An up to date variant of the Prometei malware is making the rounds, and exercise related to the botnet has surged over the previous months, Palo Alto Networks experiences.
A modular botnet initially found in July 2020, Prometei targets each Home windows and Linux methods for an infection, primarily for cryptocurrency mining and credential exfiltration.
The newest model of the malware, nevertheless, features a backdoor for extra malicious actions, integrates self-updating options, and depends on a website era algorithm (DGA) for command-and-control (C&C) server connectivity.
Prometei’s varied modules permit it to brute-force administrator passwords, exploit vulnerabilities, transfer laterally, steal victims’ information, set up C&C communication, and mine for cryptocurrency (notably Monero).
A February 2025 evaluation of a current malware pattern revealed that it was attaining persistence by making a service and a scheduled cron job, lacked a hardcoded mining pool, and will course of extra instructions obtained from its operators.
The newest iteration of the risk, noticed in March 2025, is packed utilizing Final Packer for eXecutables (UPX), which makes it smaller, Palo Alto Networks says.
Focusing on Linux methods, it decompresses itself in reminiscence throughout runtime and executes the ultimate payload, in order that the botnet can begin its operations.
The malware harvests broad system data, together with processor and motherboard data, OS particulars, system uptime information, and Linux kernel data. The information is shipped to the C&C server through an HTTP GET request.Commercial. Scroll to proceed studying.
The brand new Prometei model additionally reveals a deal with evading detection, whereas its emergence and spike in exercise display that it’s beneath lively improvement, Palo Alto Networks says.
“Whereas its major purpose is cryptocurrency (Monero) mining, Prometei additionally possesses secondary capabilities, akin to stealing credentials and deploying extra malware payloads. We assess that Prometei’s operations seem pushed by monetary achieve, and there’s no proof of ties to nation-state actors,” the cybersecurity agency notes.
Associated: Chinese language APT Hacking Routers to Construct Espionage Infrastructure
Associated: Latest Langflow Vulnerability Exploited by Flodrix Botnet
Associated: Not too long ago Disrupted DanaBot Leaked Useful Knowledge for 3 Years
Associated: 40,000 Safety Cameras Uncovered to Distant Hacking
