
The breach highlights the vulnerability of critical infrastructure to credential‑based attacks and underscores the need for robust remote‑access security across the construction sector.
The discovery of the Prometei botnet inside a UK construction firm’s Windows Server underscores how legacy IT practices can expose critical infrastructure to sophisticated cyber threats. The intrusion, traced to January 2026, leveraged weak or default Remote Desktop Protocol credentials—a common entry point for threat actors targeting organizations that rely on remote access for project coordination. While the botnet’s primary payload mines Monero, its secondary functions include extensive password harvesting, turning a seemingly innocuous construction environment into a foothold for broader network compromise.
Prometei operates as a modular toolkit rather than a single executable. After a successful RDP login, it installs a service named UPlugPlay and a startup file, sqhost.exe, ensuring persistence across reboots. The core payload, zsvc.exe, is delivered encrypted from a server linked to Primesoftex Ltd., then decrypted on the host. An integrated Mimikatz build (identified as miWalk) extracts cached credentials, while all command‑and‑control traffic is tunneled through the Tor network to evade detection. A sandbox‑evasion check looks for the presence of mshlpda32.dll and, if the file is absent, executes decoy tasks to mislead analysts.
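As an added example (not code from the article, eSentire or any Prometei analysis), the following Python routine scans constructed Windows event records for the artifacts the article names: the UPlugPlay service, sqhost.exe and zsvc.exe, plus the entry pattern of a burst of failed RDP logons followed by a success from the same source. The event IDs are the standard Windows ones (4625/4624 failed/successful logon, 7045 service install, 4688 process creation); the JSON field names, the sample source address and the failure threshold are assumptions made for this example.

```python
"""Triage constructed Windows event records for the Prometei artifacts the
article names. The sample records below are constructed for this example."""
import json
import ntpath
from collections import Counter
PROMETEI_SERVICE = "uplugplay"                 # service name from the article
PROMETEI_FILES = {"sqhost.exe", "zsvc.exe"}    # file names from the article
RDP_LOGON_TYPE = "10"                          # Windows logon type 10 = RemoteInteractive (RDP)
FAILED_LOGON_THRESHOLD = 5                     # assumed threshold for password guessing
# Constructed records: a burst of failed RDP logons, a success from the same
# source, a service install, and two process creations. Field names are assumed.
SAMPLE_EVENTS = (
    [r'{"id": 4625, "src": "203.0.113.9", "user": "Administrator", "logon_type": "10"}'] * 5
    + [
        r'{"id": 4624, "src": "203.0.113.9", "user": "Administrator", "logon_type": "10"}',
        r'{"id": 7045, "service": "UPlugPlay", "path": "C:\\Windows\\sqhost.exe"}',
        r'{"id": 4688, "image": "C:\\Windows\\zsvc.exe"}',
        r'{"id": 4688, "image": "C:\\Windows\\System32\\svchost.exe"}',
    ]
)

def _basename(path):
    # ntpath handles Windows separators regardless of the analyst's OS
    return ntpath.basename(path or "").lower()

def triage(lines):
    """Return a list of finding strings for the indicators seen in `lines`."""
    findings = []
    failed_by_src = Counter()
    for line in lines:
        ev = json.loads(line)
        eid, src = ev.get("id"), ev.get("src", "")
        if eid == 4625 and ev.get("logon_type") == RDP_LOGON_TYPE:
            failed_by_src[src] += 1                  # count RDP failures per source
        elif eid == 4624 and ev.get("logon_type") == RDP_LOGON_TYPE:
            if failed_by_src[src] >= FAILED_LOGON_THRESHOLD:
                # a success right after a burst of failures matches a guessed RDP credential
                findings.append(f"rdp-guess-success {src} {ev.get('user')}")
        elif eid == 7045:
            if (ev.get("service", "").lower() == PROMETEI_SERVICE
                    or _basename(ev.get("path")) in PROMETEI_FILES):
                findings.append(f"prometei-service {ev.get('service')} {ev.get('path')}")
        elif eid == 4688 and _basename(ev.get("image")) in PROMETEI_FILES:
            findings.append(f"prometei-process {ev.get('image')}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```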
Mitigating threats like Prometei requires a layered security approach. Organizations should replace default passwords with complex, unique credentials and enforce multi‑factor authentication for all remote logins. Regular patching of Windows Server components, coupled with network segmentation, limits lateral movement once a breach occurs. eSentire’s release of unpacking utilities provides the security community with valuable intelligence, fostering collaborative defense. As ransomware and cryptojacking groups continue to weaponize legitimate administration tools, continuous monitoring and threat‑intel sharing become essential to protect high‑value sectors such as construction.