In Feb 2026, @esentire flagged Prometei on Windows.

In April our honeypots caught the same campaign on Linux — same C2, same Tor onion. And the Linux ELF pivots BACK to Windows via WinRM SOAP, Redis SLAVEOF, SMBv1/MS17-010-era material.

A 16-char constant lives in BOTH rdpcIip.exe (Win) and zsvc (Linux). Shared toolkit lineage, two OSes.

📑 1/2 the Linux side:
https://research.ohiiho.com/reports/2026-05-prometei-asia-c2-linux-side/

📑 2/2 the Windows arsenal and the back-pivot:
https://research.ohiiho.com/reports/2026-05-prometei-cross-platform-pivot/

#Prometei #ThreatIntel #DFIR

📢⚠️ A construction firm in the UK had its Windows Server hijacked by the #Prometei botnet, mining crypto and stealing passwords after easy RDP access was guessed, hiding under TOR and blocking rivals inside the system 👾

Read: https://hackread.com/uk-construction-firm-prometei-botnet-windows-server/

#CyberSecurity #Malware #Windows #CyberAttack #Russia

UK Construction Firm Hit by Prometei Botnet Hiding in Windows Server

Cybersecurity firm eSentire's TRU breaks down the Prometei botnet attack on a UK firm, detailing its TOR usage, password theft and decoy tactics.

Hackread - Cybersecurity News, Data Breaches, AI and More
Prometei botnet activity has surged since March 2025

Prometei botnet activity has surged since March 2025, with a new malware variant spreading rapidly, Palo Alto Networks reports.

Security Affairs
Resurgence of the Prometei Botnet

We identified a resurgence of the Prometei botnet's Linux variant. Our analysis tracks the activity of this cryptominer and its new features.

Unit 42

At last! I finished reversing the communication protocol of Linux/Prometei, with AI's assistance.

Spoiler: hmm, well, in some cases, the AI didn't help ;P

but in the end, it was worth it.

https://cryptax.medium.com/communication-with-a-prometei-c2-part-three-8f9c76ff9ac0

#r2ai #radare2 #linux #botnet #prometei

Communication with a Prometei C2 — Part Three - @cryptax - Medium

I am analyzing a Linux Prometei sample of February 2025. In Part One, we found out this sample was packed. In Part Two, we analyzed the unpacked binary, got an overall impression of binary and…

Medium
New Version of Prometei Botnet Infects Over 10,000 Systems Worldwide
https://thehackernews.com/2023/03/new-version-of-prometei-botnet-infects.html #Cybercrime #Botnet #Prometei
An updated version of the botnet malware Prometei has infected over 10,000 systems globally since Nov 2022.

The Hacker News
Prometei botnet evolves and infected +10,000 systems since November 2022

A new version of the Prometei botnet has infected more than 10,000 systems worldwide since November 2022, experts warn. Cisco Talos researchers reported that the Prometei botnet has infected more than 10,000 systems worldwide since November 2022. The crypto-mining botnet has a modular structure and employs multiple techniques to infect systems and evade detection. The Prometei botnet […]

Security Affairs
Cryptomining #Botnet Exploits Windows #SMB #Vulnerabilities. A previously undetected botnet called #Prometei is targeting vulnerable Microsoft #Windows #devices by brute-forcing #SMB #vulnerabilities to mine #monero cryptocurrency, according to Cisco Talos.
https://www.inforisktoday.com/cyptomining-botnet-exploits-windows-smb-vulnerabilities-a-14696?&web_view=true
Cryptomining Botnet Exploits Windows SMB Vulnerabilities

A previously undetected botnet called "Prometei" is targeting vulnerable Microsoft Windows devices by brute-forcing SMB vulnerabilities to mine monero

The Prometei botnet uses SMB for cryptocurrency mining #SMB, #ботнет, #Prometei https://www.securitylab.ru/news/510485.php https://twitter.com/SecurityLabnews/status/1286291052513628160/photo/1
The Prometei botnet uses SMB for cryptocurrency mining

Prometei uses a modular architecture and a variety of techniques to compromise systems, hide its presence, and mine cryptocurrency.