Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Prometei botnet activity has surged since March 2025

Prometei botnet activity has surged since March 2025, with a new malware variant spreading rapidly, Palo Alto Networks reports. Palo Alto Networks warns of a spike in Prometei botnet activity since March 2025, the researchers observed a new variant spreading rapidly. Since March 2025, Prometei botnet is targeting Linux systems for Monero mining and credential […]

Prometei botnet

Prometei botnet activity has surged since March 2025, with a new malware variant spreading rapidly, Palo Alto Networks reports.

Palo Alto Networks warns of a spike in Prometei botnet activity since March 2025, the researchers observed a new variant spreading rapidly.

Since March 2025, Prometei botnet is targeting Linux systems for Monero mining and credential theft. The bot is under active development and uses a modular architecture, domain generation algorithms, and self-updating features to evade detection.

“This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.” reads the report published by Palo Alto Networks. “Prometei is under active development, incorporating new modules and methods into its capabilities. The latest Prometei versions feature a backdoor that enables a variety of malicious activities. “

The malware was first discovered in 2020, it exploits vulnerabilities like EternalBlue and SMB flaws. Prometei spreads via brute-force and deploys multiple payloads, showing strong persistence but no state ties.

Prometei primarily mines Monero but also steals credentials and deploys other malware. Its activity appears financially motivated, with no nation-state ties.

The most recent variant of the bot is distributed via an HTTP GET request, delivering a UPX-packed 64-bit Linux ELF file disguised as a .php script. It uses dynamic ParentID values and randomized configurations. The hosting server, based in Indonesia, runs Apache on Windows. The 2025 versions support UPX compression to obfuscate the malware, which decompresses at runtime to execute its payload.

Prometei’s malware is packed with Ultimate Packer for eXecutables (UPX), but standard unpacking fails due to an appended JSON config trailer. To analyze it statically, analysts must strip this trailer, unpack the sample, then reattach the JSON. This config holds fields like ParentId, ParentIp, and encryption keys.

“The sample contains a subroutine to search for and parse the configuration JSON trailer.” continues the report. “The sample also contains another subroutine responsible for collecting compromised system information. This information includes:

  • Processor information (obtained from /proc/cpuinfo)
  • Motherboard information (obtained using the dmidecode –type baseboard command)
  • Operating system information (obtained from /etc/os-release or /etc/redhat-release)
  • Information about how long the system has been running (obtained using the uptime command)
  • Kernel information (obtained using the uname -a command)”

The Prometei botnet is resurging with evolved evasion techniques. It can be detected using a YARA rule targeting UPX and its config JSON trailer, but defenders must stay vigilant as it continues to adapt.

The report includes Indicators of Compromise (IoCs).

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, malware)