Linux Servers Exploited by Prometei Botnet for Cryptocurrency Mining

Security researchers from Palo Alto Networks’ Unit 42 identified a significant increase in attacks targeting Linux servers using newly evolved variants of the Prometei botnet.

Originally detected in 2020, Prometei has expanded far beyond its initial Windows focus and now employs sophisticated methods to compromise Linux environments, primarily for illicit Monero (XMR) mining and credential theft.

Infection Chain

Prometei’s Linux branch reflects ongoing and active development, establishing it as a formidable, multipurpose modular threat.

The malware is distributed primarily via HTTP GET requests to attacker-controlled infrastructure, specifically hxxp://103.41.204[.]104/k.php?a=x86_64.

The distributed executable, misleadingly named with a .php extension, is not a PHP script but a UPX-packed 64-bit ELF binary designed for stealth and anti-analysis.

[Figure: Interpretation of the UPX PackHeader and overlay_offset trailer for the sample.]

This packing technique, present in versions released since March 2025, impedes standard forensic unpacking by embedding custom JSON configuration trailers.

Upon execution, the malware decompresses itself in memory, launches the real payload, and begins system profiling.

Prometei harvests processor, motherboard, OS, uptime, and kernel details using typical Linux utilities (/proc/cpuinfo, dmidecode, /etc/os-release, uname -a).

This data is exfiltrated to its command and control (C2) endpoint at hxxp://152.36.128[.]18/cgi-bin/p.cgi.
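The two URLs named above (the distribution server at k.php and the C2 endpoint at cgi-bin/p.cgi) are the network indicators a defender can act on immediately. The following Python script is an added example, not code from the article or from Unit 42: it takes the article's two defanged indicators, re-fangs them, and sweeps a proxy log for clients that contacted either the exact URL or, at lower confidence, the same IP address. The log format (combined-log style with an absolute request URL, as a forward proxy would write), the client addresses and the timestamps are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the article (defanged). Everything else
# in this block (log format, sample lines, client IPs, timestamps) is constructed.
IOCS = {
    "hxxp://103.41.204[.]104/k.php": "Malware distribution",
    "hxxp://152.36.128[.]18/cgi-bin/p.cgi": "C2 server",
}


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp://, [.]) back into a real URL for matching."""
    return ioc.replace("hxxp://", "http://").replace("[.]", ".")


# Two lookup tiers: exact (host, path) for high confidence, host-only for "any
# contact with that address". Query strings such as ?a=x86_64 are ignored.
IOC_BY_HOST_PATH = {}
IOC_BY_HOST = {}
for _defanged, _desc in IOCS.items():
    _parts = urlsplit(refang(_defanged))
    IOC_BY_HOST_PATH[(_parts.hostname, _parts.path)] = _desc
    IOC_BY_HOST[_parts.hostname] = _desc

# Combined-log-style proxy line: client, identd, user, [timestamp], "request", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def scan_proxy_log(lines):
    """Return one hit per log line whose destination matches an indicator.
    'match' is 'url' for an exact host+path match and 'host' when only the
    IP matches (lower confidence, but still worth triage for a C2 address)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        parts = urlsplit(m["url"])
        desc = IOC_BY_HOST_PATH.get((parts.hostname, parts.path))
        match = "url"
        if desc is None:
            desc = IOC_BY_HOST.get(parts.hostname)
            match = "host"
        if desc is None:
            continue
        hits.append({
            "client": m["client"],
            "timestamp": m["ts"],
            "method": m["method"],
            "url": m["url"],
            "status": int(m["status"]),
            "description": desc,
            "match": match,
        })
    return hits


def affected_clients(hits):
    """Distinct internal hosts that touched any indicator, for follow-up."""
    return sorted({h["client"] for h in hits})


# Constructed log excerpt: the first and third lines reproduce the article's
# two URLs; the last line contacts the distribution IP but a different path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:10:03:11 +0000] "GET http://103.41.204.104/k.php?a=x86_64 HTTP/1.1" 200 512000',
    '10.0.0.9 - - [01/Jan/2025:10:03:25 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 1234',
    '10.0.0.5 - - [01/Jan/2025:10:03:40 +0000] "POST http://152.36.128.18/cgi-bin/p.cgi HTTP/1.1" 200 77',
    '10.0.0.7 - - [01/Jan/2025:10:05:30 +0000] "GET http://103.41.204.104/other.html HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["client"]} {h["timestamp"]} {h["match"]:4} {h["description"]}: {h["url"]}')
    print("clients to investigate:", affected_clients(found))
```

The host-only tier matters for the C2 address in particular: the cgi-bin path may change between builds, but an internal host talking to that IP at all is still worth a look. Feed the script real proxy lines (one string per line) in place of SAMPLE_LOG.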

Threat Capabilities

Prometei deploys a variety of modules to fulfill its core objectives:

  • Initial Exploitation: Brute-forcing administrator credentials and exploiting known vulnerabilities in protocols such as SMB.
  • Payload Delivery & Lateral Movement: Self-propagation through networked Linux and Windows systems.
  • Cryptomining: Leveraging infected host resources for Monero mining.
  • Credential Theft & Data Exfiltration: Harvesting sensitive information and maintaining secure remote access.

A notable architectural feature is Prometei’s use of a domain generation algorithm (DGA), ensuring resiliency for its C2 communications even if domains are blocklisted.

Crucially, the malware is self-updating, capable of replacing or augmenting its modules on infected systems without requiring a new infection chain, which substantially increases its persistence and adaptability.

Prometei’s adaptations, including anti-forensic UPX packing and dynamic configuration, make detection challenging.

However, updated behavioral analytics and signature-based detection, such as YARA rules identifying UPX-packed Linux binaries with appended JSON, remain effective.
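The detection idea above, and the sample description earlier in the article (a UPX-packed 64-bit ELF served under a .php name with a custom JSON configuration trailer appended after the packer's footer), reduce to three file-level conditions: ELF magic, UPX marker present, JSON object at the tail. The Python triage helper below is an added example, not code from the article or from Unit 42, and it encodes those same three conditions in the way a YARA rule would. It assumes the appended configuration is a single UTF-8 JSON object; the exact key names Unit 42 saw are not given in the article, so the sample bytes built here are entirely constructed and are not a Prometei binary.

```python
import json

# ELF magic and the marker string UPX leaves in files it packs.
ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"


def find_json_trailer(data: bytes):
    """Return (offset, object) for a JSON object that ends at the tail of the
    file, or None. Walks backwards from the last '}' trying each earlier '{'
    so nested objects still parse. Assumption: one UTF-8 JSON object."""
    end = data.rfind(b"}")
    if end == -1:
        return None
    start = data.rfind(b"{", 0, end)
    while start != -1:
        try:
            return start, json.loads(data[start:end + 1].decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            start = data.rfind(b"{", 0, start)   # binary noise; try the next '{' back
    return None


def inspect_sample(data: bytes) -> dict:
    """Heuristic triage: is this an ELF, is it UPX-packed, does it carry an
    appended JSON trailer? 'flagged' is True only when all three hold."""
    trailer = find_json_trailer(data)
    findings = {
        "is_elf": data[:4] == ELF_MAGIC,
        "is_64bit": len(data) > 4 and data[4] == 2,          # e_ident[EI_CLASS] == ELFCLASS64
        "upx_marker_count": data.count(UPX_MARKER),
        "json_trailer_offset": trailer[0] if trailer else None,
        "json_trailer": trailer[1] if trailer else None,
    }
    findings["flagged"] = bool(
        findings["is_elf"]
        and findings["upx_marker_count"] > 0
        and findings["json_trailer"] is not None
    )
    return findings


def build_constructed_sample() -> bytes:
    """A made-up byte image showing all three traits. NOT a real sample: the
    body is zero padding, not a working executable."""
    ident = ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 9        # e_ident: 64-bit, little-endian, v1
    fake_body = ident + b"\x00" * 48 + UPX_MARKER + b"\x00" * 200 + UPX_MARKER
    trailer = json.dumps({"overlay_offset": len(fake_body), "note": "constructed"})
    return fake_body + trailer.encode("utf-8") + b"\n"


def build_plain_elf() -> bytes:
    """A made-up unpacked ELF image with no trailer, for contrast."""
    return ELF_MAGIC + bytes([2, 1, 1]) + b"\x00" * 300


if __name__ == "__main__":
    for name, blob in (("constructed-packed", build_constructed_sample()),
                       ("constructed-plain", build_plain_elf())):
        print(name, inspect_sample(blob))
```

To run it over real files, read each candidate with open(path, "rb").read() and pass the bytes to inspect_sample; an unpacked ELF, or a packed one without the appended JSON, comes back with flagged False, so the JSON trailer is what separates this family's recent builds from ordinary UPX-packed software.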

Security teams are urged to maintain vigilance and ensure robust endpoint and network defense postures, focusing on anomaly detection and rapid response.

Palo Alto Networks has responded by deploying updated threat intelligence and protections across its Cortex XDR, XSIAM, Advanced WildFire, and network security solutions.

The international security community, coordinated via the Cyber Threat Alliance, has been notified so that it can ensure swift global disruption of the botnet’s infrastructure.

Security teams and administrators are urged to review systems for these indicators and strengthen preventive controls on Linux infrastructure amid this persistent botnet threat.

Indicators of Compromise (IOC)

Type           Indicator                                                          Description/Version
SHA-256 hash   46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c   v2.87X
SHA-256 hash   cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a   v3.05L
SHA-256 hash   205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867   v4.02V
SHA-256 hash   656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef   v4.02V
SHA-256 hash   67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0   v4.02V
SHA-256 hash   7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff   v4.02V
SHA-256 hash   87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e   v4.02V
SHA-256 hash   b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708   v4.02V
SHA-256 hash   d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7   v4.02V
SHA-256 hash   d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531   v4.08V
URL            hxxp://103.41.204[.]104/k.php                                      Malware distribution
URL            hxxp://152.36.128[.]18/cgi-bin/p.cgi                               C2 server


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
