Security Experts:

Connect with us

Hi, what are you looking for?



BlackBerry Researchers Dive Into Prometheus TDS Operations

BlackBerry’s security researchers have closely analyzed the Prometheus TDS (Traffic Direction System) and discovered a correlation with a leaked Cobalt Strike SSL key pair, as well as with various malware families.

BlackBerry’s security researchers have closely analyzed the Prometheus TDS (Traffic Direction System) and discovered a correlation with a leaked Cobalt Strike SSL key pair, as well as with various malware families.

First detailed in August 2021, the Prometheus TDS, which is mainly used by Russian threat actors, facilitates various Malware-as-a-Service (MaaS) operations, as well as phishing redirections. Previously, it was associated with the distribution of malware families such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Typically, a TDS would be part of an exploit kit (EK) redirection chain, but with the EK landscape declining heavily over the past few years, TDSes have evolved, and Prometheus emerged as a full-bodied platform.

The threat actor behind Prometheus – who uses the online handle of Ma1n – relies heavily on cracked/leaked copies of the Cobalt Strike adversary simulation platform, BlackBerry says in a report published today.

Moreover, the adversary was observed moving away from the Prometheus backdoor, which was designed for fingerprinting victims and which previously served as an integral part of the Prometheus TDS execution chain.

BlackBerry also discovered that some of the activity associated with Prometheus overlaps with the use of an SSL private key used as part of malicious Cobalt Strike installations and which was bundled within a cracked version of Cobalt Strike 4.2.

“This cracked version (and the SSL Key) appears to be so heavily relied upon by Prometheus affiliates that we speculate that this same illegitimate copy of Cobalt Strike could perhaps be proliferated by the Prometheus operators themselves,” BlackBerry says.

The researchers believe that an individual associated with Prometheus might be maintaining the cracked copy of Cobalt Strike.

Over the past couple of years, this cracked version of Cobalt Strike was used by malicious groups/malware such as StrongPity, FickerStealer, Fin7, Man1, Mirai, Qakbot, Bashlite/Gafgyt, IceID, Conti, Ryuk, BlackMatter, Cerber ransomware, and initial access broker Zebra2104.

Campaigns that likely used both Cobalt Strike and Prometheus include DarkCrystalRAT (commercial remote access Trojan), FickerStealer (Rust-based information stealer), Cerber ransomware (a major threat in 2016), REvil/Sodinokibi (a RaaS group that Russia’s intelligence service dismantled last week), Ryuk ransomware (operated by WizardSpider), BlackMatter ransomware (which announced shutdown in November 2021), and Qakbot (potent backdoor/malware dropper).

BlackBerry’s analysis of this Prometheus/Cobalt Strike-related activity also revealed the use of Team Servers, with all campaigns using the leaked build of Team Server showing “a tendency to target organizations within the public sector.”

Related: Prometheus TDS – Underground Service Distributing Several Malware Families

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...