locating that metadata and it refuses to unpack the sample.
The configuration trailer holds operational parameters that vary between malware versions. Version two supported basic fields such as config, id, and enckey; versions three and four add ParentId, ParentHostname, ParentIp, and ip.
These additions enable more sophisticated command-and-control communication and a hierarchical (parent/child) botnet structure.
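Recovering the standard UPX layout from a sample with this trailer, as an added example (not Unit 42's tooling and not code from the article): it scans backwards for a checksum-valid PackHeader, cuts the file right after the overlay_offset dword that follows it so that upx -d sees the tail it expects, and parses the JSON that was appended. It assumes the 32-byte little-endian PackHeader layout UPX writes for ELF targets. The input is a constructed stand-in, not a real Prometei binary, and the v2/v3+ key heuristic is only the field split the article describes.

```python
import json
import struct

UPX_MAGIC = b"UPX!"
# PackHeader layout UPX writes at the tail of ELF targets (header version >= 10);
# little-endian for x86_64. Field order: magic, version, format, method, level,
# u_adler, c_adler, u_len, c_len, u_file_size, filter, filter_cto, n_mru, header_checksum
PACKHEADER_FMT = "<4sBBBBIIIIIBBBB"
PACKHEADER_SIZE = struct.calcsize(PACKHEADER_FMT)          # 32 bytes
PACKHEADER_FIELDS = ("magic", "version", "format", "method", "level",
                     "u_adler", "c_adler", "u_len", "c_len", "u_file_size",
                     "filter", "filter_cto", "n_mru", "header_checksum")
OVERLAY_OFFSET_SIZE = 4   # LE32 overlay_offset UPX writes immediately after the PackHeader

# Field names the article attributes to trailer version 2 and to versions 3/4 (heuristic only)
V2_KEYS = {"config", "id", "enckey"}
V3_PLUS_KEYS = {"ParentId", "ParentHostname", "ParentIp", "ip"}


def packheader_checksum(hdr: bytes) -> int:
    """UPX header checksum: sum of the bytes after the 4-byte magic, excluding the
    trailing checksum byte itself, modulo 251."""
    return sum(hdr[4:PACKHEADER_SIZE - 1]) % 251


def find_packheader(data: bytes) -> int:
    """Offset of the last PackHeader whose checksum verifies. The appended JSON has
    pushed the header away from EOF, so scan backwards for the magic and reject
    stray 'UPX!' strings (e.g. inside the trailer) by checksum."""
    pos = len(data)
    while True:
        pos = data.rfind(UPX_MAGIC, 0, pos)
        if pos < 0:
            raise ValueError("no valid UPX PackHeader found")
        hdr = data[pos:pos + PACKHEADER_SIZE]
        if len(hdr) == PACKHEADER_SIZE and hdr[-1] == packheader_checksum(hdr):
            return pos


def split_trailer(data: bytes):
    """Return (packed_elf, packheader, config): packed_elf is the sample truncated
    right after PackHeader + overlay_offset, the layout upx -d expects; config is
    the parsed JSON that was appended after it."""
    pos = find_packheader(data)
    end = pos + PACKHEADER_SIZE + OVERLAY_OFFSET_SIZE
    if end > len(data):
        raise ValueError("file ends before the overlay_offset dword")
    packheader = dict(zip(PACKHEADER_FIELDS, struct.unpack_from(PACKHEADER_FMT, data, pos)))
    (overlay_offset,) = struct.unpack_from("<I", data, pos + PACKHEADER_SIZE)
    if overlay_offset >= pos:   # must point inside the packed image, before the header
        raise ValueError("overlay_offset 0x%x points outside the packed image" % overlay_offset)
    packheader["overlay_offset"] = overlay_offset
    trailer = data[end:].strip(b"\x00")
    config = json.loads(trailer.decode("utf-8")) if trailer else {}
    return data[:end], packheader, config


def trailer_generation(config: dict) -> str:
    """Which trailer generation the field set suggests, per the article's description."""
    keys = set(config)
    if keys & V3_PLUS_KEYS:
        return "v3+"
    if keys & V2_KEYS:
        return "v2"
    return "unknown"


def build_constructed_sample() -> bytes:
    """CONSTRUCTED input, not a real Prometei binary: a fake ELF image, a correctly
    checksummed PackHeader (format 22 is UPX's ELF64/amd64 id), the overlay_offset,
    then a JSON trailer using the field names the article lists. The trailer
    deliberately contains a decoy 'UPX!' to exercise find_packheader()."""
    image = b"\x7fELF\x02\x01\x01" + b"\x00" * 57            # fake 64-byte ELF header
    image += b"LOADER+COMPRESSED-BLOCKS".ljust(64, b"\x90")  # stand-in for the packed body
    overlay_offset = 64
    body = struct.pack(PACKHEADER_FMT[:-1], UPX_MAGIC, 14, 22, 2, 8,
                       0x11111111, 0x22222222, 0x2000, 0x1000, 0x2000, 0, 0, 0)
    packheader = body + bytes([sum(body[4:]) % 251])
    trailer = (b'{"ParentId":"0x1f","ParentHostname":"build-01","ParentIp":"192.0.2.10",'
               b'"ip":"198.51.100.7","id":"node-7","config":"mine","enckey":"UPX!k3y"}')
    return image + packheader + struct.pack("<I", overlay_offset) + trailer


if __name__ == "__main__":
    packed, hdr, cfg = split_trailer(build_constructed_sample())
    print("PackHeader:", hdr)
    print("trailer generation:", trailer_generation(cfg), cfg)
    print("packed ELF: %d bytes; write it out and run upx -d on it" % len(packed))
```

Write the packed part to disk and run upx -d on it; the config dict gives the node's ParentId and ParentIp without executing anything. If the recovered version or format fields look implausible for the sample, treat the checksum hit as a coincidence and inspect the tail by hand.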
Once successfully deployed, Prometei performs thorough system reconnaissance: it gathers processor information from /proc/cpuinfo, motherboard details with dmidecode --type baseboard, operating system details from /etc/os-release or /etc/redhat-release, system uptime, and kernel information with uname -a.
This intelligence lets the malware tune its mining operations to the available hardware and gives the attackers a detailed map of the infrastructure for lateral movement.
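That command set is a detection opportunity. As an added example (not from the article or Palo Alto Networks), the following correlates process-execution telemetry and alerts when one parent process runs three or more of these reconnaissance commands within a minute. The log lines and their "timestamp pid ppid cmdline" format are constructed for the example; map your own EDR or auditd export into that shape.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CONSTRUCTED process-execution log for this example (not real telemetry).
# One exec per line: "ISO-8601 timestamp  pid  ppid  command line".
SAMPLE_LOG = """\
2025-03-12T09:14:02 4101 4100 cat /proc/cpuinfo
2025-03-12T09:14:02 4102 4100 dmidecode --type baseboard
2025-03-12T09:14:03 4103 4100 cat /etc/os-release
2025-03-12T09:14:03 4104 4100 cat /etc/redhat-release
2025-03-12T09:14:03 4105 4100 uptime
2025-03-12T09:14:04 4106 4100 /usr/bin/uname -a
2025-03-12T09:30:15 5200 5199 uname -a
2025-03-12T11:02:40 6300 6299 cat /etc/os-release
2025-03-12T11:02:41 6301 6299 ls -la /tmp
"""

# The reconnaissance artefacts the article lists, one category each
RECON_PATTERNS = {
    "cpu":    re.compile(r"/proc/cpuinfo"),
    "board":  re.compile(r"(^|/)dmidecode\b.*(--type|-t)\s*baseboard"),
    "os":     re.compile(r"/etc/(os-release|redhat-release)"),
    "uptime": re.compile(r"(^|/)uptime\b|/proc/uptime"),
    "kernel": re.compile(r"(^|/)uname\s+-a\b"),
}
WINDOW = timedelta(seconds=60)   # how close together the commands must be
MIN_CATEGORIES = 3               # distinct categories needed before alerting

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(.+)$")


def parse_log(text):
    """Turn the constructed log into (timestamp, pid, ppid, cmdline) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, pid, ppid, cmd = m.groups()
            events.append((datetime.fromisoformat(ts), int(pid), int(ppid), cmd))
    return events


def classify(cmdline):
    """Recon category for a command line, or None if it is not one we track."""
    for category, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return category
    return None


def find_recon_bursts(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Alert when a single parent process drives >= min_categories distinct recon
    categories inside `window`. Grouping by parent matters: each command is a
    separate short-lived child, so no single exec looks suspicious on its own."""
    by_parent = defaultdict(list)
    for ts, pid, ppid, cmd in sorted(events):
        category = classify(cmd)
        if category:
            by_parent[ppid].append((ts, category, cmd))
    alerts = []
    for ppid, hits in by_parent.items():
        for i, (start, _, _) in enumerate(hits):
            span = [h for h in hits[i:] if h[0] - start <= window]
            categories = {c for _, c, _ in span}
            if len(categories) >= min_categories:
                alerts.append({
                    "ppid": ppid,
                    "start": start,
                    "categories": sorted(categories),
                    "commands": [c for _, _, c in span],
                })
                break   # one alert per parent is enough
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(parse_log(SAMPLE_LOG)):
        print("recon burst from ppid %d at %s: %s" % (
            alert["ppid"], alert["start"].isoformat(), ", ".join(alert["commands"])))
```

Reads of /proc/cpuinfo or /etc/os-release made directly by the implant, rather than through cat, never appear in an exec log; pair this with file-access auditing (for instance an auditd watch on those paths) to cover that case, and tune MIN_CATEGORIES against your own inventory agents, which legitimately run uname and dmidecode.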