The Prometei botnet has experienced a notable resurgence in 2025, particularly with its Linux variant, marking it as a persistent and evolving threat to organizations worldwide. Originally discovered in July 2020 primarily targeting Windows systems, Prometei expanded to Linux in December 2020 and has since continued to evolve both in scope and technical sophistication.
Key Features and Capabilities
Prometei is built with a modular design, allowing attackers to update or replace individual components—such as those for credential brute-forcing, vulnerability exploitation, cryptocurrency mining, data theft, and command-and-control (C2) communication—without disrupting the overall botnet functionality. The latest versions (three and four) include a backdoor for remote control, domain generation algorithms (DGA) for resilient C2 infrastructure, and self-updating features that help the malware evade detection and adapt to security measures.
Prometei uses techniques such as brute-forcing credentials and exploiting vulnerabilities like EternalBlue and Server Message Block (SMB) flaws to spread within networks and maintain persistence. The primary objective remains cryptojacking, specifically mining Monero, but Prometei also has secondary capabilities such as credential theft and deploying additional malware payloads.
The botnet has infected over 10,000 systems globally, with notable activity in Brazil, Indonesia, and Turkey, and continues to target systems with inadequate cybersecurity practices.
Technical Details
• Delivery and Execution: The malware is distributed via HTTP GET requests from specific servers (e.g., hxxp://103.41.204.104/k.php) and operates as a 64-bit ELF file on Linux systems. It uses Ultimate Packer for eXecutables (UPX) compression to reduce file size and complicate static analysis.
• Data Collection: Prometei collects extensive system information, including processor details, OS data, and uptime statistics, which are sent to C2 servers.
• Custom Configuration: Recent versions include a custom JSON configuration trailer, adding another layer of complexity to analysis and unpacking.
Impact and Response
Organizations are encouraged to monitor for Indicators of Compromise (IoCs), including specific malware hashes and C2 URLs, and to contact incident response teams if compromise is suspected.
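As an added defender-side example (not code from the report or from the Prometei authors), the Python triage script below ties the technical details above to the monitoring advice: it hashes a file and compares it with the two SHA-256 IoCs the report lists, checks for the 64-bit ELF header and the UPX marker, and looks for an appended JSON configuration trailer. The trailer check is an assumption (a JSON object at the end of the file), since the report does not describe the trailer's exact layout; the sample bytes are constructed.

```python
import hashlib
import json

# SHA-256 IoC hashes quoted in the report. The v4.02V hashes are not listed
# on the page, so only the v2.87X and v3.05L samples are included here.
PROMETEI_SHA256 = {
    "46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c": "Prometei v2.87X",
    "cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a": "Prometei v3.05L",
}

ELF_MAGIC = b"\x7fELF"


def is_elf64(data: bytes) -> bool:
    # e_ident[EI_CLASS] == 2 means ELFCLASS64 (the report says the Linux sample is a 64-bit ELF).
    return data[:4] == ELF_MAGIC and len(data) > 4 and data[4] == 2


def looks_upx_packed(data: bytes) -> bool:
    # UPX leaves a "UPX!" marker in the packed image; a cheap static hint, not proof.
    return b"UPX!" in data


def json_trailer(data: bytes, max_len: int = 4096):
    # Assumption, not Prometei's documented format: a JSON object appended after the
    # packed image, so the file (ignoring padding) ends with '}'. Walk back over '{'
    # candidates so nested objects parse as a whole.
    tail = data[-max_len:].rstrip(b"\x00\r\n")
    if not tail.endswith(b"}"):
        return None
    start = tail.rfind(b"{")
    while start != -1:
        try:
            return json.loads(tail[start:].decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            start = tail.rfind(b"{", 0, start)
    return None


def triage(data: bytes) -> dict:
    # One record per file: exact IoC match plus the three static traits from the report.
    digest = hashlib.sha256(data).hexdigest()
    return {
        "sha256": digest,
        "known_ioc": PROMETEI_SHA256.get(digest),
        "elf64": is_elf64(data),
        "upx_marker": looks_upx_packed(data),
        "json_trailer": json_trailer(data),
    }


# Constructed sample: fake ELF64 header, UPX marker, then an appended JSON trailer.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"UPX!" + b"\x00" * 32
          + b'{"c2":"hxxp://152.36.128[.]18/cgi-bin/p.cgi","ver":"3"}')
```

Run `triage()` over files found by an IoC sweep; a hash match is conclusive, while the ELF, UPX and trailer flags together only mark a file for closer inspection.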
All about Prometei
| Feature | Description |
|---|---|
| Target OS | Windows, Linux (recent focus on Linux) |
| Primary Objective | Cryptocurrency mining (Monero) |
| Secondary Objectives | Credential theft, additional payload deployment |
| Evasion Techniques | DGA, self-updating, UPX compression, custom JSON config |
| Distribution | HTTP GET requests from compromised servers |
| Notable IoCs | Malware hashes (SHA-256), C2 URLs |
Prometei Indicators of Compromise (IoC)
| Type | Details |
|---|---|
| Malware Samples (SHA-256 Hash) | v2.87X: 46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c; v3.05L: cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a; v4.02V: Multiple hashes (see full report) |
| URLs (Malware Distribution) | hxxp://103.41.204[.]104/k.php |
| URLs (C2 Communication) | hxxp://152.36.128[.]18/cgi-bin/p.cgi |