Unit 42 researchers identified a new wave of Prometei botnet attacks in March 2025. The malware, which includes Linux and Windows variants, allows remote control of compromised systems for cryptocurrency mining and credential theft. Prometei is actively developed, incorporating new modules and methods, including a backdoor for various malicious activities. It uses a domain generation algorithm for C2 infrastructure and self-updating features for evasion. The article analyzes versions three and four of the Linux variant, highlighting differences from version two. Prometei's modular architecture makes it highly adaptable, with components for brute-forcing credentials, exploiting vulnerabilities, mining cryptocurrency, stealing data, and C2 communication. The botnet's primary goal is Monero mining, but it also has secondary capabilities like credential theft and deploying additional malware payloads.