Prometheus TDS – Underground Service Distributing Several Malware Families

Group-IB security researchers have shared a technical analysis of Prometheus TDS, an underground service that over the past several months has been used for the distribution of various malware families, such as Buer Loader, Campo Loader, Hancitor, IcedID, QBot, and SocGholish.

Prometheus TDS (Traffic Direction System) is a malware-as-a-service (MaaS) solution that has been promoted on underground forums since August 2020, being described as a platform that can send emails, work with traffic, and help with social engineering.

Also, the TDS can be used for web shell validation and redirect creation and management, can operate via proxy, supports Google accounts, and can validate users against blacklists. The service is offered at $250 per month, Group-IB’s researchers discovered.

In addition to the distribution of malicious files, the service is being used to redirect victims to phishing and malicious sites. The first campaign leveraging Prometheus TDS was discovered in the spring of 2021, with additional active campaigns observed since, for a total of more than 3,000 victims identified to date.

The service consists of an administrative panel that allows attackers to configure various parameters for their malicious campaigns, including the downloading of malicious files, and setting restrictions for geolocation, browsers, and operating systems.

Third-party infected websites are used as the middleman between the administrative panel and the victim. On these websites, Group-IB’s security researchers discovered a PHP file named Prometheus.Backdoor that was designed to collect and transmit data about the user.

Based on the analysis of this data, the panel decides whether to serve a payload to the victim or redirect them to a specified URL.

The service has been used to send malicious emails to more than 3,000 addresses to date. The most active campaign targeted individuals in Belgium (more than 2,000 emails), while the second largest attack targeted US entities (more than 260 emails targeting government agencies and organizations in sectors such as finance, insurance, healthcare, energy and mining, retail, IT, and cybersecurity).

A typical attack involving Prometheus TDS starts with a malicious email that carries either an HTML file that redirects the victim to a compromised site, a link to a web shell that performs the redirection, or a link to a Google Doc containing a URL that redirects the user to a malicious site.

Once the victim follows the link, they are redirected to the Prometheus.Backdoor URL where their data (including IP address, User-Agent, language, time zone, and referrer header) is collected and sent to the Prometheus TDS admin panel, which decides how to serve the next stage.
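The redirect chain described above leaves a recognisable shape in web-proxy logs: a request to a PHP file on a compromised site, a cross-host redirect, and a landing page that serves a binary, with the same gate URL sending different clients to different places. The following detection script is an added example, not code from the article or from Group-IB; the log format, hostnames and sample lines are constructed placeholders, not indicators from the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# One proxy log line per request, in a constructed format for this example (not a real product's log):
# time client status url "referer" "user-agent" "location" "content-type"
FIELDS = ("ts", "client", "status", "url", "referer", "ua", "location", "ctype")
LINE = re.compile(r'^(\S+) (\S+) (\d{3}) (\S+) "([^"]*)" "([^"]*)" "([^"]*)" "([^"]*)"$')
PAYLOAD_TYPES = {"application/octet-stream", "application/zip", "application/x-msdownload"}

# Constructed sample traffic: a browser victim arriving from a Google Doc link, and a non-browser
# client hitting the same PHP gate. Hostnames are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2021-05-10T09:01:02Z 10.0.0.5 302 http://compromised.example/wp-includes/cache.php?id=7 "https://docs.google.com/document/d/PLACEHOLDER" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "http://drop.example/file.php" ""
2021-05-10T09:01:03Z 10.0.0.5 200 http://drop.example/file.php "" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "" "application/octet-stream"
2021-05-10T09:05:00Z 10.0.0.9 302 http://compromised.example/wp-includes/cache.php?id=7 "" "curl/7.68.0" "http://compromised.example/" ""
2021-05-10T09:05:01Z 10.0.0.9 200 http://compromised.example/ "" "curl/7.68.0" "" "text/html"
"""

def parse(log):
    rows = [dict(zip(FIELDS, m.groups())) for m in map(LINE.match, log.splitlines()) if m]
    for r in rows:
        r["status"] = int(r["status"])
    return rows

def redirect_chains(rows):
    """Pair each 3xx hop with the same client's next request, when it goes to the Location target."""
    by_client = defaultdict(list)
    for r in rows:
        by_client[r["client"]].append(r)
    return [(a, b) for reqs in by_client.values() for a, b in zip(reqs, reqs[1:])
            if 300 <= a["status"] < 400 and a["location"] and b["url"] == a["location"]]

def tds_shaped(hop, landing):
    """PHP gate on one host, redirect to another host, landing page serves a binary download."""
    gate, land = urlparse(hop["url"]), urlparse(landing["url"])
    return gate.path.endswith(".php") and gate.hostname != land.hostname and landing["ctype"] in PAYLOAD_TYPES

def cloaked_urls(rows):
    """Gate URLs that sent different clients to different targets: the TDS is filtering visitors."""
    targets = defaultdict(set)
    for r in rows:
        if 300 <= r["status"] < 400 and r["location"]:
            targets[r["url"]].add(r["location"])
    return sorted(u for u, t in targets.items() if len(t) > 1)

def analyse(log):
    rows = parse(log)
    flagged = [(h["client"], h["url"], l["url"]) for h, l in redirect_chains(rows) if tds_shaped(h, l)]
    return flagged, cloaked_urls(rows)
```

`analyse(SAMPLE_LOG)` returns the flagged (client, gate, landing) chains and the gate URLs whose redirect target varied by visitor; in the sample, the non-browser client is bounced back to the site's front page, which is the filtering behaviour the panel applies.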

On some infrastructure used to host Prometheus TDS, the researchers discovered an unknown panel that they eventually identified as the BRChecker service, an email-account brute-forcing and checking tool that first appeared on underground forums in 2018. As of May 2021, the service is being offered at $490.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
