A wave of attacks by the Prometei botnet was identified in March 2025, with a focus on the Linux variant.
Prometei allows compromised systems to be remotely controlled for cryptocurrency mining and credential theft.
The latest variants feature a backdoor enabling various malicious activities, employ a domain generation algorithm for command and control, and include self-updating features for stealth and evasion of detection.
Static analysis of versions 3 and 4 reveals key functional differences compared to version 2.
The Linux variant of the Prometei botnet can be detected via a YARA rule identifying Ultimate Packer for Executables and a configuration JSON trailer, a method likely to remain effective despite the botnet’s evolution.
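As an added illustration of that detection approach (not Unit 42's YARA rule, and not code from the original post), the following Python script applies the same heuristic to a file: an ELF header, the UPX marker string, and a JSON object appended at the end of the file. The sample bytes are constructed for the example and the exact trailer layout is an assumption; a real rule would use the indicators from the published report.

```python
import json

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # marker string left in UPX-packed executables


def find_json_trailer(data: bytes, max_trailer: int = 4096):
    """Return (offset, dict) for a JSON object at the end of the file, or None.

    Scans backwards through the last `max_trailer` bytes for a '{' from which
    the remainder (ignoring trailing NULs/whitespace) parses as a JSON object,
    so nested objects and padding after the trailer are handled.
    """
    tail_start = max(0, len(data) - max_trailer)
    pos = data.rfind(b"{", tail_start)
    while pos != -1:
        candidate = data[pos:].rstrip(b"\x00\r\n\t ")
        try:
            obj = json.loads(candidate.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            obj = None
        if isinstance(obj, dict):
            return pos, obj
        pos = data.rfind(b"{", tail_start, pos)  # try the previous '{'
    return None


def classify(data: bytes) -> dict:
    """Apply the three-part heuristic: ELF + UPX marker + JSON trailer."""
    trailer = find_json_trailer(data)
    result = {
        "is_elf": data.startswith(ELF_MAGIC),
        "has_upx_marker": UPX_MARKER in data,
        "json_trailer": trailer[1] if trailer else None,
    }
    result["match"] = result["is_elf"] and result["has_upx_marker"] and trailer is not None
    return result


# Constructed sample: an ELF header stub, a UPX marker, padding and an assumed
# JSON configuration trailer. This is not a real binary or a real config.
SAMPLE = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
    + b"\x00" * 64 + UPX_MARKER + b"\x0d\x16\x0d" + b"\x00" * 32
    + b'{"id":"constructed-sample","v":"4","meta":{"note":"placeholder"}}'
)

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A plain UPX-packed ELF without the trailer, or a trailer-bearing non-ELF file, does not match, which keeps the heuristic from flagging every packed binary.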
Protection against the Prometei botnet is provided by Network Security solutions Advanced WildFire, Advanced Threat Prevention, Advanced URL Filtering and Advanced DNS Security, and also through the Cortex product range.
If compromised or for urgent matters, the Unit 42 Incident Response team can be contacted.
Details of the Prometei botnet, including IoCs, are shared with fellow Cyber Threat Alliance members to deploy protections to customers and systematically disrupt malicious cyber actors.