Prometei is one of the most persistent and sophisticated botnet threats in circulation today. First identified in 2020—and active since at least 2016—this modular malware continues to evolve rapidly, targeting both Windows and Linux systems across the globe. Originally designed for cryptocurrency mining, Prometei has expanded its capabilities to include credential theft, lateral movement, command execution, and stealthy persistence, making it an adaptable and resilient threat for enterprise environments.
In this episode, we examine the latest developments in Prometei’s operations. Recent updates to the malware include a fully integrated backdoor, self-updating features, dynamic domain generation for command-and-control, and a wide range of evasion techniques to bypass detection. The botnet’s architecture allows operators to deploy new modules at will, giving Prometei flexibility typically seen in nation-state campaigns, though researchers currently attribute its activity to a financially motivated Russian cybercriminal group.
Prometei’s modules enable it to:
- Mine Monero cryptocurrency using compromised CPU and GPU resources
- Steal user credentials from memory and the registry
- Move laterally using exploits like EternalBlue, brute-force attacks, and SMB-based credential reuse
- Maintain persistence through cron jobs, custom services, and scheduled tasks
- Communicate over Tor and I2P networks and use domain generation algorithms for resilient C2 communication
- Deploy web shells and covert Apache services on compromised hosts
- Evade static and dynamic analysis through packing and obfuscation techniques
With more than 10,000 infections observed worldwide since late 2022—and an expanding geographic footprint—Prometei demonstrates how financially driven threat actors are leveraging advanced techniques to maximize profits while evading security defenses. The malware’s continual adaptation makes detection and mitigation a challenge, even for well-defended networks.
This episode offers a deep dive into Prometei’s architecture, capabilities, and evolution. It also covers detection strategies, effective mitigation techniques, and how organizations can strengthen defenses against similar modular threats. For cybersecurity practitioners, threat hunters, and SOC teams, understanding Prometei is essential to improving resilience in today’s threat landscape.
