Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

eSentire's Threat Response Unit detected Prometei botnet activity on a customer's Windows Server in the Construction industry. Prometei, a Russian-origin botnet active since 2016, features remote control, credential harvesting, crypto-mining, lateral movement, and C2 communication over clearweb and TOR. The malware uses complex encryption, including rolling XOR and RC4, for payload decryption and C2 communications. It establishes persistence as a Windows service, creates firewall exceptions, and downloads additional modules for specialized functions like credential theft and TOR routing. The attack likely began with compromised RDP credentials, followed by the execution of a malicious command to download and run the Prometei payload.

Pulse ID: 6989b43679c3651b67e4a034
Pulse Link: https://otx.alienvault.com/pulse/6989b43679c3651b67e4a034
Pulse Author: AlienVault
Created: 2026-02-09 10:17:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CredentialHarvesting #CyberSecurity #Encryption #InfoSec #Malware #OTX #OpenThreatExchange #RDP #Russia #ThreatResponseUnit #Windows #bot #botnet #eSentire #AlienVault

Rekordowy atak DDoS 31,4 Tb/s – nowe zagrożenie dla internetu w 2026 roku

31,4 Tb/s. Nie, to nie nowy światłowód do metawersum, tylko tempo, w jakim ktoś próbował zatopić cudzy internet w listopadzie.

Czytaj dalej:
https://pressmind.org/rekordowy-atak-ddos-314-tbs-nowe-zagrozenie-dla-internetu-w-2026-roku/

#PressMindLabs #aisurukimwolf #androidtv #botnet #cloudflare #ddos

State-sponsored hackers compromised a beloved developer tool while AI platforms exposed millions of sensitive records.
#cybersecurity #supplychainattack #stateSponsored #botnet #databreach

https://cybernewsweekly.substack.com/p/cybersecurity-news-review-week-6-43e

Silent Push, from yesterday: Silent Push Identifies More Than 10,000 Infected IPs as Part of SystemBC Botnet Malware Family https://www.silentpush.com/blog/systembc/

More:

Infosecurity-Magazine: Global SystemBC Botnet Found Active Across 10,000 Infected Systems https://www.infosecurity-magazine.com/news/global-systembc-botnet-10000/ #infosec #malware #botnet

The number of botnet C&C servers continued to 📈 rise between July & December 2025, increasing by 🔺+24% #botnet #threats #report [ https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/ ] 📎 (PDF) [ https://content.spamhaus.org/30bc0262-14ee-42d9-93bb-31985ef89497.pdf ] via The Spamhaus Project #informatique

New. You'd think it's Tuesday, based on today's prolific output.

Picus: CVE-2026-21509: APT28 Exploits Microsoft Office Zero-day Vulnerability https://www.picussecurity.com/resource/blog/cve-2026-21509-apt28-exploits-microsoft-office-zero-day-vulnerability

Securonix: Analyzing Dead#Vax: Analyzing Multi-Stage VHD Delivery and Self-Parsing Batch Scripts to Deploy In-Memory Shellcode https://www.securonix.com/blog/deadvax-threat-research-security-advisory/

Silent Push Identifies More Than 10,000 Infected IPs as Part of SystemBC Botnet Malware Family https://www.silentpush.com/blog/systembc/

Sophos: Malicious use of virtual machine infrastructure https://www.sophos.com/en-us/blog/malicious-use-of-virtual-machine-infrastructure @sophos

Tenable: LookOut: Discovering RCE and Internal Access on Looker (Google Cloud & On-Prem) https://www.tenable.com/blog/google-looker-vulnerabilities-rce-internal-access-lookout @tenable #infosec #Google #Microsoft #threatresearch #zeroday #vulnerability #malware #botnet

.ru serious? 🇷🇺 ccTLD .ru had an unbelievable +3741% ⏫ in #botnet C&C domains, placing it #1 for the most abused ccTLD in the latter half of 2025. This activity can be attributed almost entirely to #clearfake, a malicious JavaScript framework.

Learn more in the Botnet Threat Update Jul - Dec 2025 ⤵️ ⤵️
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#ccTLD #BotnetCC #ThreatIntel

Su atención por favor. Todo esto está pasando muy rápido.

#openclaw (antes #clawdbot, luego #moltbot) tiene una mal llamada "red social" (social network) tipo reddit: https://www.moltbook.com/

Seguro saldrá en los medios o los escucharán por ahí por el revuelo que está cusando en internet, pero llamémoslo por su nombre, es una #botnet. Los #bots *no* son seres sociables, siguen siendo calculadoras de palabras que aparentan inteligencia

"IPIDEA enttarnt: Google stoppt zentrale Drehscheibe für Botnetze und APTs"

https://www.infopoint-security.de/schlag-gegen-globales-proxy-netzwerk-gtig-zerschlaegt-zentrale-infrastruktur-von-ipidea/a43507/

#botnet #cybersecurity

#Aisuru #botnet sets new record with 31.4 Tbps #DDoS attack

https://www.bleepingcomputer.com/news/security/aisuru-botnet-sets-new-record-with-314-tbps-ddos-attack/

#cybersecurity

Exposed BYOB C2 Infrastructure Reveals a Multi-Stage Malware Deployment

An exposed open directory on a command and control server revealed a complete deployment of the BYOB (Build Your Own Botnet) framework. The multi-stage infection chain targets Windows, Linux, and macOS platforms, implementing seven persistence mechanisms. The malware includes extensive post-exploitation capabilities such as keylogging, packet capture, and email harvesting. Analysis uncovered a modular design with encrypted C2 communications and infrastructure reuse across multiple regions. Two nodes also hosted XMRig cryptocurrency miners, indicating additional monetization efforts. The campaign has been operational for approximately 10 months, demonstrating geographic and provider diversification in its infrastructure.

