
Cybersecurity researchers have observed a significant increase in the activity of the complex malware Prometei botnet, which targets Linux servers for cryptocurrency mining and credential theft. This latest wave of attacks, observed since March 2025, showcases the evolving trends of cryptocurrency mining malware and its ongoing threat to global enterprise infrastructure.
Part01
Dual Threat of the Botnet
The Prometei botnet is a dual-threat malware family that includes both Linux and Windows variants, primarily aimed at hijacking computing resources for Monero mining while stealing credentials from the compromised systems. Analysts from Palo Alto Networks discovered this new wave of attacks in March 2025, noting significant improvements in stealth capabilities and operational complexity compared to previous versions.
This botnet operates on a modular architecture, allowing attackers to remotely control infected systems, deploy additional payloads, and maintain persistent access to the compromised networks. The Windows variant was first discovered in July 2020, followed by the Linux version in December 2020, which has continued to evolve to this day.
Part02
Multi-Vector Attack Methods
The malware employs multiple attack vectors, including brute-force credential attacks, exploitation of the infamous EternalBlue vulnerability associated with WannaCry ransomware, and abuse of Server Message Block (SMB) protocol vulnerabilities to move laterally within the target network. This multi-faceted approach allows Prometei to expand its footprint rapidly once it has gained initial access to an organization's systems.
Researchers found that the economic motivation behind Prometei’s operations is quite evident, with no evidence linking the botnet to state actors. Instead, these activities exhibit characteristics typical of profit-driven cybercriminal enterprises, monetizing the compromised infrastructure through cryptocurrency mining while opportunistically collecting valuable credentials for potential reuse or sale on underground markets.
Part03
Advanced Evasion Techniques
The current version employs advanced evasion techniques, including a domain generation algorithm (DGA) to enhance the resilience of its command and control infrastructure, as well as self-updating capabilities that allow the malware to dynamically adapt to security defenses. These improvements make detection and mitigation efforts by traditional security solutions increasingly challenging.
Part04
Technical Infection Mechanisms and Propagation
The latest Prometei variant employs complex propagation and unpacking mechanisms that significantly increase the difficulty of analysis. The malware spreads by sending HTTP GET requests to a specific server, hxxp[://]103.41.204[.]104/k.php?a=x86_64, and obtains a dynamically assigned ParentID through a request parameter on that same k.php endpoint.
Despite the misleading .php extension in the filename, the payload is actually a 64-bit ELF executable specifically targeting Linux systems; the extension is a deliberate obfuscation strategy. The malware uses UPX (Ultimate Packer for eXecutables) compression to reduce file size and increase the difficulty of static analysis. However, this implementation includes a critical modification that prevents standard UPX unpacking tools from functioning properly.
The developer appended a custom JSON configuration tail to the packed executable, which disrupts the UPX tool's ability to locate the metadata it needs for successful unpacking (including the PackHeader and the overlay_offset). This configuration tail contains essential operational parameters that vary between malware versions. Version two supports only basic fields such as config, id, and enckey, while versions three and four add parameters such as ParentId, ParentHostname, ParentIp, and ip, enabling more complex command and control communication and hierarchical botnet management.
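A triage helper for the pattern just described: flag an ELF that carries the UPX PackHeader magic and an appended JSON configuration tail, carve the tail and report which of the version-specific fields it holds. This is an added example, not Unit 42's or Prometei's code; it assumes the field names are spelled exactly as listed above, and the sample bytes are constructed (documentation IP addresses, not real indicators).

```python
import json

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"   # PackHeader magic that stock UPX searches for
TAIL_WINDOW = 4096    # how far back from EOF to look for an appended JSON object
V2_FIELDS = {"config", "id", "enckey"}                              # version 2
V3_PLUS_FIELDS = {"ParentId", "ParentHostname", "ParentIp", "ip"}  # versions 3 and 4

def carve_json_tail(data: bytes):
    """Return (offset, dict) for a JSON object appended at EOF, else None. Walks every
    '{' in the tail window backwards, so a brace inside a string value cannot derail it."""
    stripped = data.rstrip(b"\r\n\t ")
    if not stripped.endswith(b"}"):
        return None
    start = max(0, len(stripped) - TAIL_WINDOW)
    pos = stripped.rfind(b"{", start)
    while pos != -1:
        try:
            obj = json.loads(stripped[pos:].decode("utf-8"))
            if isinstance(obj, dict):
                return pos, obj
        except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
            pass
        pos = stripped.rfind(b"{", start, pos)
    return None

def classify_config(keys) -> str:
    # Map the keys found to the version tiers the article describes
    if set(keys) & V3_PLUS_FIELDS:
        return "v3+ (hierarchical C2 fields present)"
    return "v2 (basic fields only)" if set(keys) & V2_FIELDS else "unknown"

def triage(data: bytes) -> dict:
    """Summarise the indicators a responder wants from one sample."""
    result = {"elf": data.startswith(ELF_MAGIC), "upx_marker": UPX_MAGIC in data,
              "json_tail": None, "overlay_bytes": 0, "version_hint": "n/a"}
    tail = carve_json_tail(data)
    if tail:
        offset, cfg = tail
        result.update(json_tail=cfg, overlay_bytes=len(data) - offset,
                      version_hint=classify_config(cfg))
    result["suspicious"] = result["elf"] and result["upx_marker"] and tail is not None
    return result

# Constructed sample (not a real binary): ELF magic, a fake UPX PackHeader area and
# a config tail using documentation IPs; the '{' inside "enckey" exercises the carver.
SAMPLE = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 57 + b"\x90" * 64
          + UPX_MAGIC + b"\x0d\x16\x00" * 12
          + b'{"ParentId":"0","ParentIp":"203.0.113.5","ip":"198.51.100.7","enckey":"k{1}"}')
```

Run `triage(open(path, "rb").read())` against a suspect file; a hit on all three indicators is a reason to pull the sample for manual unpacking rather than trusting `upx -d`.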
Once successfully deployed, Prometei conducts comprehensive system reconnaissance: it collects processor information from /proc/cpuinfo, obtains motherboard details via `dmidecode --type baseboard`, retrieves operating system details from /etc/os-release or /etc/redhat-release, reads system uptime, and gathers kernel information through `uname -a`. This intelligence gathering allows the malware to tune its mining operations to the available hardware while giving the attackers a detailed map of the infrastructure for potential lateral movement.