Windows servers remain a high-value target for the Prometei botnet, according to a January 2026 incident analyzed by eSentire’s Threat Response Unit (TRU).
The activity involved a compromised Windows Server supporting operations in the construction sector, reinforcing concerns that attackers continue to exploit basic security gaps rather than relying on new exploits.
Prometei has been active since 2016 and is primarily associated with financially motivated campaigns. Its core capabilities include credential harvesting, lateral movement, and Monero crypto-mining.
What makes the malware particularly effective in server-related environments is its heavy reliance on native Windows features, which allows it to blend in with legitimate administrative activity when endpoint visibility is limited.
According to an advisory published by eSentire over the weekend, investigators were unable to conclusively identify the initial access vector in this case because logging was limited and no endpoint detection and response tooling was in place.
However, the malware components observed strongly suggest that the attackers used weak/reused credentials for Remote Desktop Protocol (RDP) access, a common means of entry previously seen with Prometei.
Prometei’s Windows-Focused Attack Chain
After gaining access, Prometei executed a chained Command Prompt and PowerShell routine to decrypt and launch its primary payload. The malware installs itself as an auto-start Windows service, ensuring persistence after reboots, and adds firewall and Microsoft Defender exclusions to reduce the chance of detection or disruption.
The malware then profiles the server using built-in Windows utilities to collect details such as operating system version, hardware characteristics, and installed security software.
This information is sent to attacker-controlled infrastructure to register the system and enable tasking. If required files are missing, Prometei deliberately performs benign “decoy” actions and exits, a technique designed to evade automated sandbox analysis.
In later stages, Prometei can deploy additional modules for credential theft, network propagation, and anonymous command-and-control (C2) traffic.
According to eSentire, implementing robust authentication for remote access tools, tracking service creation and registry modifications, and providing effective endpoint visibility will help limit the effects of persistent botnets such as Prometei.
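The persistence and evasion steps described above (auto-start service installation, Defender exclusions, firewall changes) and the monitoring eSentire recommends map onto a handful of native Windows event IDs. The following triage script is an added example, not eSentire's tooling; it assumes events have been exported as dictionaries with `log`, `event_id` and `message` fields (for instance via `Get-WinEvent`), and the sample records are constructed rather than real telemetry.

```python
"""Triage exported Windows event records for the behaviours described above:
auto-start service creation, Defender exclusion changes and firewall rule
additions. Events are dicts with the fields an analyst would export via
Get-WinEvent; the sample records below are constructed, not real telemetry."""
import re

# Channels and event IDs are real Windows ones; the scoring is an added
# heuristic, not an eSentire or Prometei-specific signature.
RULES = {
    ("System", 7045): "new service installed",
    ("Security", 4697): "new service installed (audit)",
    ("Microsoft-Windows-Windows Defender/Operational", 5007): "Defender config changed",
    ("Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", 2004): "firewall rule added",
}
EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.I)
AUTOSTART_RE = re.compile(r"Start Type:\s*auto start", re.I)
SERVICE_NAME_RE = re.compile(r"Service Name:\s*(.+)")

def triage(events):
    """Return (severity, summary) tuples for events worth an analyst's attention."""
    hits = []
    for ev in events:
        label = RULES.get((ev["log"], ev["event_id"]))
        if label is None:
            continue  # not one of the channels/IDs this heuristic covers
        msg = ev["message"]
        if ev["event_id"] == 5007:
            if not EXCLUSION_RE.search(msg):
                continue  # other Defender configuration changes are routine noise
            hits.append(("high", f"{label}: exclusion added -> {msg.splitlines()[-1].strip()}"))
        elif ev["event_id"] in (7045, 4697):
            name = SERVICE_NAME_RE.search(msg)
            sev = "high" if AUTOSTART_RE.search(msg) else "medium"  # auto-start survives reboots
            hits.append((sev, f"{label}: {name.group(1).strip() if name else '?'}"))
        else:
            hits.append(("medium", f"{label}: {msg.strip()}"))
    return hits

# Constructed sample records (placeholder names and paths, not real indicators).
SAMPLE_EVENTS = [
    {"log": "System", "event_id": 7045,
     "message": "A service was installed in the system.\nService Name: ExampleSvc\n"
                "Service File Name: C:\\ProgramData\\example\\svc.exe\nService Start Type: auto start\n"},
    {"log": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed.\n"
                "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\x = 0x1"},
    {"log": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5007,
     "message": "Windows Defender Antivirus Configuration has changed.\n"
                "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ProgramData\\example = 0x0"},
    {"log": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "event_id": 2004,
     "message": "A rule has been added to the Windows Defender Firewall exception list.\nRule Name: example-svc"},
]

if __name__ == "__main__":
    for severity, summary in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {summary}")
```

Run against real exports, the same three event IDs plus Security 4697 give the service-creation and registry-change visibility the advisory calls for, even on hosts without EDR.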