Pulse ID: 697b5776280717e17bf1db93
Pulse Link: https://otx.alienvault.com/pulse/697b5776280717e17bf1db93
Pulse Author: AlienVault
Created: 2026-01-29 12:49:58

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Email #InfoSec #Linux #Mac #MacOS #Malware #OTX #OpenThreatExchange #RAT #SMS #Windows #bot #botnet #cryptocurrency #AlienVault

Who Operates the #Badbox 2.0 #Botnet?

https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/

#cybersecurity

New, from me: Who Operates the Badbox 2.0 Botnet?

The cybercriminals in control of Kimwolf -- a disruptive botnet that has infected more than 2 million devices -- recently shared a screenshot indicating they'd compromised the control panel for Badbox 2.0, a vast China-based botnet powered by malicious software that comes pre-installed on many Android TV streaming boxes. Both the FBI and Google say they are hunting for the people behind Badbox 2.0, and thanks to bragging by the Kimwolf botmasters we may now have a much clearer idea about that.

https://krebsonsecurity.com/2026/01/who-operates-the-badbox-2-0-botnet/

#infosec #botnet #IoT #Android #Google #threatresearch

#Kimwolf #Botnet Lurking in Corporate, Govt. Networks

https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

#cybersecurity #malware

#Kimwolf #Botnet Lurking in Corporate, Govt. Networks

A new #IoT botnet called Kimwolf has spread to more than 2 million devs, forcing infected systems to participate in massive #DDoS attacks & to relay other malicious & abusive Internet traffic. Kimwolf’s ability to scan the local networks of #compromised systems for other IoT devices to infect makes it a sobering threat to organizations…surprisingly prevalent in government and corporate networks.
#security #privacy

https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

EtherRAT Targeting Windows Disguised as a Game Mod Installer

A Windows variant of EtherRAT, a JavaScript-based malware, has been discovered disguised as game mod installers. The malware uses MSI files to create and execute obfuscated scripts that decrypt and run the main payload. EtherRAT retrieves its Command and Control (C2) server addresses dynamically through Ethereum smart contracts, employing anti-analysis techniques and establishing persistence via Registry Run keys. The malware's infrastructure has been linked to the Tsundere Botnet, sharing C2 servers and smart contract similarities. Analysis revealed multiple contract addresses and wallet addresses associated with the attacker, indicating an expanding and evolving operation targeting both Windows and Linux systems.

Pulse ID: 6970c8427c1fd561ba4d962a
Pulse Link: https://otx.alienvault.com/pulse/6970c8427c1fd561ba4d962a
Pulse Author: AlienVault
Created: 2026-01-21 12:36:18

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Java #JavaScript #Linux #Malware #OTX #OpenThreatExchange #RAT #Windows #bot #botnet #AlienVault

XWorm 🪱 slithers up three spots to rank #6, with a +118% ⏫ increase in #botnet C&Cs between July and December 2025—now the 3rd most observed Remote Access Trojan (RAT).

Get the full list and read the FREE report here 🔎
https://www.spamhaus.org/resource-hub/botnet-c-c/botnet-threat-update-july-to-december-2025/

#Malware #BotnetCC #ThreatIntel

New, from me: The Kimwolf Botnet is Lurking in Corporate, Govt. Networks

A new Internet-of-Things botnet called Kimwolf has spread to more than 2 million devices, forcing infected systems to participate in massive distributed denial-of-service (DDoS) attacks and to relay other malicious and abusive Internet traffic. Kimwolf’s ability to scan the local networks of compromised systems for other IoT devices to infect makes it a sobering threat to organizations, and new research reveals Kimwolf is surprisingly prevalent in government and corporate networks.

https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/

#botnet #infosec #IoT #DDoS #threatresearch #malware

Analyzing React2Shell Threat Actors

This report analyzes the exploitation of CVE-2025-55182, known as React2Shell, a critical vulnerability in React Server Components. It examines various attack payloads, including credential harvesters, reverse shells, and botnet loaders. The analysis reveals rapid weaponization of the vulnerability, with attackers employing sophisticated techniques like fileless downloaders, raw TCP stagers, and creative use of framework errors. The report also highlights the top 10 exploited CVEs for December, with React2Shell quickly rising to the second most targeted vulnerability. Key indicators of compromise and recommended mitigation strategies are provided to help organizations defend against these threats.

Pulse ID: 696b8bd46b346ef957af57ad
Pulse Link: https://otx.alienvault.com/pulse/696b8bd46b346ef957af57ad
Pulse Author: AlienVault
Created: 2026-01-17 13:17:08

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #TCP #Vulnerability #bot #botnet #AlienVault

#Lumen disrupts #AISURU and #Kimwolf #botnet by blocking over 550 C2 servers
https://securityaffairs.com/186918/cyber-crime/lumen-disrupts-aisuru-and-kimwolf-botnet-by-blocking-over-550-c2-servers.html
#securityaffairs #hacking #malware