Prometei
Prometei is a modular, multi-stage botnet and malware family active since at least 2016 and first publicly documented in 2020. It has both Windows and Linux variants and is primarily used for Monero cryptocurrency mining, but supporting reporting also attributes credential theft, remote control/backdoor functionality, data exfiltration, additional payload delivery, and lateral movement to the malware. Prometei has worm-like propagation capabilities and has been observed spreading via brute-forced or weak credentials, especially against RDP, SMB, SSH, and MS SQL services; using PsExec and WMI; exploiting EternalBlue and BlueKeep; abusing SQL xp_cmdshell; and exploiting Microsoft Exchange vulnerabilities including CVE-2021-27065 and CVE-2021-26858, as well as unpatched ProxyLogon-related systems.

On Windows, Prometei commonly installs or copies itself as C:\Windows\sqhost.exe or C:\Windows\svchost.exe, establishes persistence through a service named UPlugPlay, and may deploy modules such as rdpcIip.exe for spreading, miwalk.exe for Mimikatz-based credential theft, windrlver.exe for SSH propagation, nethelper2.exe and nethelper4.exe for SQL/PostgreSQL targeting, msdtc.exe and smcard.exe for Tor/I2P communications, SearchIndexer.exe as an XMRig miner, and netdefender.exe or ExchDefender.exe to block competing intruders or remove web shells.

On Linux, Prometei has been observed installing as /usr/sbin/uplugplay, persisting via systemd and cron, storing a CommId identifier, communicating over HTTP/1.0 and via Tor or I2P, and deploying XMRig as /usr/sbin/updatecheckerd. Reported command capabilities include sysinfo, exec, wget, xwget, chkport, updatev4, start_mining, stop_mining, touch, extip, quit, quit2, tcp_bind, tcp_stop, udp_stop, sha256chk, chkxwget, and file-transfer commands such as fgetcrypt, which has been reported to use RC4 for encrypted exfiltration.
Prometei has used RC4 in parts of its communications, UPX packing and custom obfuscation, self-updating features, a domain generation algorithm, and appended configuration data in newer Linux samples. Reported indicators include C2 or distribution infrastructure such as p1.feefreepool[.]net, p3.feefreepool[.]net, bk1.bitspiritfun2[.]net, gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei.cgi, 103.41.204[.]104/k.php, 152.36.128[.]18/cgi-bin/p.cgi, 178.21.164[.]68, and 211.23.16[.]239/prometheus.php. Reporting consistently describes Prometei as financially motivated rather than a nation-state tool, though multiple sources characterize it as Russian-linked or likely operated by Russian-speaking cybercriminals. Victims have been observed across sectors including finance, insurance, retail, manufacturing, utilities, travel, construction, and broadly across Windows Server and Linux environments worldwide.
Vulnerabilities exploited
6 CVEs Mallory has correlated with this family across public research and vendor advisories.
Having thus obtained usernames and passwords for computers with MS SQL installed, the attackers used the T-SQL function xp_cmdshell to run several PowerShell scripts and elevated the privileges of the current user by exploiting the CVE-2016-0099 vulnerability. | The parties responsible for its distribution turned out to be the Prometei malware family and a new family called Cliptomaner.
Prometei has a history of exploiting various vulnerabilities. It uses techniques such as brute-forcing credentials, leveraging EternalBlue (the infamous Windows exploit linked to the WannaCry ransomware) and exploiting Server Message Block (SMB) protocol flaws to spread laterally within networks. | In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it. This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft.
A remote desktop protocol (RDP)-based spreading module, “bklocal2.exe” and “bklocal4.exe”, exploits the BlueKeep vulnerability (CVE-2019-0708) that affects older versions of Windows. | Prometei, a highly modular botnet with worm-like capabilities that primarily deploys the Monero cryptocurrency miner, has been continuously improved and updated since it was first seen in 2016, posing a persistent threat to organizations.
Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Prometei" ... employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency.
the attackers exploited recently published Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install malware | Prometei is a modular and multi-stage cryptocurrency botnet that was first discovered in July 2020 which has both Windows and Linux versions.
Techniques & procedures
33 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
We assess with high confidence that v3 of the Prometei botnet is of medium size, with more than 10,000 infected systems worldwide... A simple domain-generating algorithm (DGA) is used to generate up to 48 new domains per day that can be used for command and control (C2) servers.
Initial Access
1 technique
Execution
5 techniques
The actor employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits.
The following list of commands was available in the examined binary: ... exec executes a binary on the system from a path ... wget downloads a file from a URL ... xwget downloads a file from a URL with a 1-byte XOR operation
the attackers used the T-SQL function xp_cmdshell to run several PowerShell scripts
Persistence
3 techniques
Having thus obtained usernames and passwords for computers with MS SQL installed, the attackers used the T-SQL function xp_cmdshell
The spreader then changes the registry value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1 so the credentials are stored in memory and retrieved using techniques employed by the password-stealer module.
Talos observed the Prometei bot dropping a compressed archive, named “AppServ180.zip”, which contains a version of the Apache Web Server bundled with a simple PHP-based web shell... This PHP file contains the simple web shell code that receives base64-encoded commands executed through PHP’s “system” function and a file upload-copy ability.
Privilege Escalation
2 techniques
Stealth
6 techniques
The primary module is downloaded from an actor-controlled server in an encrypted form through a simple XOR byte alteration pattern... update.7z, which is encrypted with the common actor password “horhor123”... the main body of the bot is encrypted...
Later versions of this malware released in March 2025 are packed using Ultimate Packer for eXecutables (UPX)... UPX is used to compress the executable, making it smaller and potentially more difficult to analyze.
Despite the file being named k.php, it is not a PHP script, likely a tactic to further disguise its true nature.
The install.cmd batch file... first attempts to kill the rdpCIip.exe and winDrLver.exe spreader programs. It then deletes all current versions of the target files on disk and then renames the extracted versions... Finally, the install.cmd script cleans up any remaining extracted files from update.7z...
Having thus obtained usernames and passwords for computers with MS SQL installed, the attackers used the T-SQL function xp_cmdshell
The primary module is downloaded... in an encrypted form through a simple XOR byte alteration pattern... [IO.File]::ReadAllBytes... [io.file]::WriteAllBytes... The encryption method to obfuscate SearchIndexer.exe does, however, differ... encrypted through its parent password-protected 7-Zip archive.
Defense Impairment
1 technique
Credential Access
3 techniques
The infection starts with the main botnet file which is copied from other infected systems by means of SMB, using passwords retrieved by a modified Mimikatz module... Prometei also tries to recover administrator passwords.
Discovery
3 techniques
The main branch also has auxiliary modules that provide the ability to... collecting information about processes running on the system... Ztasklist.exe is a tool that enumerates all the running processes.
The sample also contains another subroutine responsible for collecting compromised system information. This information includes: Processor information... Motherboard information... Operating system information... uptime... Kernel information...
Crawler.exe is a simple file system crawler which searches the local file system for filenames specified as the parameter. We have observed low activity of the module and its usage indicates the intention of the actor to find Bitcoin wallets on infected systems.
Lateral Movement
3 techniques
The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.
Collection
1 technique
Command and Control
6 techniques
sends information about the infected machine to the C&C server, and then downloads the cryptocurrency miner and its configuration
The collected system information is submitted via HTTP GET to the C2 server at hxxp://152.36.128[.]18/cgi-bin/p.cgi.
These threats demonstrate several techniques of the MITRE ATT&CK framework, most notably T1090 (Connection Proxy).
The final two modules, “smcard.exe” and “msdtc.exe”, deal with the bot’s communications over the Tor network, with the C2’s Tor address represented by the hardcoded URL in sqhost.exe...
Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure... It uses a DGA to dynamically generate domain names to ensure uninterrupted communication with its C2 infrastructure, even if some domains are blocked.
Impact
1 technique
Other
1 technique
the Prometei operators have made modifications that automate component and infrastructure updating, impair defenders’ analysis... A firewall rule named “Secure Socket Tunneling Protocol (HTTP)” is executed through the “netsh” command to add “C:\Windows\sqhost.exe” to the allowed programs list.
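As an added defender-side example (not code from this page, from Mallory, or from any of the cited vendor reports), the following Python checks constructed Windows host events against the artifacts documented above: the sqhost.exe/svchost.exe copy directly under C:\Windows, the UPlugPlay service, the WDigest UseLogonCredential change to 1, the netsh firewall rule named "Secure Socket Tunneling Protocol (HTTP)", and a shell spawned by SQL Server as xp_cmdshell use would produce. The event schema, the check names, and the sample records are assumptions made for the example.

```python
import re
# Constructed sample telemetry (not real logs); events 6-7 are benign look-alikes.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\sqhost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "sqhost.exe"},
    {"id": 2, "type": "service", "name": "UPlugPlay", "path": r"C:\Windows\sqhost.exe"},
    {"id": 3, "type": "registry", "value": "UseLogonCredential", "data": "1",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\sqhost.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Secure Socket Tunneling '
                'Protocol (HTTP)" dir=in action=allow program="C:\\Windows\\sqhost.exe"'},
    {"id": 5, "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "cmdline": 'cmd.exe /c "powershell.exe -File update.ps1"'},
    {"id": 6, "type": "process", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 7, "type": "registry", "value": "UseLogonCredential", "data": "0",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"},
]

# The real svchost.exe lives in System32; the bot's copy sits directly under C:\Windows.
BOT_IMAGE = re.compile(r"^c:\\windows\\(?:sqhost|svchost)\.exe$", re.I)
WDIGEST_KEY = re.compile(r"\\control\\securityproviders\\wdigest$", re.I)
FIREWALL_RULE = re.compile(r"secure socket tunneling protocol \(http\)|sqhost\.exe", re.I)
SQLSERVR = re.compile(r"\\sqlservr\.exe$", re.I)
SHELL = re.compile(r"\\(?:cmd|powershell)\.exe$", re.I)


def classify(ev):
    """Return the names of the Prometei-consistent checks an event matches."""
    hits = []
    if ev["type"] == "process":
        image, parent, cmd = ev["image"], ev.get("parent", ""), ev.get("cmdline", "")
        if BOT_IMAGE.search(image):
            hits.append("bot_binary_in_windows_dir")
        if image.lower().endswith("\\netsh.exe") and FIREWALL_RULE.search(cmd):
            hits.append("firewall_allow_rule_for_sqhost")
        if SQLSERVR.search(parent) and SHELL.search(image):  # xp_cmdshell-style child
            hits.append("mssql_spawned_shell")
    elif ev["type"] == "service" and ev["name"].lower() == "uplugplay":
        hits.append("uplugplay_service")
    elif (ev["type"] == "registry" and WDIGEST_KEY.search(ev["key"])
          and ev["value"].lower() == "uselogoncredential" and ev["data"] == "1"):
        hits.append("wdigest_cleartext_enabled")
    return hits


def scan(events):
    """Map event id -> matched check names, keeping only events with hits."""
    return {ev["id"]: hits for ev in events if (hits := classify(ev))}
```

Running `scan(SAMPLE_EVENTS)` flags events 1 through 5 and leaves the benign System32 svchost.exe and the UseLogonCredential=0 record untouched.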
IOCs tracked for this family
79 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
21 sources tracked across advisories, community write-ups, and news.
A named malware family identified as one of the principal threats in attacks against Linux SSH servers.
Referenced in supporting material as a botnet exploiting Microsoft Exchange vulnerabilities.
Prometei is a modular botnet targeting Windows Server environments, commonly gaining initial access via weak/default RDP credentials. It establishes persistence as a Windows service, deploys additional modules for credential harvesting and lateral movement, performs system reconnaissance, enables C2 communications (including via TOR), and conducts cryptocurrency mining while attempting to evade defenses via firewall/Defender exclusions and layered encryption.
Russian-linked botnet known for Monero cryptocurrency mining, credential theft (including password harvesting across a network), and remote control of compromised systems; uses persistence mechanisms, encrypted payloads, and anonymization via TOR.