Undisclosed UK Construction Firm
January 1, 2026
•[ malware, botnet, cryptojacking ]
eSentire TRU finds that a UK construction firm discovered Prometei malware on a Windows Server in January 2026. Researchers assessed initial access likely occurred via Remote Desktop Protocol using guessed weak/default credentials. Once inside, Prometei established persistence (service UPlugPlay and file sqhost.exe), downloaded an encrypted payload (zsvc.exe), routed traffic through TOR, and used Mimikatz (labelled miWalk) to steal passwords across the network. The report described Prometei as a Russia-linked botnet used for Monero mining and credential theft, and did not describe customer data exposure or service shutdown.
