
In March 2025, researchers at Palo Alto Networks' Unit 42 uncovered a resurgence of the Prometei botnet, a modular malware system first identified in 2020. Prometei has historically targeted Windows systems; the latest wave reintroduces a stealthier, more capable Linux variant built for Monero cryptocurrency mining, credential theft, and quiet lateral movement.
Prometei refers to both a botnet and its associated malware family. Active since July 2020, the botnet has evolved from a straightforward Monero miner to a multi-stage, cross-platform threat featuring advanced persistence, exploitation, and reconnaissance capabilities.
According to Unit 42:
“This malware family… allows attackers to remotely control compromised systems for cryptocurrency mining (particularly Monero) and credential theft.”
Prometei’s architecture is modular, with distinct components responsible for specific tasks such as:
- Brute-forcing administrator credentials
- Exploiting vulnerabilities (e.g., SMB flaws such as the one targeted by EternalBlue)
- Mining Monero
- Stealing system and user credentials
- Communicating with its C2 infrastructure via a domain generation algorithm (DGA)
Its DGA and self-updating features help it survive takedowns and adapt quickly to defensive changes:
“Prometei employs a DGA and self-updating features to create resilient and adaptive malware.”
The latest samples, versions 3 and 4, differ significantly from version 2 (last seen in 2021):
- Distributed as UPX-packed ELF executables disguised as k.php
- Use a custom JSON trailer appended to the binary for configuration
- Employ dynamic C2 assignment via ParentID, ParentHostname, and ParentIp values
Notably, the samples cannot be unpacked with the stock UPX tool. The compression itself is unchanged; what breaks the tool is the JSON configuration appended after the UPX data, which confuses UPX's check for a packed file:
“The presence of a custom configuration JSON trailer appended to the malware disrupts this process… causing the UPX tool to incorrectly determine that the file is not a valid UPX archive.”
The botnet fingerprints infected Linux machines by reading procfs and running standard utilities, for example:
- /proc/cpuinfo (CPU details, read directly from procfs)
- dmidecode --type baseboard (motherboard vendor and model)
- uname -a (kernel version and architecture)
- uptime (how long the host has been running)
All of this is exfiltrated via HTTP GET to the C2 server at:
Prometei samples are distributed via:
The infrastructure is hosted by Infinys Network (ASN 58397) in Jakarta, Indonesia.
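The fingerprinting commands above are ordinary admin tools, so none of them is suspicious on its own; what stands out is all of them running in a burst under one parent process. The following is an added hunting example (not Unit 42's tooling or any vendor rule) that groups such actions by host and parent PID and alerts when enough distinct ones land inside a short window. The log format, the window size and the sample log lines are constructed for the demo.

```python
"""Hunt for the Prometei-style host fingerprinting burst in process/file-access logs.
Constructed example with a made-up log format; not Unit 42's tooling or a vendor rule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands named in the write-up. /proc/cpuinfo is a file read, not an exec, so it is
# matched from an open-type record (assumption about what the sensor emits).
RECON_EXEC = {
    "dmidecode": re.compile(r"^dmidecode\s+--type\s+baseboard\b"),
    "uname": re.compile(r"^uname\s+-a\b"),
    "uptime": re.compile(r"^uptime\b"),
}
WINDOW = timedelta(seconds=120)   # burst window; tune to your environment
MIN_KINDS = 3                     # distinct fingerprinting actions needed to alert

# Hypothetical one-line-per-event format (constructed for the demo).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) type=(?P<type>exec|open) (?P<rest>.*)$'
)


def parse_event(line: str):
    """Return (ts, host, ppid, kind) for a fingerprinting action, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    value = m["rest"].split("=", 1)[1].strip('"')   # args="..." or path="..."
    if m["type"] == "exec":
        for kind, rx in RECON_EXEC.items():
            if rx.match(value):
                return ts, m["host"], int(m["ppid"]), kind
    elif value == "/proc/cpuinfo":
        return ts, m["host"], int(m["ppid"]), "cpuinfo"
    return None


def find_recon_bursts(lines):
    """Group fingerprinting actions by (host, parent pid); alert when MIN_KINDS distinct
    actions fall inside WINDOW. One alert per (host, ppid), at the first qualifying window."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            ts, host, ppid, kind = ev
            by_parent[(host, ppid)].append((ts, kind))
    alerts = []
    for (host, ppid), events in by_parent.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            kinds = {k for t, k in events[i:] if t - t0 <= WINDOW}
            if len(kinds) >= MIN_KINDS:
                alerts.append({"host": host, "ppid": ppid,
                               "first_seen": t0.isoformat(), "actions": sorted(kinds)})
                break
    return alerts


# Constructed log lines: one infected-looking burst, one lone uname, one slow admin session.
SAMPLE_LOG = [
    '2025-03-11T09:14:07Z host=web-7 ppid=3120 type=exec args="uname -a"',
    '2025-03-11T09:14:02Z host=web-7 ppid=3120 type=open path="/proc/cpuinfo"',
    '2025-03-11T09:14:05Z host=web-7 ppid=3120 type=exec args="dmidecode --type baseboard"',
    '2025-03-11T09:14:09Z host=web-7 ppid=3120 type=exec args="uptime"',
    '2025-03-11T09:14:11Z host=web-7 ppid=3120 type=exec args="ls -la /tmp"',
    '2025-03-11T09:20:00Z host=db-2 ppid=991 type=exec args="uname -a"',
    '2025-03-11T09:00:00Z host=ops-1 ppid=55 type=exec args="uname -a"',
    '2025-03-11T09:10:00Z host=ops-1 ppid=55 type=exec args="uptime"',
    'garbage line the parser should skip',
]

if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_LOG):
        print(alert)
```

Only the web-7 burst fires; the lone uname on db-2 and the admin session on ops-1 (two commands ten minutes apart) do not. Treat a hit as a lead to pivot on, for example into outbound HTTP from the same parent or a miner process, rather than as a conviction on its own.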
Despite the k.php file extension, the payload is not a PHP script—another layer of deception.
“Despite the file being named k.php, it is not a PHP script, likely a tactic to further disguise its true nature.”
Unit 42’s researchers highlight the complexity of analyzing recent Prometei samples. Before analysis, the malware must be:
- Stripped of the JSON trailer
- Unpacked using custom methods
- Re-attached with its original trailer for execution testing
This process highlights the malware’s growing sophistication, combining traditional compression with bespoke anti-analysis techniques.
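The strip, unpack and re-attach procedure above, together with the trailer-breaks-UPX point from earlier, as an added example that is not Unit 42's or the malware's code. It locates the JSON trailer as the shortest suffix of the file that parses as one complete JSON object, checks that what remains looks like a UPX-packed ELF (ELF magic at the front, the "UPX!" pack-header magic in the tail), pulls the ParentID/ParentHostname/ParentIp values the page mentions, and re-joins the trailer afterwards. The 4 KiB tail search, the 1 MiB trailer limit, the fake sample bytes and the trailer values are all assumptions made for the demo; the optional `unpack_with_upx` helper shells out to a real `upx -d` and is not exercised by the demo.

```python
"""Split a Prometei-style sample into its UPX-packed ELF and the JSON trailer,
check the stripped binary looks like something `upx -d` can handle, and re-join
the pieces afterwards. Constructed example; not Unit 42's or the malware's code."""
import json
import shutil
import subprocess
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
UPX_MAGIC = b"UPX!"      # magic of UPX's pack header, which sits near the end of a packed file
TAIL_SEARCH = 4096       # how far from the end we look for that magic (our choice, not UPX's limit)
MAX_TRAILER = 1 << 20    # give up if no JSON object is found within the last 1 MiB (assumption)


def split_trailer(data: bytes):
    """Return (packed_elf, trailer_dict_or_None, raw_trailer_bytes).

    Heuristic: the trailer is the shortest suffix of the file that parses as one
    complete JSON object. Walking backwards over '{' candidates and stopping at the
    first full parse skips nested objects, because json.loads raises 'Extra data'
    when bytes follow their closing brace.
    """
    end = len(data.rstrip(b"\r\n\t "))          # tolerate whitespace after the JSON
    if end == 0 or data[end - 1:end] != b"}":
        return data, None, b""
    floor = max(0, end - MAX_TRAILER)
    pos = data.rfind(b"{", floor, end)
    while pos != -1:
        try:
            obj = json.loads(data[pos:end].decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            obj = None
        if isinstance(obj, dict):
            return data[:pos], obj, data[pos:]
        pos = data.rfind(b"{", floor, pos)
    return data, None, b""


def looks_upx_packed(data: bytes) -> bool:
    """Sanity check before calling upx: ELF at the front, UPX pack-header magic in the tail."""
    return data.startswith(ELF_MAGIC) and UPX_MAGIC in data[-TAIL_SEARCH:]


def c2_fields(trailer: dict) -> dict:
    """Pull the parent-node values the write-up says drive dynamic C2 assignment."""
    return {k: trailer.get(k) for k in ("ParentID", "ParentHostname", "ParentIp")}


def reattach(unpacked: bytes, raw_trailer: bytes) -> bytes:
    """Re-append the original trailer so the unpacked sample keeps its config when detonated."""
    return unpacked + raw_trailer


def unpack_with_upx(packed: bytes) -> bytes:
    """Run the stock `upx -d` on the stripped binary (needs upx on PATH; not used by the demo)."""
    if shutil.which("upx") is None:
        raise FileNotFoundError("upx not found on PATH")
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "stripped.bin"
        path.write_bytes(packed)
        subprocess.run(["upx", "-d", "-q", str(path)], check=True, capture_output=True)
        return path.read_bytes()


# Constructed stand-in for a sample: fake ELF header, filler, a fake UPX pack-header
# tail, then a JSON trailer with a nested object. Values are made up for the demo.
FAKE_PACKED = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 64 + UPX_MAGIC + b"\x0d\x0c\x02\x08" + b"\x00" * 28
FAKE_TRAILER = json.dumps({
    "ParentID": "1b2c3d",
    "ParentHostname": "node-a.example",
    "ParentIp": "192.0.2.10",
    "Extra": {"Nested": True},
}).encode() + b"\n"
FAKE_SAMPLE = FAKE_PACKED + FAKE_TRAILER


def analyze(sample: bytes) -> dict:
    """Strip, sanity-check and re-join; returns a summary dict for inspection or assertions."""
    packed, trailer, raw = split_trailer(sample)
    return {
        "has_trailer": trailer is not None,
        "trailer_len": len(raw),
        "packed_looks_upx": looks_upx_packed(packed),
        "c2": c2_fields(trailer) if trailer else None,
        "roundtrip_ok": reattach(packed, raw) == sample,
    }


if __name__ == "__main__":
    print(analyze(FAKE_SAMPLE))
```

In practice you would write the `packed` bytes out, run `upx -d` (or `unpack_with_upx`) on that file, confirm it now parses as a normal ELF, and only then append `raw` back with `reattach` before detonating in a sandbox so the sample still finds its configuration.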
While Prometei demonstrates APT-like sophistication, Unit 42 finds no links to nation-state operations. The botnet remains financially motivated, focused primarily on Monero mining and possibly selling harvested credentials.
“We assess that Prometei’s operations appear driven by financial gain, and there is no evidence of ties to nation-state actors.”