In January 2026, a construction firm in the UK uncovered a notorious digital intruder on its Windows Server, identified by security experts from the eSentire Threat Response Unit (TRU) as Prometei, a Russian-affiliated botnet that has been operational since 2016. While Prometei primarily focuses on mining Monero cryptocurrency, TRU’s investigation unveiled its capabilities in password theft and remote system control, underscoring the multifaceted threat it poses.
According to research shared by eSentire, it appears that the attackers exploited weak or default passwords to breach the system via Remote Desktop Protocol (RDP). This tactic exemplifies the digital equivalent of keeping one’s front door unlocked, making it alarmingly easy for cybercriminals to infiltrate vulnerable systems.
The Toolkit
Prometei is not just a single malicious file; it is a comprehensive toolkit designed for persistence. Once it breaches a system, it installs a service known as UPlugPlay and creates an executable file called sqhost.exe, ensuring it remains active with every system reboot. The malware’s initial action is to download its main component, zsvc.exe, from a server linked to Primesoftex Ltd., using heavy encryption to disguise its true nature.
Further analysis revealed that Prometei collects basic host information, such as the computer’s name and hardware specifications, through built-in Windows utilities. It utilizes Mimikatz, a credential-dumping tool that appears in the malware under the name miWalk, to extract passwords from the network, while routing its command-and-control communication through the anonymizing Tor network to evade detection.
Clever Disguises and Tactics
What distinguishes Prometei from other malware is its adeptness at avoiding detection. It searches for a specific file, mshlpda32.dll, to unpack its malicious code. If this file is absent, instead of failing outright, the malware executes decoy operations, presenting a façade of benign system activities to mislead security analysts attempting to study it in a controlled environment. Researchers refer to this strategy as a “sandbox bypass.”
Prometei exhibits behavior reminiscent of a “jealous tenant,” a term coined by researchers due to its aggressive protective measures against other potential threats. It installs netdefender.exe, a tool that proactively blocks other hackers from gaining access, while vigilantly monitoring for failed login attempts. This ironic twist reveals that the malware fortifies the compromised system solely to preserve its exclusive access.
Staying Protected
To safeguard against such threats, organizations must implement strong, complex passwords, moving away from easily guessable defaults. In response to the escalation of this and similar threats, eSentire has developed specialized tools that enable researchers to unpack and analyze the malware’s behavior. Experts further recommend the use of multi-factor authentication (MFA) and ensuring all software is kept up to date to mitigate vulnerabilities before a malicious entity can establish a foothold.
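The two detection checks that follow from this article are (1) spotting the RDP password-guessing that gave Prometei its foothold and (2) looking for the persistence artifacts named in “The Toolkit” (the UPlugPlay service and the sqhost.exe, zsvc.exe, netdefender.exe and mshlpda32.dll files). The script below is an added example, not code from eSentire or from the article. It runs over a constructed, simplified set of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP) and a constructed service/process inventory; the threshold, window, IP addresses and file paths are assumptions chosen for illustration.

```python
"""Added example: detect RDP password guessing and Prometei persistence artifacts.

Not code from eSentire or the article. Input data is constructed inline so it
runs offline; in practice the events would come from the Security event log
or a SIEM, and the inventory from the host's service and process listings.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators named in the article: the persistence service and dropped files.
PROMETEI_SERVICE_NAMES = {"uplugplay"}
PROMETEI_FILE_NAMES = {"sqhost.exe", "zsvc.exe", "netdefender.exe", "mshlpda32.dll"}

# Constructed sample events, flattened to the fields the checks need.
# 4625 = failed logon, 4624 = successful logon, logon_type 10 = RDP.
SAMPLE_EVENTS = [
    {"time": "2026-01-12T03:14:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2026-01-12T03:14:03", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2026-01-12T03:14:05", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2026-01-12T03:14:08", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2026-01-12T03:14:10", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2026-01-12T03:14:12", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2026-01-12T03:20:00", "id": 4625, "logon_type": 10, "user": "jsmith", "src": "198.51.100.20"},
    {"time": "2026-01-12T03:21:00", "id": 4625, "logon_type": 3, "user": "svc_backup", "src": "198.51.100.20"},
    {"time": "2026-01-12T04:00:00", "id": 4624, "logon_type": 2, "user": "jsmith", "src": "-"},
]

# Constructed inventory; paths are assumptions, not where Prometei actually installs.
SAMPLE_SERVICES = [
    {"name": "UPlugPlay", "path": "C:\\Windows\\sqhost.exe"},
    {"name": "Spooler", "path": "C:\\Windows\\System32\\spoolsv.exe"},
]
SAMPLE_PROCESSES = [
    "C:\\Windows\\System32\\svchost.exe",   # legitimate; note the sqhost.exe look-alike name
    "C:\\Windows\\zsvc.exe",
    "C:\\ProgramData\\netdefender.exe",
]


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: max_failures_in_window} for sources with >= threshold RDP failures."""
    failures = defaultdict(list)
    for ev in events:
        if ev["id"] == 4625 and ev["logon_type"] == 10:
            failures[ev["src"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for src, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def successful_rdp_after_failures(events, flagged):
    """Return [(src, user)] for flagged sources that later logged on successfully over RDP."""
    seen_failure, hits = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort lexically
        if ev["src"] not in flagged or ev["logon_type"] != 10:
            continue
        if ev["id"] == 4625:
            seen_failure.add(ev["src"])
        elif ev["id"] == 4624 and ev["src"] in seen_failure:
            hits.append((ev["src"], ev["user"]))
    return hits


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def prometei_indicators(services, processes):
    """Match service names and image file names against the article's indicators."""
    hits = []
    for svc in services:
        if svc["name"].lower() in PROMETEI_SERVICE_NAMES:
            hits.append(("service", svc["name"], svc["path"]))
        if _basename(svc["path"]) in PROMETEI_FILE_NAMES:
            hits.append(("service_image", svc["name"], svc["path"]))
    for proc in processes:
        if _basename(proc) in PROMETEI_FILE_NAMES:
            hits.append(("process", _basename(proc), proc))
    return hits


if __name__ == "__main__":
    flagged = rdp_bruteforce_sources(SAMPLE_EVENTS)
    print("RDP guessing sources:", flagged)
    print("Guessing followed by success:", successful_rdp_after_failures(SAMPLE_EVENTS, flagged))
    for kind, name, path in prometei_indicators(SAMPLE_SERVICES, SAMPLE_PROCESSES):
        print(f"indicator [{kind}] {name}: {path}")
```

The second check matters more than the first: a burst of 4625s followed by a 4624 from the same source is the sequence that turns “someone is guessing” into “someone is in,” and it is the point at which the service and file indicators should be queried on the target host. The inventory match is deliberately name-based and case-insensitive so that a renamed path does not hide a known file name; the svchost.exe entry is there to show that the legitimate process does not trip the sqhost.exe indicator.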
In summary, the tactics employed by Prometei align with several techniques outlined in the MITRE ATT&CK framework, notably initial access through compromised credentials, persistence via malicious services, and privilege escalation via credential dumping. Understanding these tactics is essential for any organization looking to bolster its cybersecurity defenses in an increasingly perilous digital landscape.