A UK construction firm discovered the Prometei botnet, a sophisticated Russian-linked malware active since 2016, hiding on its Windows Server in January 2026. Security experts at eSentire's Threat Response Unit identified the intruder, which is known for mining Monero cryptocurrency but also excels at stealing passwords and taking remote control of systems, HackRead reports.The Prometei botnet likely gained access to the construction firm's server by exploiting weak or default passwords via the Remote Desktop Protocol (RDP). Once inside, the malware installs itself using a service named UPlugPlay and a file named sqhost.exe to ensure persistence. It then downloads its main payload, zsvc.exe, which is heavily encrypted. Prometei gathers system information and uses tools like Mimikatz to steal passwords across the network, routing its traffic through the TOR network for anonymity. It employs tactics including sandbox bypass techniques and blocking of other unauthorized access attempts by downloading a tool called netdefender.exe, effectively acting as a digital "tenant from hell" that secures the system for its own illicit purposes.eSentire has released tools to aid researchers in analyzing the malware, emphasizing the importance of proactive threat intelligence and regular software updates to mitigate such risks and prevent unauthorized access.Source: HackRead
Malware, Security Operations, Threat Intelligence
Prometei botnet exploits weak passwords on UK construction firm’s server

(Adobe Stock)
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



