Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server
Essential information
- Published: 09/02/2026 10:17
- Modified: 09/02/2026 11:44
- Tags: 2026-02-09 botnet crypto mining prometei
- Related entities: 3 vulnerabilities (CVE), 16 observables, 1 intrusion set (APT), 13 techniques (MITRE), 1 malware, 2 others
Description
eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the construction industry. Prometei, a Russian-origin botnet active since 2016, provides remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over both the clearweb and TOR. The malware uses layered encryption, including rolling XOR and RC4, to decrypt its payloads and protect C2 traffic. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions such as credential theft and TOR routing. The intrusion likely began with compromised RDP credentials, followed by execution of a malicious command that downloaded and ran the Prometei payload.