Resurgence of the Prometei Botnet

    Date: 06/23/2025

    Severity: High

    Summary

    Our researchers have observed a new wave of Prometei botnet activity. Prometei refers to both the malware family and the botnet infrastructure used to remotely control compromised Linux and Windows systems for Monero mining and credential theft. This report highlights the resurgence of the Linux variant, which remains under active development and has gained new modules and capabilities. Recent versions ship a backdoor that extends the malware beyond mining, use domain generation algorithms (DGAs) for C2 communication, and include self-updating functionality to stay ahead of detection.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    http://103.41.204.104/k.php

    http://152.36.128.18/cgi-bin/p.cgi

    Hashes (SHA-256):

    46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c

    cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a

    205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867

    656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef

    67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0

    7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff

    87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e

    b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708

    d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7

    d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs:

    domainname like "http://152.36.128.18/cgi-bin/p.cgi" or url like "http://152.36.128.18/cgi-bin/p.cgi" or siteurl like "http://152.36.128.18/cgi-bin/p.cgi" or domainname like "http://103.41.204.104/k.php" or url like "http://103.41.204.104/k.php" or siteurl like "http://103.41.204.104/k.php"

    Hashes (SHA-256):

    sha256hash IN ("cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a","656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef","205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867","d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531","46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c","87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e","67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0","7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff","b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708","d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7")
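    The TDIR queries above match the two URLs as literal strings and the ten hashes as an exact list. For teams that need to sweep proxy and endpoint logs outside the platform, the following Python script is an added example (not Gurucul or Unit 42 code) that applies the same IOCs offline. It goes slightly beyond the queries: URL matching keys on host and path only, so an appended query string does not defeat the match, a request to the same C2 host with a different path is flagged at medium confidence, and hash comparison is case-insensitive because many EDRs emit upper-case hex. The log lines and their field layouts are constructed for illustration and are assumptions, not a real log format.

```python
"""Offline sweep of proxy and file-hash logs for the Prometei IOCs listed above.

Added example (not Gurucul or Unit 42 code). The log lines below are
constructed for illustration and the field layouts are assumptions.
"""
from urllib.parse import urlsplit

# Domains/URLs from the IOC list
IOC_URLS = (
    "http://103.41.204.104/k.php",
    "http://152.36.128.18/cgi-bin/p.cgi",
)

# SHA-256 hashes from the IOC list
IOC_SHA256 = {
    "46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c",
    "cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a",
    "205c2a562bb393a13265c8300f5f7e46d3a1aabe057cb0b53d8df92958500867",
    "656fa59c4acf841dcc3db2e91c1088daa72f99b468d035ff79d31a8f47d320ef",
    "67279be56080b958b04a0f220c6244ea4725f34aa58cf46e5161cfa0af0a3fb0",
    "7a027fae1d7460fc5fccaf8bed95e9b28167023efcbb410f638c5416c6af53ff",
    "87f5e41cbc5a7b3f2862fed3f9458cd083979dfce45877643ef68f4c2c48777e",
    "b1d893c8a65094349f9033773a845137e9a1b4fa9b1f57bdb57755a2a2dcb708",
    "d21c878dcc169961bebda6e7712b46adf5ec3818cc9469debf1534ffa8d74fb7",
    "d4566c778c2c35e6162a8e65bb297c3522dd481946b81baffc15bb7d7a4fe531",
}


def url_key(url):
    """Reduce a URL to (host, path). Scheme, port, query string and fragment
    are dropped so that e.g. a trailing ?id=7 does not defeat the match."""
    parts = urlsplit(url.strip())
    return (parts.hostname or "").lower(), parts.path or "/"


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}
IOC_HOSTS = {host for host, _ in IOC_URL_KEYS}


def match_url(url):
    """'high' on a host+path match, 'medium' when only the C2 host matches
    (same server, different path), None otherwise."""
    host, path = url_key(url)
    if (host, path) in IOC_URL_KEYS:
        return "high"
    if host in IOC_HOSTS:
        return "medium"
    return None


def match_hash(digest):
    """Case-insensitive SHA-256 lookup; many EDRs emit upper-case hex."""
    return digest.strip().lower() in IOC_SHA256


def sweep_proxy(log_text):
    """Assumed proxy format: '<ts> <client_ip> <method> <url> <status>'."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        confidence = match_url(url)
        if confidence:
            hits.append({"ts": ts, "client": client, "url": url, "confidence": confidence})
    return hits


def sweep_hashes(event_text):
    """Assumed file-event format: '<ts> <host> <path> <sha256>'."""
    hits = []
    for line in event_text.splitlines():
        if not line.strip():
            continue
        ts, host, path, digest = line.split()
        if match_hash(digest):
            hits.append({"ts": ts, "host": host, "path": path, "sha256": digest.lower()})
    return hits


# Constructed sample logs (not real telemetry). The second proxy line carries a
# query string and the third hits the C2 host on an unlisted path.
PROXY_LOG = """\
2025-06-23T10:01:12Z 10.0.4.17 GET http://103.41.204.104/k.php 200
2025-06-23T10:01:15Z 10.0.4.17 GET http://152.36.128.18/cgi-bin/p.cgi?id=7 200
2025-06-23T10:02:03Z 10.0.4.22 GET http://152.36.128.18/other/path 404
2025-06-23T10:02:40Z 10.0.4.31 GET https://example.com/index.html 200
"""

HASH_EVENTS = """\
2025-06-23T10:05:00Z host-a /tmp/.x 46CF75D7440C30CBFD101DD396BB18DC3EA0B9FE475EB80C4545868AAB5C578C
2025-06-23T10:05:09Z host-b /usr/bin/ls 0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for hit in sweep_proxy(PROXY_LOG) + sweep_hashes(HASH_EVENTS):
        print(hit)
```

    On the constructed input the script reports two high-confidence URL hits, one medium-confidence hit for the unlisted path on 152.36.128.18, and one hash hit on host-a. Treat the medium-confidence host matches as leads for triage rather than confirmed infections, since the same address could serve unrelated content.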

    Reference:

    https://unit42.paloaltonetworks.com/prometei-botnet-2025-activity/


    Tags

    Malware, Prometei, Botnet, Monero mining, Credential Theft, Backdoor
