“Tenant from Hell”: Russian Botnet Squats in UK Construction Firm’s Server
A sophisticated Russian-linked botnet called Prometei secretly infiltrated a UK construction company’s Windows Server, mining cryptocurrency and locking out rival hackers.
It started with a sluggish server and a few odd login attempts - nothing unusual for a busy UK construction firm. But when security teams swept the company’s digital “premises,” they found a squatter lurking deep in the system: Prometei, a crafty Russian botnet that had made itself at home, barricading the doors and quietly stealing resources.
Fast Facts
- Prometei botnet infiltrated a UK construction firm’s Windows Server in January 2026.
- Attackers exploited weak or default RDP passwords to gain initial access.
- Prometei mines Monero cryptocurrency, steals passwords, and enables remote control.
- It uses advanced evasion tactics, including sandbox bypass and blocking other hackers.
- Researchers recommend strong passwords, MFA, and regular updates for defense.
An Unwelcome Guest with a Full Toolkit
Unlike smash-and-grab malware, Prometei is a digital squatter with a plan. Once inside, it doesn’t just hide - it fortifies its position. The attack began with the hackers exploiting the Remote Desktop Protocol (RDP), likely using weak or default credentials. This basic misstep handed them the keys to the server, allowing Prometei to move in undetected.
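The weak-RDP-credential entry point described above is also the easiest place for a defender to catch an intrusion early: password guessing against RDP leaves a burst of failed logons (Windows Security Event ID 4625, logon type 10) from one source before anything succeeds. The following is an added example, not code from the article or from eSentire; the event records are constructed to resemble the relevant 4625/4624 fields, and the threshold and time window are assumptions to tune per environment.

```python
"""Flag RDP password-guessing bursts from Windows logon events.

Added example (hypothetical, not eSentire's tooling). Input records are
constructed to mirror the fields a SIEM would pull from Event IDs 4625
(failed logon) and 4624 (successful logon): logon type 10 is
RemoteInteractive, i.e. an RDP session.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive in 4624/4625 events

# Constructed sample events: (timestamp, event_id, logon_type, source_ip, account).
# 203.0.113.0/24 and 192.0.2.0/24 are documentation address ranges, not real hosts.
SAMPLE_EVENTS = [
    ("2026-01-14T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2026-01-14T02:00:03", 4625, 10, "203.0.113.7", "admin"),
    ("2026-01-14T02:00:04", 4625, 10, "203.0.113.7", "Administrator"),
    ("2026-01-14T02:00:06", 4625, 10, "203.0.113.7", "root"),
    ("2026-01-14T02:00:07", 4625, 10, "203.0.113.7", "guest"),
    ("2026-01-14T02:00:08", 4625, 10, "203.0.113.7", "sysadmin"),
    ("2026-01-14T02:00:09", 4624, 10, "203.0.113.7", "administrator"),  # guess landed
    ("2026-01-14T02:00:10", 4625, 3, "203.0.113.9", "svc_backup"),     # network logon, not RDP
    ("2026-01-14T09:15:00", 4625, 10, "192.0.2.25", "jsmith"),          # one mistyped password
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: alert} for sources with >= threshold failed RDP logons
    inside any sliding window. Each alert records the total failures seen,
    the account names tried, and the account a later successful RDP logon
    from the same source used (None if the guessing never succeeded)."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps inside the window
    totals = Counter()            # source_ip -> all failed RDP logons seen
    accounts = defaultdict(set)   # source_ip -> account names tried
    alerts = {}

    # ISO-8601 strings sort chronologically, so a plain string sort is enough here.
    for ts_str, event_id, logon_type, src, account in sorted(events, key=lambda e: e[0]):
        if logon_type != RDP_LOGON_TYPE:
            continue  # only RDP sessions matter for this detection
        ts = datetime.fromisoformat(ts_str)

        if event_id == 4625:
            totals[src] += 1
            accounts[src].add(account)
            q = recent[src]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"succeeded_as": None})
                alert["failures"] = totals[src]
                alert["accounts"] = sorted(accounts[src])

        elif event_id == 4624 and src in alerts:
            # A success from a source already flagged means a guessed password worked:
            # the highest-priority finding, since the attacker now has a foothold.
            alerts[src]["succeeded_as"] = account

    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {alert['failures']} failed RDP logons, accounts tried "
              f"{alert['accounts']}, success as {alert['succeeded_as']}")
```

Fed with real exported Security-log events instead of the constructed list, the same logic distinguishes a user mistyping a password once from a source walking through common administrator account names, and escalates when a success follows the burst. The detection complements rather than replaces the fixes the article recommends: the burst only exists because RDP was reachable with a guessable password and no second factor.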
Prometei isn’t a single file. It’s a toolkit, deploying components like UPlugPlay and sqhost.exe to ensure persistence. Its main payload, zsvc.exe, is downloaded in encrypted form from infrastructure linked to Primesoftex Ltd., a company with ties to Russian cybercrime circles.
Mining, Stealing, and Locking Down
Once settled, Prometei gets to work: mining Monero cryptocurrency to line its operators’ pockets while also stealing every password it can find using the infamous Mimikatz tool (disguised as “miWalk”). All stolen data and malicious traffic are funneled through the Tor anonymity network, making detection and tracing nearly impossible.
But Prometei’s paranoia sets it apart. Like a tenant who changes the locks, it deploys netdefender.exe to block other hackers from accessing the compromised system. It even monitors for failed login attempts and proactively shuts the door on would-be intruders, ensuring exclusive access for its own malicious agenda. Ironically, the malware ends up “hardening” the server - just not for the owner’s benefit.
Clever Evasion and Defensive Moves
Prometei’s operators are masters of disguise. The malware checks for a specific file (mshlpda32.dll) before unpacking its code. If it doesn’t find it, Prometei runs fake system tasks to throw off security researchers trying to analyze it in a sandboxed environment - a classic “sandbox bypass” trick.
To help defenders, security firm eSentire released tools for unpacking and studying Prometei’s moves. But the first line of defense remains simple: ditch default passwords, enable multi-factor authentication, and keep systems patched. A little digital hygiene goes a long way toward keeping unwanted tenants out.
Conclusion
Prometei’s latest break-in is a stark reminder: cybercriminals don’t need sophisticated exploits if basic defenses are neglected. With its bag of tricks, this botnet isn’t just a thief - it’s a squatter who fortifies your home against everyone but itself. For businesses everywhere, the lesson is clear: secure your digital doors before someone else moves in and changes the locks.
WIKICROOK
- Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
- Remote Desktop Protocol (RDP): Remote Desktop Protocol (RDP) lets users access and control a computer remotely. Without proper security, it can be vulnerable to cyberattacks.
- Mimikatz: Mimikatz is a tool that extracts passwords and authentication data from Windows computers, often used in cybersecurity testing and by hackers.
- Sandbox: A sandbox is a secure, isolated environment where experts safely analyze suspicious files or programs without endangering real systems or data.
- Multi-factor authentication (MFA): Multi-factor authentication requires a second proof of identity, such as a code from an authenticator app or a hardware token, in addition to a password, so a stolen or guessed password alone is not enough to log in.