Resurgence of Prometei Botnet: Targeting Linux Servers for Cryptocurrency Mining

Cybersecurity researchers have uncovered a significant resurgence of the Prometei botnet, a sophisticated malware operation that targets Linux servers for cryptocurrency mining and credential theft. This latest campaign, observed since March 2025, highlights the evolving nature of cryptomining malware and its persistent threat to enterprise infrastructure worldwide.
The Prometei botnet represents a dual-threat malware family, encompassing both Linux and Windows variants, designed primarily to hijack computational resources for Monero cryptocurrency mining while simultaneously stealing credentials from compromised systems. Analysts at Palo Alto Networks identified this new wave of attacks in March 2025, noting significant improvements in the malware’s stealth capabilities and operational sophistication compared to previous iterations.

Modular Architecture and Attack Vectors
The botnet operates through a modular architecture that enables attackers to remotely control infected systems, deploy additional payloads, and maintain persistent access to compromised networks. Prometei was first discovered in July 2020 as a Windows malware family; the Linux version emerged in December 2020 and has undergone continuous development since.
Prometei employs multiple attack vectors, including brute-force credential attacks, exploitation of EternalBlue (the exploit made notorious by the WannaCry ransomware), and abuse of other Server Message Block (SMB) protocol vulnerabilities, to move laterally within target networks. This multi-pronged approach allows Prometei to expand its footprint rapidly once it gains initial access to an organization's systems.

Financial Motivation and Cybercriminal Enterprises
The Prometei botnet operates with clear financial motives, showing no links to nation-state actors. Instead, it reflects the characteristics of profit-driven cybercriminal enterprises that aim to monetize compromised infrastructure through cryptocurrency mining and the opportunistic theft of valuable credentials for resale on underground markets. The latest version of the botnet employs advanced evasion techniques, such as a domain generation algorithm for resilient command-and-control infrastructure and self-updating capabilities, making it harder for traditional security solutions to detect and mitigate.

Technical Infection Mechanism and Distribution
Recent Prometei variants utilize sophisticated distribution and unpacking methods that complicate analysis. The malware spreads via HTTP GET requests to a specific server at hxxp[://]103.41.204[.]104/k.php?a=x86_64, with variations for dynamic ParentID assignment. Despite the misleading .php filename, the payload is a 64-bit ELF executable tailored for Linux systems, employing Ultimate Packer for eXecutables (UPX) compression to obscure its presence.
A custom JSON configuration trailer appended to the packed file breaks standard UPX decompression tools; it carries operational parameters used for command-and-control communication and botnet management. Once deployed, Prometei performs extensive system reconnaissance, gathering processor information, motherboard details, operating system specifications, uptime data, and kernel information. This intelligence lets the malware tune mining operations to the available resources while mapping the infrastructure for potential lateral movement.
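As an added triage example (not code from the article or from Palo Alto Networks), the Python below checks a file for the ELF magic and the UPX marker, then looks for a JSON object glued to the end of the file, the condition described above that makes stock UPX refuse to unpack the payload, and returns the bytes with the trailer stripped so they can be handed to `upx -d`. The sample file, its JSON keys, the 64 KiB scan window and the marker heuristic are all constructed assumptions and do not describe the real Prometei trailer layout.

```python
import json
from typing import Optional, Tuple

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"     # magic string UPX leaves inside packed files
SCAN_WINDOW = 64 * 1024  # assumption: a config trailer is small, so only inspect the tail

def is_elf(data: bytes) -> bool:
    return data.startswith(ELF_MAGIC)

def looks_upx_packed(data: bytes) -> bool:
    return UPX_MARKER in data  # cheap heuristic, not a full UPX header parse

def find_json_trailer(data: bytes) -> Optional[Tuple[int, dict]]:
    """Return (offset, parsed object) of a JSON object glued to the end of the file."""
    # Walk backwards over each '{' in the tail window; the first candidate that parses
    # as a complete object is the trailer (inner braces of a nested object fail to parse).
    end = len(data.rstrip(b"\x00\r\n\t "))  # tolerate padding after the object
    if end == 0 or data[end - 1:end] != b"}":
        return None
    lo = max(0, end - SCAN_WINDOW)
    pos = data.rfind(b"{", lo, end)
    while pos != -1:
        try:
            obj = json.loads(data[pos:end])
            if isinstance(obj, dict):
                return pos, obj
        except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from it
            pass
        pos = data.rfind(b"{", lo, pos)
    return None

def split_trailer(data: bytes) -> Tuple[bytes, Optional[dict]]:
    """Split into (bytes safe to hand to `upx -d`, parsed trailer or None)."""
    hit = find_json_trailer(data)
    if hit is None:
        return data, None
    offset, obj = hit
    return data[:offset], obj

def build_sample() -> bytes:
    """Constructed stand-in (invented keys/layout, not the real Prometei trailer)."""
    elf_header = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9  # EI_CLASS=2 marks a 64-bit ELF
    fake_body = b"\x00" * 16 + UPX_MARKER + bytes(range(256)) * 4
    trailer = b'{"cfg":{"interval":60,"tag":"placeholder"},"ver":3}\n'
    return elf_header + fake_body + trailer

if __name__ == "__main__":
    payload, cfg = split_trailer(build_sample())
    print("trailer:", cfg, "| bytes left for upx -d:", len(payload))
```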