A significant resurgence of the sophisticated Prometei botnet has been uncovered by many cybersecurity research analysts. This latest malware campaign, which has been observed since March 2025, is actively targeting Linux servers worldwide. The botnet represents a dangerous dual-threat malware family that encompasses both Linux and also Windows system variants. Its primary design is to hijack computational resources for Monero cryptocurrency mining while also stealing system credentials.
The Prometei botnet employs multiple different attack vectors, including brute-force credential attacks to gain initial access.
It is also known for exploiting the notorious EternalBlue vulnerability, which is associated with the WannaCry ransomware. The malware manipulates Server Message Block protocol vulnerabilities to achieve effective lateral movement within many targeted networks. This financially motivated campaign shows characteristics consistent with profit-driven cybercriminal enterprises seeking to monetize compromised company infrastructure.
This current malware iteration incorporates advanced evasion techniques, including a unique domain generation algorithm for its C2 infrastructure. The botnet also has self-updating capabilities that enable the malware to dynamically adapt to many security defenses. The latest Prometei variants employ sophisticated distribution and unpacking mechanisms which significantly complicate most analysis efforts.
Despite its misleading filename, the payload consists of a 64-bit ELF executable designed specifically for Linux systems.
The malware also employs Ultimate Packer for eXecutables, which is also known as UPX, to reduce its file size. The developers, however, have appended a custom configuration JSON trailer to the specially packed executable file. This critical modification prevents standard UPX decompression tools from functioning as they are normally expected to. This configuration trailer contains essential operational parameters that vary between the different released malware versions. Once deployed, Prometei implements comprehensive system reconnaissance to optimize its resource-intensive cryptocurrency mining operations.
