Cybersecurity researchers have uncovered a significant resurgence of the Prometei botnet, a sophisticated malware operation targeting Linux servers for cryptocurrency mining and credential theft.<\/p>\n
This latest campaign, observed since March 2025, demonstrates the evolving nature of cryptomining malware and its persistent threat to enterprise infrastructure worldwide.<\/p>\n
The Prometei botnet represents a dual-threat malware family encompassing both Linux and Windows variants, designed primarily to hijack computational resources for Monero cryptocurrency mining while simultaneously stealing credentials from compromised systems.<\/p>\n
Palo Alto Networks analysts identified<\/a> this new wave of attacks in March 2025, noting significant improvements in the malware\u2019s stealth capabilities and operational sophistication compared to previous iterations.<\/p>\n The botnet operates through a modular architecture that enables attackers to remotely control infected systems, deploy additional payloads, and maintain persistent access to compromised networks.<\/p>\n Originally discovered in July 2020 with its Windows variant taking initial precedence, the Linux version emerged in December 2020 and has since undergone continuous development.<\/p>\n The malware employs multiple attack vectors including brute-force credential attacks, exploitation of the notorious EternalBlue vulnerability associated with WannaCry<\/a> ransomware, and manipulation of Server Message Block protocol vulnerabilities to achieve lateral movement within target networks.<\/p>\n This multi-pronged approach allows Prometei to rapidly expand its footprint once it gains initial access to an organization\u2019s systems.<\/p>\n The financial motivation behind Prometei<\/a> operations appears clear, with researchers finding no evidence linking the botnet to nation-state actors.<\/p>\n Instead, the campaign demonstrates characteristics consistent with profit-driven cybercriminal enterprises seeking to monetize compromised infrastructure through cryptocurrency mining while opportunistically harvesting valuable credentials for potential secondary exploitation or sale on underground markets.<\/p>\n The current iteration incorporates advanced evasion techniques including a domain generation algorithm for command-and-control infrastructure resilience and self-updating capabilities that enable the malware to adapt to security defenses dynamically.<\/p>\n These improvements make detection and mitigation significantly more challenging for traditional security solutions.<\/p>\n The latest Prometei variants employ sophisticated distribution and unpacking mechanisms that significantly complicate analysis efforts.<\/p>\n The malware distributes itself through HTTP GET requests to a specific server located at Despite the misleading The malware employs Ultimate Packer for eXecutables (UPX) compression to reduce file size and complicate static analysis procedures.<\/p>\n However, the implementation includes a critical modification that prevents standard UPX decompression tools from functioning correctly.<\/p>\n The developers append a custom configuration JSON trailer to the packed executable, disrupting the UPX tool\u2019s ability to locate essential metadata including the PackHeader and overlay_offset trailer necessary for successful decompression.<\/p>\n This configuration trailer contains essential operational parameters that vary between malware versions. While version two supported basic fields such as These enhancements enable more sophisticated command-and-control communication<\/a> and hierarchical botnet management capabilities.<\/p>\n Once successfully deployed, Prometei implements comprehensive system reconnaissance by collecting processor information from This intelligence gathering enables the malware to optimize its mining operations based on available hardware resources while providing attackers with detailed infrastructure mapping for potential lateral movement activities.<\/p>\n The post Prometei Botnet Attacking Linux Servers to Mine Cryptocurrency<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nTechnical Infection Mechanism and Distribution<\/strong><\/h2>\n
hxxp[:\/\/]103.41.204[.]104\/k.php?a=x86_64<\/code>, with variations allowing dynamic ParentID assignment through the parameter hxxp[:\/\/]103.41.204[.]104\/k.php?a=x86_64,<\/code>.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj2hcPFtBumxo5TWWRzLigzGQHMM7Yz0kUpG-T2xYiLx5Ytis88NSGUR1eMIel75krqJ0ys_PnUENqtukGGnI-X_aikn2skbY_DkTYnFQONGezwVbvqkXJX7p5_5W7ycv8bQOg5U7nAIR46zE_efX-oCEzLz20pmAskktjewy_JfGqfXSwzKDChlPYB7EA\/s16000\/Interpretation%2520of%2520the%2520UPX%2520PackHeader%2520and%2520overlay_offset%2520trailer%2520for%2520the%2520sample%2520%28Source%2520-%2520Palo%2520Alto%2520Networks%29.webp?ssl=1\")
.php<\/code> filename, the payload consists of a 64-bit ELF executable designed specifically for Linux systems, representing a deliberate obfuscation tactic.<\/p>\nconfig<\/code>, id<\/code>, and enckey<\/code>, newer versions three and four incorporate additional parameters including ParentId<\/code>, ParentHostname<\/code>, ParentIp<\/code>, and ip<\/code> fields.<\/p>\n\/proc\/cpuinfo<\/code>, motherboard details through dmidecode --type baseboard<\/code> commands, operating system specifications from \/etc\/os-release<\/code> or \/etc\/redhat-release<\/code>, system uptime data, and kernel information via uname -a<\/code> commands.<\/p>\nAre you from SOC\/DFIR Teams! - Interact with malware in the sandbox and find related IOCs. -\u00a0Request 14-day free trial<\/a><\/code><\/strong><\/p>\n