Malware, Security Operations, Threat Intelligence

Prometei botnet exploits weak passwords on UK construction firm’s server

botnet virus at a computer screen skull

A UK construction firm discovered the Prometei botnet, a sophisticated Russian-linked malware active since 2016, hiding on its Windows Server in January 2026. Security experts at eSentire's Threat Response Unit identified the intruder, which is known for mining Monero cryptocurrency but also excels at stealing passwords and taking remote control of systems, HackRead reports.

The Prometei botnet likely gained access to the construction firm's server by exploiting weak or default passwords via the Remote Desktop Protocol (RDP). Once inside, the malware installs itself using a service named UPlugPlay and a file named sqhost.exe to ensure persistence. It then downloads its main payload, zsvc.exe, which is heavily encrypted. Prometei gathers system information and uses tools like Mimikatz to steal passwords across the network, routing its traffic through the TOR network for anonymity. It employs tactics including sandbox bypass techniques and blocking of other unauthorized access attempts by downloading a tool called netdefender.exe, effectively acting as a digital "tenant from hell" that secures the system for its own illicit purposes.

eSentire has released tools to aid researchers in analyzing the malware, emphasizing the importance of proactive threat intelligence and regular software updates to mitigate such risks and prevent unauthorized access.

Source: HackRead

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds