Prometei Botnet Targets Linux Servers for Cryptocurrency Mining Operations
gbhackers
Unit 42 researchers from Palo Alto Networks have identified a renewed wave of attacks by the Prometei botnet, specifically targeting Linux servers, as of March 2025.
Initially discovered in July 2020 with a focus on Windows systems, Prometei has since evolved, with its Linux variant gaining prominence since December 2020.
Resurgence of a Persistent Threat
The latest iterations, versions three and four, showcase advanced capabilities, including a backdoor for remote control, domain generation algorithms (DGA) for resilient command-and-control (C2) infrastructure, and self-updating mechanisms to evade detection.
This resurgence underscores Prometei’s persistent threat to organizations worldwide, with its primary objective being cryptocurrency mining, particularly Monero, alongside secondary goals like credential theft and additional payload deployment.
Prometei’s architecture is notably modular, allowing independent components to handle specific malicious tasks such as brute-forcing credentials, exploiting vulnerabilities like EternalBlue and Server Message Block (SMB) flaws, mining cryptocurrency ...