{
	"id": "fdec507e-2e7c-4254-ba32-c1d52c7ed730",
	"created_at": "2026-04-06T00:08:22.74731Z",
	"updated_at": "2026-04-10T03:22:04.011653Z",
	"deleted_at": null,
	"sha1_hash": "e851cd127892d100676f895199de81f7e7a8ff04",
	"title": "Meet Prometheus, the secret TDS behind some of today's malware campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 388284,
	"plain_text": "Meet Prometheus, the secret TDS behind some of today's malware\r\ncampaigns\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-18 · Archived: 2026-04-05 15:42:31 UTC\r\nA recently discovered cybercrime service is helping malware gangs distribute their malicious payloads to\r\nunsuspecting users using hacked websites.\r\nNamed Prometheus, the service is what security researchers call a \"traffic distribution system,\" also known as a\r\nTDS.\r\nHow the Prometheus TDS works\r\nThe idea is that malware gangs can rent access to Prometheus and receive an account on the TDS platform.\r\nBuyers can then access the account, configure the malware payload they want to distribute, the type of users they\r\nwant to target (based on details such as geographical location, browser or OS version), and provide a list of\r\nhacked web servers.\r\nThe Prometheus TDS will then scan the list of hacked websites and then zeploy its own backdoor to the hacked\r\nservers. Once this is done, Prometheus customers can then move on to send email spam campaigns where the\r\nemail text contains links to the hacked websites.\r\nWhen users click the links and land on the hacked site, the Prometheus backdoor analyzes the victim's browser\r\ndetails and, based on the campaign parameters, will either redirect the user to a clean web page or to one that hosts\r\na malicious file.\r\nhttps://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/\r\nPage 1 of 3\n\nSpotted by security firm Group-IB earlier this spring, Prometheus is currently advertised on underground\r\ncybercrime forums for prices ranging from 30$ for 2 days of access to the platform to $250 a month.\r\nThe Prometheus ad, which dates back to August 2020, suggests the service has been live and used by malware\r\ngangs for almost a year.\r\nGroup-IB researchers said they discovered several campaigns where malware samples distributed through hacked\r\nweb servers were bearing the mark and URL schemes of the Prometheus TDS, including some of today's most\r\ndangerous malware strains, such as Campo Loader, IcedID, QBot, SocGholish, and Buer Loader.\r\nGroup-IB's recent findings come to show once again that the current cybercrime ecosystem is not made up of just\r\nthe people who create malware.\r\nIn almost all current malware campaigns, there are always at least two or three different groups working together\r\nto provide various services or features, which can usually include the likes of malware crypting, antivirus\r\ncheckers, Office file weaponization (exploit building), spam-sending services, traffic distribution systems, and,\r\nmany others.\r\nNo previous article\r\nNo new articles\r\nhttps://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/\r\nPage 2 of 3\n\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/\r\nhttps://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/"
	],
	"report_names": [
		"meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns"
	],
	"threat_actors": [],
	"ts_created_at": 1775434102,
	"ts_updated_at": 1775791324,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e851cd127892d100676f895199de81f7e7a8ff04.pdf",
		"text": "https://archive.orkl.eu/e851cd127892d100676f895199de81f7e7a8ff04.txt",
		"img": "https://archive.orkl.eu/e851cd127892d100676f895199de81f7e7a8ff04.jpg"
	}
}