Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

[Khushal]

Content source

https://www.esentire.com/blog/tenant-from-hell-prometeis-unauthorized-stay-in-your-windows-server

Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

Learn about the Prometei botnet that gets deployed on a Windows server, including a comprehensive breakdown of Prometei’s technical operations, and how organizations can stay ahead of this threat.

www.esentire.com

In January 2026, eSentire's Threat Response Unit (TRU) detected a malicious command attempting to deploy Prometei on a Windows Server belonging to a customer in the Construction industry.

Prometei is a botnet suspected to be of Russian origin and has been active since 2016. It features extensive capabilities, including remote control functionality, credential harvesting, crypto-mining (Monero), lateral movement, Command and Control (C2) over both the clearweb and TOR network, and self-preservation measures that harden compromised systems against other threat actors, to maintain exclusive access.

This blog provides a comprehensive breakdown of Prometei's technical operations including its installation process, persistence mechanisms, encryption methods, C2 communication protocols, and the additional modules it employs.

 

[Bot]

Good find. eSentire’s write-up (published February 6, 2026; incident observed in January 2026) is useful mainly because it includes very “huntable” artifacts for Windows Server environments, not just a high-level overview. Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server

Key technical takeaways worth calling out

• Initial access wasn’t confirmed (they explicitly note insufficient logging / no EDR), but they hypothesize RDP password guessing / weak credentials.
• Two-part execution: an XOR “key file” dropped as C:\Windows\mshlpda32.dll is required for proper execution; without it Prometei performs decoy activity and exits (anti-sandbox behavior).
• On-disk + service persistence: payload written as C:\Windows\zsvc.exe, then copied to C:\Windows\sqhost.exe and installed as an auto-start service named UPlugPlay. The malware reportedly only “fully talks” to C2 when running as a service.
• Defense evasion / living-off-the-land: heavy use of built-in tooling (example: wmic.exe), plus Windows Defender and Firewall exclusions (one example shown is Add-MpPreference -ExclusionPath "C:\Windows\Dell").
• C2 behavior: HTTP-based, with victim data RC4-encrypted and Base64’d (optionally LZNT1 compressed). eSentire highlights recognizable prefixes like “E$” (encrypted) and “Z$” (compressed) in their decoding workflow.
• Additional modules observed include credential theft (Mimikatz), lateral movement tooling, an SSH spreader, and TOR proxying (they mention an onion C2 endpoint via modules named msdtc.exe / smcard.exe).
• Self-preservation module: “netdefender.exe” monitors failed logons (Event ID 4625) and auto-blocks IPs via Windows Firewall rules to reduce other actors brute-forcing the same host (i.e., it helps the attacker “keep” the server).

Practical hunting / validation items defenders can check quickly

• Windows service: UPlugPlay (new/unknown auto-start service).
• Suspicious binaries and paths called out in the blog: C:\Windows\zsvc.exe, C:\Windows\sqhost.exe, C:\Windows\mshlpda32.dll, and staging under C:\Windows\Dell (including walker_updater.cmd).
• Windows Defender exclusions newly added for unusual Windows paths (notably C:\Windows\Dell).
• Firewall rule name referenced by the module: “Banned brute IPs” (and unusual netsh/auditpol changes enabling logon failure auditing).
• Outbound traffic anomalies: unexpected HTTP beaconing from a server that normally shouldn’t, and any TOR-related egress patterns (or binaries posing as legitimate Windows components but behaving like proxies).

What I’d do with this post in a MalwareTips context

• Treat the IPs/hashes as starting points only (IOCs decay fast), but the behavioral anchors here are strong: the UPlugPlay service + Defender exclusions + odd C:\Windows\Dell staging are the bigger “tells.”
• If someone suspects exposure, the safest next step is to collect service listings, Defender exclusion configs, and relevant Security/Event logs, then scan with a reputable EDR/AV and isolate the host if anything matches.

Sources

• Tenant from Hell: Prometei's Unauthorized Stay in Your Windows Server
• Prometei botnet and its quest for Monero
• Resurgence of the Prometei Botnet

 

[ForgottenSeer 123960]

Technical Analysis & Remediation

Campaign Profile

Threat Actor
Prometei Botnet

Vector
Suspected RDP Credential Compromise (Brute Force/Default Creds).

Infrastructure
Payload delivery via 103.91.90[.]182 (AS17426).

Attack Chain & Evidence

Anti-Analysis Anchor
The attacker manually writes a 4-byte XOR key file to disk using cmd[.]exe.

Path
C:\Windows\mshlpda32.dll

Content
Hex 12 0D 0A.

Behavior
If this file is missing (e.g., in a sandbox), the malware executes decoy actions and terminates.

Payload Execution
PowerShell downloads the encrypted payload, decodes it (Base64 + rolling XOR), and executes it.

Payload
C:\windows\zsvc.exe.

Service Name
Often registered as zsvc or sqhost.

MITRE ATT&CK Mapping

T1133 (External Remote Services)
RDP initial access.

T1480 (Execution Guardrails)
Checks for mshlpda32.dll key file.

T1543.003 (Create or Modify System Process: Windows Service) Persistence via zsvc service.

T1021.002 (Remote Services SMB/Windows Admin Shares) Lateral movement capabilities.

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Network Isolation
Immediately isolate the affected server (VLAN quarantine). Block egress to 103.91.90[.]182 and TOR exit nodes.

Process Termination
Kill the process zsvc.exe and any unknown PowerShell instances spawned from services.exe.

Hunt for IOCs

C:\Windows\mshlpda32.dll (The "Tenant" anchor).

C:\Windows\zsvc.exe (The Payload).

Service
zsvc or sqhost.

Phase 2 Eradication

Service Removal

Powershell

sc.exe stop zsvc
sc.exe delete zsvc
sc.exe stop sqhost
sc.exe delete sqhost

File Deletion
Remove the identified artifacts (zsvc.exe, mshlpda32.dll). Do not delete mshlpda32.dll until forensic preservation is complete, as it proves the specific "keyed" attack occurred.

Credential Reset
Force reset of the compromised account (likely Administrator or a service account with RDP access) and all Domain Admin credentials if lateral movement is suspected.

Phase 3: Recovery

Patching
Ensure MS17-010 (EternalBlue) and CVE-2019-0708 (BlueKeep) patches are applied, as Prometei historically exploits these for lateral spread.

Access Control
Place RDP behind a VPN or RD Gateway with MFA enforced. Never expose RDP (Port 3389) directly to the internet.

Phase 4: Lessons Learned

Detection Tuning
Create SIEM rules for file writes to C:\Windows\*.dll by cmd[.]exe or powershell[.]exe.

Attack Surface Reduction
Audit all external-facing remote access services.

Remediation - THE HOME USER TRACK

Priority 1: Safety & Disconnection

Disconnect
Unplug the ethernet cable or disable Wi-Fi immediately.

Scanning
Use Microsoft Defender Offline Scan (requires reboot) to detect and remove the crypto-miner components.

Priority 2: Identity Security

If you run a home server with RDP open: Close Port 3389 on your router immediately.

Change your Windows login password from a different, clean device.

Priority 3: Persistence Removal

Check Task Manager for high CPU usage (crypto-miners often use 100% CPU).

Look for zsvc.exe in C:\Windows\. If found, booting into Safe Mode is recommended for deletion.

Hardening & References

Baseline
CIS Benchmark for Windows Server 2022/2025 (Section 2.3.7: Interactive Logon).

Reference

eSentire Threat Response Unit

Tactical
(Visualizing the RDP -> Key File -> Payload flow).