An updated variant of the Prometei malware is making the rounds, and activity associated with the botnet has surged over the past months, Palo Alto Networks reports.
A modular botnet initially discovered in July 2020, Prometei targets both Windows and Linux systems for infection, primarily for cryptocurrency mining and credential exfiltration.
The most recent version of the malware, however, includes a backdoor for additional malicious activities, integrates self-updating features, and relies on a domain generation algorithm (DGA) for command-and-control (C&C) server connectivity.
Prometei’s various modules allow it to brute-force administrator passwords, exploit vulnerabilities, move laterally, steal victims’ data, establish C&C communication, and mine for cryptocurrency (particularly Monero).
A February 2025 analysis of a recent malware sample revealed that it was achieving persistence by creating a service and a scheduled cron job, lacked a hardcoded mining pool, and could process additional commands received from its operators.
The latest iteration of the threat, observed in March 2025, is packed using Ultimate Packer for eXecutables (UPX), which makes it smaller, Palo Alto Networks says.
Targeting Linux systems, it decompresses itself in memory during runtime and executes the final payload, so that the botnet can start its operations.
The malware harvests broad system information, including processor and motherboard information, OS details, system uptime data, and Linux kernel information. The data is sent to the C&C server via an HTTP GET request.
The new Prometei version also shows a focus on evading detection, while its emergence and spike in activity demonstrate that it is under active development, Palo Alto Networks says.
“While its primary goal is cryptocurrency (Monero) mining, Prometei also possesses secondary capabilities, such as stealing credentials and deploying additional malware payloads. We assess that Prometei’s operations appear driven by financial gain, and there is no evidence of ties to nation-state actors,” the cybersecurity firm notes.
Related: Chinese APT Hacking Routers to Build Espionage Infrastructure
Related: Recent Langflow Vulnerability Exploited by Flodrix Botnet
Related: Recently Disrupted DanaBot Leaked Valuable Data for 3 Years
