Prometei Botnet Targets Linux Servers for Cryptocurrency Mining Operations
Unit 42 researchers from Palo Alto Networks have identified a renewed wave of attacks by the Prometei botnet, specifically targeting Linux servers, as of March 2025.
Initially discovered in July 2020 with a focus on Windows systems, Prometei has since evolved, with its Linux variant gaining prominence since December 2020.
Resurgence of a Persistent Threat
The latest iterations, versions three and four, showcase advanced capabilities, including a backdoor for remote control, domain generation algorithms (DGA) for resilient command-and-control (C2) infrastructure, and self-updating mechanisms to evade detection.
This resurgence underscores Prometei’s persistent threat to organizations worldwide, with its primary objective being cryptocurrency mining, particularly Monero, alongside secondary goals like credential theft and additional payload deployment.
Prometei’s architecture is notably modular, allowing independent components to handle specific malicious tasks such as brute-forcing credentials, exploiting vulnerabilities like EternalBlue and Server Message Block (SMB) flaws, mining cryptocurrency, stealing data, and maintaining C2 communication.
Distributed via HTTP GET requests to servers such as hxxp://103.41.204[.]104/k.php, the malware is a 64-bit Executable and Linkable Format (ELF) binary built for Linux systems.
Recent versions are compressed with the Ultimate Packer for eXecutables (UPX) to reduce file size and complicate static analysis, and are served under misleading names such as "k.php" to disguise the executable as a script.

Technical Sophistication
The malware unpacks in memory during runtime to execute its payload, while a custom JSON configuration trailer containing fields like ParentId and encryption keys adds another layer of complexity, requiring specialized unpacking for analysis.
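The two static traits described above (UPX compression and a JSON configuration trailer appended to the ELF) can be checked for during triage before any unpacking. The following Python script is an added example written for this article; it is not Unit 42's tooling, and the exact layout of Prometei's trailer is not described here, so the script assumes the trailer is a JSON object at the end of the file. The sample bytes, the `ParentId` and `key` values and the version string are constructed for the demonstration.

```python
import json
from typing import Optional

# Constructed sample: a minimal fake 64-bit ELF header, a UPX marker string somewhere
# in the body and a trailing JSON configuration blob. The field names follow the
# article (ParentId, encryption key); the values are placeholders, not real IoCs.
SAMPLE_ELF = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 57           # ELF magic, ELFCLASS64, rest of header zeroed
    + b"\x00" * 32 + b"UPX!" + b"\x00" * 64         # packer marker as found in UPX stubs
    + b'{"ParentId":"<constructed-id>","key":"<constructed-key>","version":"4.02V"}'
)

# Strings commonly present in UPX-packed binaries (heuristic only: a modified
# packer can strip them, so absence does not prove a file is unpacked).
UPX_MARKERS = (b"UPX!", b"$Info: This file is packed with the UPX")


def is_elf64(data: bytes) -> bool:
    """True when the buffer starts with the ELF magic and the 64-bit class byte (2)."""
    return data[:4] == b"\x7fELF" and len(data) > 4 and data[4] == 2


def has_upx_marker(data: bytes) -> bool:
    """True when any known UPX marker string appears anywhere in the file."""
    return any(marker in data for marker in UPX_MARKERS)


def extract_json_trailer(data: bytes, max_trailer: int = 4096) -> Optional[dict]:
    """Return the JSON object that closes the file, if one is present.

    Assumed layout: the configuration is appended after the ELF image and runs to
    end-of-file (optionally followed by NUL or newline padding). Walk backwards over
    the tail and return the outermost '{' from which the remainder parses as JSON.
    """
    tail = data[-max_trailer:].rstrip(b"\x00\r\n ")
    for i in range(len(tail) - 1, -1, -1):
        if tail[i : i + 1] != b"{":
            continue
        try:
            obj = json.loads(tail[i:].decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
        if isinstance(obj, dict):
            return obj
    return None


def triage(data: bytes) -> dict:
    """Summarise the static indicators an analyst would record for the sample."""
    trailer = extract_json_trailer(data)
    elf64, packed = is_elf64(data), has_upx_marker(data)
    return {
        "elf64": elf64,
        "upx_marker": packed,
        "trailer_present": trailer is not None,
        "trailer_fields": sorted(trailer) if trailer else [],
        # All three traits together match the profile described for recent versions.
        "suspicious": elf64 and packed and trailer is not None,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ELF), indent=2))
```

Run it against a real file by replacing `SAMPLE_ELF` with the bytes of the suspect binary; a positive `suspicious` result is a cue to unpack the sample (for example with `upx -d` if the stub is unmodified) and examine the trailer fields, not a verdict on its own.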
Prometei also collects extensive system information from compromised hosts, including processor details, OS data, and uptime statistics, which are relayed to C2 servers such as hxxp://152.36.128[.]18/cgi-bin/p.cgi.
This adaptability, combined with DGA and self-updating features, ensures persistent communication with attackers and continuous evolution against security countermeasures, making it a formidable adversary.
According to the report, Palo Alto Networks offers protection through products such as Advanced WildFire, Cortex XDR, and Advanced Threat Prevention, which use machine learning to detect and block these threats in real time, while the Unit 42 Incident Response team is available to assist compromised organizations.
This latest wave of Prometei activity, tracked from March to April 2025, highlights the need for heightened vigilance and proactive defense strategies to combat such evolving threats in the cybersecurity landscape.
Indicators of Compromise (IoCs)
The following table summarizes key IoCs associated with the Prometei botnet for reference and detection purposes:
| Type | Details |
|---|---|
| Malware samples (SHA-256) | v2.87X: 46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c; v3.05L: cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a; v4.02V: multiple hashes (details in full report) |
| URL (malware distribution) | hxxp://103.41.204[.]104/k.php |
| URL (C2 communication) | hxxp://152.36.128[.]18/cgi-bin/p.cgi |
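To turn the table into a detection, the published IoCs have to be refanged (`hxxp://` and `[.]` restored) and matched against proxy and file-integrity telemetry. The Python below is an added example, not part of the report; the hashes and URLs are the ones listed above, while the log lines are constructed for the demonstration and the field names (`url=`, `sha256=`) are assumptions about the log format.

```python
import re
from typing import Dict, Iterable, List, Tuple

# IoCs as published in the table above (defanged).
IOC_HASHES: Dict[str, str] = {
    "46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c": "Prometei v2.87X",
    "cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a": "Prometei v3.05L",
}
IOC_URLS_DEFANGED: Dict[str, str] = {
    "hxxp://103.41.204[.]104/k.php": "Prometei distribution",
    "hxxp://152.36.128[.]18/cgi-bin/p.cgi": "Prometei C2",
}


def refang(ioc: str) -> str:
    """Restore the literal form a log would contain from the defanged publication form."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


IOC_URLS = {refang(u): tag for u, tag in IOC_URLS_DEFANGED.items()}
# Host-only patterns catch other paths on the same infrastructure; the lookarounds stop
# 103.41.204.104 from matching inside a longer address such as 103.41.204.1045.
IOC_HOSTS = {
    re.compile(r"(?<![\d.])" + re.escape(u.split("/")[2]) + r"(?![\d.])"): tag
    for u, tag in IOC_URLS.items()
}
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed sample log lines (proxy and file-integrity style); not real telemetry.
SAMPLE_LOGS = [
    '2025-03-14T10:02:11Z proxy src=10.0.0.5 method=GET url="http://103.41.204.104/k.php" status=200',
    "2025-03-14T10:02:13Z fim path=/tmp/k.php sha256=cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a",
    '2025-03-14T10:05:40Z proxy src=10.0.0.5 method=POST url="http://152.36.128.18/cgi-bin/p.cgi" status=200',
    '2025-03-14T10:05:55Z proxy src=10.0.0.7 method=GET url="http://152.36.128.18/cgi-bin/other.cgi" status=404',
    '2025-03-14T10:06:00Z proxy src=10.0.0.9 method=GET url="http://example.com/index.html" status=200',
]


def match_line(line: str) -> List[str]:
    """Return the IoC tags found in one log line, most specific first."""
    hits: List[str] = []
    for digest in SHA256_RE.findall(line.lower()):
        if digest in IOC_HASHES:
            hits.append("hash:" + IOC_HASHES[digest])
    for url, tag in IOC_URLS.items():
        if url in line:
            hits.append("url:" + tag)
    for pattern, tag in IOC_HOSTS.items():
        # Only report the host when the full URL did not already match.
        if pattern.search(line) and "url:" + tag not in hits:
            hits.append("host:" + tag)
    return hits


def scan(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (line, tags) for every line that matches at least one IoC."""
    results = []
    for line in lines:
        tags = match_line(line)
        if tags:
            results.append((line, tags))
    return results


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOGS):
        print(", ".join(tags), "<-", line)
```

The host-level match is deliberately reported as a separate tag: a hit on the distribution or C2 address with a different path still warrants investigation, but it is weaker evidence than the exact URL or a file hash and should be triaged accordingly.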