Executive Summary

In March 2025, Unit 42 researchers identified a wave of Prometei attacks. Prometei refers to both the botnet and the malware family used to operate it.

This malware family, which includes both Linux and Windows variants, allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft. This article focuses on the resurgence of the Linux variant.

Prometei is under active development, incorporating new modules and methods into its capabilities. The latest Prometei versions feature a backdoor that enables a variety of malicious activities. Threat actors employ a domain generation algorithm (DGA) for their command-and-control (C2) infrastructure and integrate self-updating features for stealth and evasion.

This article presents a static analysis of Prometei malware versions three and four, highlighting key functional differences from version two.

Palo Alto Networks customers are better protected from the Prometei botnet through our Network Security solutions. These include Advanced WildFire, Advanced Threat Prevention, Advanced URL Filtering and Advanced DNS Security. Coverage can also be provided through our Cortex line of products including Cortex XDR and Cortex XSIAM.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: Cryptominers, Linux

History of the Prometei Botnet

Cybersecurity researchers first identified the Prometei botnet in July 2020, with its Windows version being the primary focus at the time. The Linux version of the botnet was subsequently identified in December 2020. The latest variants of the Prometei Linux botnet, first observed in March 2025, will be discussed in greater detail in this article.

Prometei has a history of exploiting various vulnerabilities. It uses techniques such as brute-forcing credentials, leveraging EternalBlue (the infamous Windows exploit linked to the WannaCry ransomware) and exploiting Server Message Block (SMB) protocol flaws to spread laterally within networks.

Prometei employs a DGA and self-updating features to create resilient and adaptive malware. It uses a DGA to dynamically generate domain names to ensure uninterrupted communication with its C2 infrastructure, even if some domains are blocked. Self-updating capabilities allow the malware to evolve, adapt to security defenses and deliver new payloads, while maintaining stealth and evading detection. Together, these strategies make the malware more persistent and harder to combat.

While its primary goal is cryptocurrency (Monero) mining, Prometei also possesses secondary capabilities, such as stealing credentials and deploying additional malware payloads. We assess that Prometei's operations appear driven by financial gain, and there is no evidence of ties to nation-state actors.

Prometei's architecture is modular, meaning it is built from multiple independent components, each responsible for a specific function. These modules work together to accomplish the botnet's objectives. For example, it has modules for the following activities:

  • Brute-forcing administrator credentials
  • Exploiting vulnerabilities
  • Mining cryptocurrency
  • Stealing data
  • Communicating with C2 servers

This modular design makes Prometei highly adaptable, as individual components can be updated or replaced without affecting the overall botnet functionality. It operates in multiple stages, typically in the following order:

  • Initial Exploitation
  • Payload Delivery
  • Lateral Movement
  • Cryptocurrency Mining
  • Data Stealing
  • C2 Communication

New Activity Timeline

We have been tracking this new wave of Prometei activity since March 2025. Figure 1 presents a timeline depicting the sample count of the Prometei botnet from late March to late April 2025.

[Figure 1 image: bar chart of Prometei sample counts over time, x-axis from late March 2025 to late April 2025]
Figure 1. Timeline of Prometei botnet samples observed.

Technical Analysis

The Prometei botnet malware is distributed via an HTTP GET request to hxxp[://]103.41.204[.]104/k.php?a=x86_64.

A slight variation, hxxp[://]103.41.204[.]104/k.php?a=x86_64,<PARENT_ID> returns the malware sample with an extra ParentID field value populated with the <PARENT_ID> value. This allows the attacker to dynamically assign a ParentID value to the malware sample. Here, <PARENT_ID> is used as a placeholder.

This URL is not restricted by geographic location; it serves the same malware sample file, with a randomized configuration each time. The HTTP response headers indicate that this server is an Apache PHP server running on a Windows platform. The server IPv4 address belongs to the network operated by Infinys Network (Autonomous System Number (ASN): 58397), based in Jakarta, Indonesia.

Later versions of this malware released in March 2025 are packed using Ultimate Packer for eXecutables (UPX). Version two, which was released in 2021, did not use this technique.

UPX is used to compress the executable, making it smaller and potentially more difficult to analyze. The malware itself is a 64-bit Executable and Linkable Format (ELF) file, indicating it is designed to run on Linux-based systems.

Despite the file being named k.php, it is not a PHP script, likely a tactic to further disguise its true nature. In version two, malware authors named the corresponding file uplugplay.

The UPX-packed executable infects compromised systems by decompressing itself in memory during runtime. After decompression, the actual malicious payload is executed, allowing the botnet to begin its operations.

Unpacking Prometei for Static Analysis

Static malware analysis is a process of examining a malware sample without running or executing the file. In this case, because of the way this file is structured, we need to perform some extra operations to unpack this file for analysis. Attempting to use the standard UPX tool's decompression command-line option (i.e., upx -d) to restore the original file for further analysis will not successfully unpack it.

The UPX tool will fail because it relies on specific metadata, including a valid PackHeader and overlay_offset trailer, to identify and decompress UPX-packed files as shown in Figure 2. The presence of a custom configuration JSON trailer appended to the malware disrupts this process, causing the UPX tool to incorrectly determine that the file is not a valid UPX archive.

[Figure 2 image: hex dump of the sample's UPX PackHeader and overlay_offset trailer, with the individual fields highlighted]
Figure 2. Interpretation of the UPX PackHeader and overlay_offset trailer for the sample.

Interpretation (note that bytes are formatted in little-endian order):

  • 55 50 58 21: magic constant
  • 0E: version
  • 16: format
  • 08: method
  • 07: level
  • B8 8F 14 BF: uncompressed Adler-32 checksum
  • 4B 74 01 2A: compressed Adler-32 checksum
  • F0 08 13 00: uncompressed length
  • C4 A6 06 00: compressed length
  • F0 08 13 00: original file size
  • 49: filter id
  • 22: filter_cto
  • 00: filter_misc / n_mru
  • 4B: header checksum
  • F4 00 00 00: overlay_offset

The configuration JSON trailer must be stripped before using the UPX tool to unpack the sample file for analysis. After unpacking, the configuration JSON must be re-attached to the sample file for the malware to use those values during execution.

The sample contains a subroutine to search for and parse the configuration JSON trailer. Table 1 below compares the supported fields in versions two, three and four.

Field             Version 2   Versions 3 and 4
config            yes         yes
id                yes         yes
enckey            yes         yes
ParentId          -           yes
ParentHostname    -           yes
ParentIp          -           yes
ip                -           yes

Table 1. Comparison of supported fields in the configuration JSON trailer between version two, and versions three and four.
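As an added example (not code from Unit 42, and not the malware's own code), the following Python script carries out the trailer handling described above: it decodes the 36-byte UPX PackHeader and overlay_offset trailer using the field layout and byte values listed under Figure 2, verifies the header checksum with UPX's own scheme (the sum of the header bytes after the magic, modulo 251, as implemented in the UPX source), splits off whatever is appended after the trailer, parses that appended data as the configuration JSON and matches its field set against Table 1, and re-attaches it around an `upx -d` run. The packed body and all JSON values are constructed placeholders; only the trailer bytes come from the article.

```python
import json
import shutil
import struct
import subprocess
from pathlib import Path

UPX_MAGIC = b"UPX!"
# 32-byte PackHeader (little-endian, field order as in the Figure 2 interpretation)
# followed by a 4-byte overlay_offset: 36 trailer bytes in total.
PACKHEADER_FMT = "<4sBBBBIIIIIBBBB"
PACKHEADER_LEN = struct.calcsize(PACKHEADER_FMT)  # 32
TRAILER_LEN = PACKHEADER_LEN + 4                  # 36
FIELDS = ("magic", "version", "format", "method", "level", "u_adler", "c_adler",
          "u_len", "c_len", "u_file_size", "filter", "filter_cto", "n_mru", "checksum")

# Trailer bytes exactly as the article lists them for the sample.
SAMPLE_TRAILER = bytes.fromhex(
    "55505821" "0E" "16" "08" "07" "B88F14BF" "4B74012A"
    "F0081300" "C4A60600" "F0081300" "49" "22" "00" "4B" "F4000000"
)
# Constructed stand-ins (not from any real sample): a fake packed body and a JSON
# trailer using the version 3/4 field names from Table 1 with placeholder values.
CONSTRUCTED_JSON = (b'{"config":"<placeholder>","id":"<placeholder-id>","enckey":"<placeholder-key>",'
                    b'"ParentId":"0","ParentHostname":"","ParentIp":"","ip":""}')
CONSTRUCTED_FILE = b"\x7fELF" + b"\x00" * 64 + SAMPLE_TRAILER + CONSTRUCTED_JSON


def packheader_checksum(trailer: bytes) -> int:
    """UPX's header checksum: the sum of the header bytes after the 4-byte magic,
    excluding the checksum byte itself, modulo 251 (as in the UPX source)."""
    return sum(trailer[4:PACKHEADER_LEN - 1]) % 251


def parse_packheader(trailer: bytes) -> dict:
    """Decode the 36-byte trailer into named fields; validate magic and checksum."""
    hdr = dict(zip(FIELDS, struct.unpack(PACKHEADER_FMT, trailer[:PACKHEADER_LEN])))
    if hdr["magic"] != UPX_MAGIC:
        raise ValueError("not a UPX PackHeader")
    hdr["overlay_offset"] = struct.unpack("<I", trailer[PACKHEADER_LEN:TRAILER_LEN])[0]
    hdr["checksum_ok"] = packheader_checksum(trailer) == hdr["checksum"]
    return hdr


def split_upx_trailer(data: bytes):
    """Locate the last PackHeader whose checksum validates and return
    (bytes upx can process, bytes appended after the trailer, parsed header)."""
    pos = len(data)
    while True:
        pos = data.rfind(UPX_MAGIC, 0, pos)
        if pos < 0:
            raise ValueError("no valid UPX trailer found")
        if pos + TRAILER_LEN <= len(data):
            hdr = parse_packheader(data[pos:pos + TRAILER_LEN])
            if hdr["checksum_ok"]:
                end = pos + TRAILER_LEN
                return data[:end], data[end:], hdr


def parse_config_trailer(appended: bytes) -> dict:
    """Parse the JSON configuration trailer and match its field set against Table 1."""
    cfg = json.loads(appended.decode("utf-8").strip("\x00\r\n "))
    if not isinstance(cfg, dict):
        raise ValueError("trailer is not a JSON object")
    v2 = {"config", "id", "enckey"}
    v34 = v2 | {"ParentId", "ParentHostname", "ParentIp", "ip"}
    keys = set(cfg)
    if keys == v2:
        hint = "v2-style"
    elif v2 <= keys <= v34:
        hint = "v3/v4-style"
    else:
        hint = "unknown"
    return {"fields": cfg, "version_hint": hint}


def looks_like_prometei(data: bytes) -> bool:
    """Static check in the spirit of the UPX-plus-JSON-trailer detection: a valid UPX
    trailer directly followed by a JSON object with one of the known field sets."""
    try:
        _, appended, _ = split_upx_trailer(data)
        return parse_config_trailer(appended)["version_hint"] != "unknown"
    except (ValueError, UnicodeDecodeError):
        return False


def unpack_with_upx(packed: Path, out: Path) -> bytes:
    """Strip the JSON trailer, run `upx -d` on the rest, then re-attach the trailer
    so the unpacked sample still carries the configuration it reads at runtime."""
    if shutil.which("upx") is None:
        raise RuntimeError("upx is not installed")
    upx_part, appended, _ = split_upx_trailer(packed.read_bytes())
    out.write_bytes(upx_part)
    subprocess.run(["upx", "-d", "-q", str(out)], check=True)
    unpacked = out.read_bytes() + appended
    out.write_bytes(unpacked)
    return unpacked


if __name__ == "__main__":
    print(parse_packheader(SAMPLE_TRAILER))
    print(parse_config_trailer(split_upx_trailer(CONSTRUCTED_FILE)[1]))
```

`unpack_with_upx` needs the `upx` binary on the PATH; the other functions run offline. Splitting on the last checksum-valid PackHeader, rather than on the last occurrence of the `UPX!` magic alone, is what keeps the split correct if the appended data happens to contain the magic string, and the same check is what lets `looks_like_prometei` ignore ordinary UPX binaries that merely have junk after the trailer.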

The sample also contains another subroutine responsible for collecting compromised system information. This information includes:

  • Processor information (obtained from /proc/cpuinfo)
  • Motherboard information (obtained using the dmidecode --type baseboard command)
  • Operating system information (obtained from /etc/os-release or /etc/redhat-release)
  • Information about how long the system has been running (obtained using the uptime command)
  • Kernel information (obtained using the uname -a command)

The collected system information is submitted via HTTP GET to the C2 server at hxxp://152.36.128[.]18/cgi-bin/p.cgi.
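The two URLs named in this section give a network defender something concrete to look for. The following Python script, an added example and not part of the Unit 42 article, runs constructed proxy log lines (made up for this example, not real traffic) against those indicators: it flags fetches of `k.php`, extracts the optional `<PARENT_ID>` value after the comma in `a=x86_64,<PARENT_ID>`, flags check-ins to `/cgi-bin/p.cgi`, and then correlates clients that did both, which is the sequence a freshly infected host would produce. The log line format is an assumption chosen for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicators from the article's IoC list: host -> {path: purpose}.
PROMETEI_INDICATORS = {
    "103.41.204.104": {"/k.php": "malware distribution"},
    "152.36.128.18": {"/cgi-bin/p.cgi": "C2 system-information check-in"},
}

# Constructed proxy log lines (timestamp, client, method, URL, status); not real traffic.
CONSTRUCTED_LOG = """\
2025-04-02T10:14:03Z 10.0.0.15 GET http://103.41.204.104/k.php?a=x86_64 200
2025-04-02T10:14:09Z 10.0.0.15 GET http://152.36.128.18/cgi-bin/p.cgi 200
2025-04-02T10:15:00Z 10.0.0.22 GET http://example.com/index.html 200
2025-04-02T10:16:41Z 10.0.0.31 GET http://103.41.204.104/k.php?a=x86_64,EXAMPLEPARENT 200
2025-04-02T10:17:02Z 10.0.0.31 GET http://152.36.128.18/other.html 404
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def classify_request(url: str):
    """Return (purpose, parent_id) when the URL matches a Prometei indicator, else None.
    parent_id is the optional value after the comma in k.php?a=x86_64,<PARENT_ID>."""
    parts = urlsplit(url)
    paths = PROMETEI_INDICATORS.get(parts.hostname or "")
    if not paths:
        return None
    purpose = paths.get(parts.path)
    if purpose is None:
        # Known host but a path not in the IoC list: still worth triage, flag as host-only.
        return "contact with known Prometei host", None
    parent_id = None
    if parts.path == "/k.php":
        arch_param = parse_qs(parts.query).get("a", [""])[0]
        _, _, parent_id = arch_param.partition(",")
        parent_id = parent_id or None
    return purpose, parent_id


def scan_log(text: str) -> list:
    """Run every well-formed log line through classify_request and collect the hits."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        verdict = classify_request(url)
        if verdict:
            purpose, parent_id = verdict
            hits.append({"time": ts, "client": client, "purpose": purpose,
                         "parent_id": parent_id, "url": url})
    return hits


def infected_hosts(hits: list) -> list:
    """Clients seen both downloading k.php and checking in to the C2 are the
    highest-confidence infections; host-only contacts are left for manual triage."""
    needed = {"malware distribution", "C2 system-information check-in"}
    by_client = {}
    for h in hits:
        by_client.setdefault(h["client"], set()).add(h["purpose"])
    return sorted(c for c, purposes in by_client.items() if needed <= purposes)


if __name__ == "__main__":
    found = scan_log(CONSTRUCTED_LOG)
    for h in found:
        print(h["time"], h["client"], h["purpose"], h["parent_id"] or "-", h["url"])
    print("likely infected:", infected_hosts(found))
```

The host-only verdict exists because the article describes the distribution server as returning a randomized configuration on every request and the C2 as a CGI endpoint, so other paths on the same hosts may appear as the infrastructure changes; matching on the IP first and the path second keeps those contacts visible without over-claiming an infection from a single request.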

For a more comprehensive understanding of the Prometei botnet and its evolution, you can read the 2021 article IoT Malware Journals: Prometei (Linux). A more recent article, Communication with a Prometei C2, provides a detailed analysis of its newer capabilities.

Conclusion

This research has detailed the resurgence of the Prometei botnet, highlighting its continued evolution and the techniques it employs to evade detection. The new version of the Prometei botnet malware family can be detected with a YARA rule that identifies UPX and the configuration JSON trailer, a detection method that is likely to remain effective. However, as Prometei continues to evolve, security teams must remain vigilant and proactively adapt their defenses.

Palo Alto Networks Protection and Mitigation

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

  • The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.
  • Advanced Threat Prevention has an inbuilt machine learning-based detection that can detect exploits in real time.
  • Cortex XDR and XSIAM are designed to prevent the execution of known malicious malware, and also prevent the execution of unknown malware using Behavioral Threat Protection and machine learning based on the Local Analysis module.
  • Advanced URL Filtering and Advanced DNS Security identify known domains and URLs associated with this activity as malicious.

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
  • UK: +44.20.3743.3660
  • Europe and Middle East: +31.20.299.3130
  • Asia: +65.6983.8730
  • Japan: +81.50.1790.0200
  • Australia: +61.2.4062.7950
  • India: 00080005045107

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Malware samples

Version SHA-256 Hash
v2.87X 46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c
v3.05L cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a
v4.02V 205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867
v4.02V 656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef
v4.02V 67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0
v4.02V 7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff
v4.02V 87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e
v4.02V b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708
v4.02V d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7
v4.08V d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531

URLs

Purpose URL
Malware distribution hxxp://103.41.204[.]104/k.php
C2 hxxp://152.36.128[.]18/cgi-bin/p.cgi
