2 min

A new botnet called Prometei is targeting the cryptocurrency Monero. According to Cisco Talos researchers, Prometei is designed to brute force into as many devices as possible, and mine Monero (XRM) cryptocurrency on behalf of its operators.

Prometei has been active since March and uses a mix of stolen credentials, binaries (such as PsExec and WMI) and SMB exploits to gain access to a large number of devices. One basic module contains about 15 attack components that rapidly encrypt the data before it is transferred to the C&C server. Cisco Talos believes the different botnet modules are all controlled by a single entity.


Prometei also tries to recover admin passwords. If successful, these passwords are sent to the C2-server, and other modules will use them to try to gain access elsewhere in the system.

As the icing on the cake, the botnet also installs Mimikatz malware on the network. This malware is designed to steal passwords. If this is successful, a version of the EternalBlue exploit is used to launch that basic module. This basic module can be recognised by the file name Searchindexer.exe. However, the question is whether you can easily find it: Prometei also uses anti-detection.


Monero is a cryptocurrency that exists since 2014. The purpose of Monero is to have a high standard of privacy and to establish a robust system. However, it is not nearly as transparent as bitcoin, which means that the sender and receiver in a transaction can remain anonymous.

In addition, the way in which mining with Monero works is very different from bitcoin, which makes it slightly more accessible to do this on a personal computer. Unfortunately, hackers take advantage of this by mining on devices that are not their own with all of the consequences that come with it.