Analysis Summary

Cybersecurity researchers have detected a significant resurgence of the Prometei botnet, with a new campaign observed since March 2025. This iteration targets Linux servers using advanced tactics for Monero cryptocurrency mining and credential theft. The botnet, known for its dual-variant structure supporting both Linux and Windows, continues to evolve with increasingly stealthy and modular capabilities that allow attackers to maintain persistence, deploy additional payloads, and remotely control infected hosts. Prometei’s renewed operations highlight the persistent threat cryptomining malware poses to enterprise environments worldwide.

The attack campaign utilizes a variety of initial access vectors, including brute-force attacks, exploitation of SMB vulnerabilities, and the EternalBlue exploit linked to WannaCry. These enable Prometei to achieve lateral movement and broaden its reach within compromised networks. Analysts noted that this latest wave introduces more advanced evasion techniques such as a domain generation algorithm (DGA) for resilient command-and-control (C2) communication and self-updating functionality, allowing the malware to dynamically adapt to changing security conditions and remain undetected by conventional defenses.

The malware’s infection mechanism uses obfuscation tactics such as delivering payloads through HTTP GET requests that appear as benign .php files, though they actually contain 64-bit ELF executables. These payloads are packed using a modified version of UPX (Ultimate Packer for eXecutables), which disrupts standard unpacking tools. Additionally, the executables include a custom JSON trailer carrying operational parameters, varying by version. Newer versions introduce expanded fields such as ParentId, ParentHostname, and ParentIp, which improve C2 communication and hierarchical management within the botnet.

After deployment, Prometei conducts extensive system reconnaissance, gathering CPU details, motherboard specs, OS information, system uptime, and kernel data. This allows it to fine-tune mining operations based on available system resources while mapping the victim's infrastructure for deeper infiltration. Though not linked to any nation-state, the campaign exhibits hallmarks of a financially motivated cybercriminal enterprise. It aims to monetize compromised systems through mining while also harvesting credentials for future exploitation or sale on underground markets.

Impact

• Data Exfiltration
• Gain Access
• Crypto Theft
• Financial Loss

Indicators of Compromise

SHA1

• 362a181aa8fe8510d310ad5002cf7d3da4bb0953
• 4859c0130d72b75124165bd3fe35cee2567df4cf
• fd6140cc9442d0c86421e2ad38e94ee8d92f7af5
• 0e63417ca86579f2cf67f17b2f90e202232cc2a4
• fca60c058d697ebede625035f74913aa778dca53
• 29c15c73c2044f8ae269d18c93dc82c765b14886

URL

• http://152.36.128.18/cgi-bin/p.cgi
• http://103.41.204.104/k.php

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Apply all relevant security patches, especially those addressing EternalBlue (MS17-010) and SMB vulnerabilities.
• Enforce strong, complex passwords and enable multi-factor authentication (MFA) for SSH, SMB, and RDP services.
• Monitor and block network traffic to known malicious IPs and command-and-control domains associated with Prometei.
• Implement network segmentation and restrict SMB access to only necessary and trusted hosts.
• Deploy advanced threat detection solutions like EDR, IDS/IPS, and behavior-based analytics to catch stealthy activity.
• Inspect suspicious PHP or ELF payloads using sandboxing and reverse engineering; block downloads from unauthorized sources.
• Check for persistence mechanisms such as malicious cron jobs or startup scripts and remove them.
• Reset all credentials on compromised systems and monitor for reuse or abuse across your environment.
• Isolate infected machines from the network immediately and reimage if needed to ensure complete removal.