
UK Construction Firm Hit by Prometei Botnet Hiding in Windows Server


Cybersecurity firm eSentire’s TRU breaks down the Russian Prometei botnet attack on a UK firm, detailing its TOR usage, password theft and decoy tactics.

In January 2026, a UK construction firm discovered a digital “tenant from hell” hiding on its Windows Server. Security experts from the eSentire Threat Response Unit (TRU) identified the intruder as Prometei, a Russian-linked botnet active since 2016. While its main job is mining Monero cryptocurrency, TRU’s research revealed that it also excels at stealing passwords and taking remote control of systems.

The research, which was shared with Hackread.com, suggests the attackers didn’t need to be geniuses to get in. They likely just guessed easy or default passwords to gain access via the Remote Desktop Protocol (RDP). As we know, using weak credentials is the digital equivalent of leaving your front door wide open.

The Toolkit

For your information, Prometei isn ...


Copyright of this story solely belongs to hackread.com.