Russia-linked botnet found on UK firm's server

A UK construction firm's compromised Windows Server highlighted how a long-running Russian-linked botnet still exploits basic security lapses.

HackRead reports that a UK construction firm's compromised Windows Server in January 2026 highlighted how a long-running Russian-linked botnet still exploits basic security lapses.

Security analysts from eSentire's Threat Response Unit identified the intruder as Prometei, a botnet active since 2016 that mainly mines Monero but can also steal credentials and remotely control systems. 

Findings shared with Hackread.com suggest the attackers likely entered through Remote Desktop Protocol by guessing weak or default passwords rather than using advanced exploits. 

Once inside, Prometei installed multiple components to ensure persistence, including the UPlugPlay service and executables configured to relaunch at startup. Researchers found the malware downloaded an encrypted core payload, collected system data, and used a modified Mimikatz tool to harvest network passwords, routing its traffic through Tor.

Prometei also used sandbox-evasion techniques and blocked rival hackers to maintain exclusive access. eSentire advised replacing default credentials, enabling multi-factor authentication, updating software, and using its newly released analysis tools.
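The two stages the report describes, a weak-password RDP guess that eventually succeeds and a new service (UPlugPlay) installed for persistence, both leave standard Windows event log traces. The hunt below is an added example, not part of the HackRead or eSentire material: it runs over a constructed set of Security and System log records (Event IDs 4625, 4624 and 7045) and flags an IP that racks up repeated failed RDP logons for one account and then logs that account on, plus any service install whose name matches the UPlugPlay component. The threshold, window, sample IPs, the placeholder image path and the choice to count logon types 10 and 3 as RDP are all assumptions.

```python
"""Hunt for the Prometei intrusion chain over Windows event records:
RDP password guessing (4625 bursts followed by a 4624) and a service
install (7045) named after a known Prometei component (UPlugPlay).
Added example with constructed sample data; not telemetry from the report."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

FAILED_LOGON = 4625        # Security log: an account failed to log on
SUCCESS_LOGON = 4624       # Security log: an account was successfully logged on
SERVICE_INSTALLED = 7045   # System log: a service was installed in the system
# Assumption: type 10 (RemoteInteractive) and type 3 (how NLA-fronted RDP
# failures usually surface) both count as RDP attempts.
RDP_LOGON_TYPES = {10, 3}
FAILURE_THRESHOLD = 5      # assumed tuning: failures before we care
WINDOW = timedelta(minutes=10)
KNOWN_SERVICE_NAMES = {"uplugplay"}   # service name from the report, matched case-insensitively

# Constructed sample log (JSON lines, one event per line). IPs are from the
# documentation ranges; the image path is a placeholder, not the real one.
SAMPLE_LOG = r"""
{"EventID": 4625, "Time": "2026-01-12T02:14:01", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 4625, "Time": "2026-01-12T02:14:03", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 4625, "Time": "2026-01-12T02:14:05", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 4625, "Time": "2026-01-12T02:14:08", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 4625, "Time": "2026-01-12T02:14:10", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 4625, "Time": "2026-01-12T02:14:12", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 4624, "Time": "2026-01-12T02:14:15", "User": "administrator", "LogonType": 10, "Ip": "203.0.113.7"}
{"EventID": 7045, "Time": "2026-01-12T02:20:40", "ServiceName": "UPlugPlay", "ImagePath": "C:\\Users\\Public\\service.exe"}
{"EventID": 4625, "Time": "2026-01-12T08:00:30", "User": "j.smith", "LogonType": 10, "Ip": "192.0.2.44"}
{"EventID": 4624, "Time": "2026-01-12T08:01:00", "User": "j.smith", "LogonType": 10, "Ip": "192.0.2.44"}
"""


def parse_events(text):
    """Parse JSON-lines events and return them sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["Time"] = datetime.fromisoformat(event["Time"])
        events.append(event)
    return sorted(events, key=lambda e: e["Time"])


def find_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Flag (ip, user) pairs with >= threshold failed RDP logons inside
    `window` that are followed by a successful logon from the same IP."""
    failures = defaultdict(list)   # (ip, user) -> timestamps of failures
    findings = []
    for e in events:
        if e.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        key = (e["Ip"], e["User"])
        if e["EventID"] == FAILED_LOGON:
            failures[key].append(e["Time"])
        elif e["EventID"] == SUCCESS_LOGON:
            recent = [t for t in failures[key] if e["Time"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"ip": e["Ip"], "user": e["User"],
                                 "failures": len(recent), "success_at": e["Time"]})
            failures[key].clear()   # a success ends the current guessing run
    return findings


def find_prometei_services(events):
    """Flag 7045 installs whose service name matches a known Prometei component."""
    return [{"service": e["ServiceName"], "image": e.get("ImagePath"), "at": e["Time"]}
            for e in events
            if e["EventID"] == SERVICE_INSTALLED
            and e.get("ServiceName", "").lower() in KNOWN_SERVICE_NAMES]


def hunt(text):
    """Run both detections over a JSON-lines log and return the findings."""
    events = parse_events(text)
    return {"bruteforce": find_rdp_bruteforce(events),
            "services": find_prometei_services(events)}


if __name__ == "__main__":
    for kind, hits in hunt(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, hit)
```

Feeding real exported events (for example from `Get-WinEvent` converted to JSON lines with the same field names) is a matter of swapping `SAMPLE_LOG`; the single-failure case for `j.smith` shows why a threshold rather than any failure-then-success pair is needed to keep ordinary typos out of the alert queue.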

Sharon Florentine
Sharon Florentine Editorial Director

Sharon Florentine is the editorial director for CyberRisk Alliance’s Channel Brands and acting editorial director for SC UK. She is responsible for setting strategy and editorial direction and developing content for news, features, analysis and other written content, moderates live webcasts, and oversees research projects. Sharon has previously held key editorial, content and leadership positions at DevOps.com, Security Boulevard, CIO.com, Ziff Davis Enterprise, and CRN, among others.
