Prowli malware infected 40,000 Web servers, modems, & IoT devices

Do Son June 8, 2018 3 minutes read

The security team of GuardiCore, an Israeli cybersecurity company, discovered that cybercriminals have built a large botnet, Prowli, of more than 40,000 infected web servers, modems and other Internet of Things (IoT) devices. The Prowli operators exploit vulnerabilities and run brute-force attacks to compromise and control devices. More than 9,000 companies are affected, mainly located in China, Russia, the United States and other countries.

Prowli malware is used for cryptocurrency mining and for redirecting users to malicious sites. It is a diverse operation that relies on brute-force attacks and vulnerability exploits to infect and take over devices. The servers and devices known to have been infected by Prowli in recent months are as follows:

  • WordPress sites (via several exploits and admin-panel brute-force attacks)
  • Joomla! sites running the K2 extension (via CVE-2018-7482)
  • Several models of DSL modems (via a well-known vulnerability)
  • Servers running HP Data Protector (via CVE-2014-2623)
  • Drupal and phpMyAdmin installations, NFS boxes, and servers with exposed SMB ports (all via brute-force credential guessing)

In addition, Prowli’s operators ran an SSH scanner module that tried to guess usernames and passwords on devices with an exposed SSH port.

Image: guardicore

Once a server or IoT device has been compromised, the Prowli operators determine whether the equipment is suitable for mining. After confirmation, they infect it with a Monero mining program and the R2R2 worm. The R2R2 worm performs SSH brute-force attacks from the hacked devices and helps the Prowli botnet grow further.
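As an added, defender-side example (not from GuardiCore’s report or the original article): a small Python check that flags the kind of SSH password guessing that the Prowli SSH scanner and the R2R2 worm rely on, run over constructed sshd log lines. The source addresses and usernames are made-up sample values; the thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# OpenSSH "Failed password" line, with or without the "invalid user" prefix
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

def detect_ssh_bruteforce(lines, threshold=5, min_users=3):
    """Return {ip: {"attempts": n, "users": [...]}} for sources whose failed
    logins reach `threshold`, or that cycled through `min_users` distinct
    usernames. A password-guessing worm walks a username list from one
    source; a person who mistypes a password usually does not."""
    attempts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if not m:
            continue
        attempts[m["ip"]] += 1
        users[m["ip"]].add(m["user"])
    flagged = {}
    for ip, n in attempts.items():
        if n >= threshold or len(users[ip]) >= min_users:
            flagged[ip] = {"attempts": n, "users": sorted(users[ip])}
    return flagged

# Constructed sample log (hypothetical addresses from documentation ranges)
SAMPLE_LOG = """\
Jun  8 10:01:02 host sshd[2301]: Failed password for root from 203.0.113.5 port 40122 ssh2
Jun  8 10:01:03 host sshd[2302]: Failed password for invalid user admin from 203.0.113.5 port 40123 ssh2
Jun  8 10:01:03 host sshd[2303]: Failed password for invalid user pi from 203.0.113.5 port 40124 ssh2
Jun  8 10:01:04 host sshd[2304]: Failed password for invalid user ubnt from 203.0.113.5 port 40125 ssh2
Jun  8 10:01:05 host sshd[2305]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jun  8 10:02:10 host sshd[2310]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jun  8 10:02:15 host sshd[2311]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, users tried: {', '.join(info['users'])}")
```

On a real host, feed it `/var/log/auth.log` (or `journalctl -u ssh`) and forward the flagged sources to your SIEM or firewall blocklist.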

In addition, CMS platforms running websites were infected with a backdoor (the WSO web shell). The attacker modifies the compromised website through the WSO web shell, hosting malicious code that redirects some of the site’s visitors to a traffic distribution system (TDS). The TDS then rents the hijacked traffic to other attackers and redirects users to various malicious websites, such as fake technical-support sites and fake update sites.

GuardiCore stated that the TDS used by the attacker is EITest (also known as ROI777). In March 2018, ROI777 was hacked; after some of its data was leaked to the Internet, the system was shut down in April. Despite this, the Prowli botnet’s activity does not seem to have slowed.

According to the researchers, the attackers carefully designed and optimized the entire operation. Prowli malware infected more than 4,000 companies and more than 40,000 servers and devices, then used these devices to make money; its victims are spread worldwide.

GuardiCore published Prowli’s indicators of compromise (IoCs) and other details in its report, which system administrators can use to check their IT networks for signs of compromise.

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.
