81/69 Tuesday, February 10, 2026
Researchers from eSentire have reported the discovery of Prometei botnet malware embedded within a construction company’s Windows Server in the United Kingdom in January 2026. Threat actors gained access through Remote Desktop Protocol (RDP) services that were protected by weak or easily guessable passwords, including default credentials. While Prometei primarily aims to hijack victim resources to mine the cryptocurrency Monero, analysis revealed that the malware is also capable of stealing passwords and remotely controlling compromised systems.
Once successfully embedded, the malware installs a service named UPlugPlay and creates a file called sqhost.exe to maintain persistence whenever the system restarts. It then downloads the primary payload, zsvc.exe, and leverages the tool Mimikatz to extract credentials from within the network. Communications are routed through the TOR network to reduce the likelihood of detection. Researchers also identified sandbox evasion techniques: the malware searches for specific files within the environment, and if conditions are not met, it performs decoy activities designed to mimic normal system behavior, thereby lowering the chances of behavioral analysis.
Another notable characteristic of Prometei is its “jealous tenant” behavior. The malware downloads a tool named netdefender.exe to block other hackers from accessing the compromised machine, effectively monopolizing the victim’s resources. To mitigate this threat, experts recommend eliminating default passwords, enforcing strong password policies, enabling multi-factor authentication (MFA), and keeping software up to date to reduce the risk of system compromise.
Source https://hackread.com/uk-construction-firm-prometei-botnet-windows-server/
