A connection is suspected between the Prometheus traffic direction system (TDS) and a cracked copy of Cobalt Strike. Both are offered to multiple threat actors as tools for orchestrating post-exploitation activity.

What has happened?

Researchers from BlackBerry have discovered overlaps between an illegitimate version of Cobalt Strike and Prometheus TDS-related activity, suggesting the cracked copy may be distributed by the operators of Prometheus.
  • Experts surmise that someone connected with the Prometheus TDS may be managing the cracked version of Cobalt Strike and supplying it with a purchase of the service. Alternatively, it may be provided as part of a standard playbook or a VM installation.
  • Prometheus TDS is promoted as a service for large-scale phishing redirection to rogue landing pages that are created to spread malware payloads.
  • The price of the service is $250 a month, as per the latest offering on Russian underground forums.

Prometheus capabilities

The main features of Prometheus include a web of malicious infrastructure, PHP backdoors, malicious email distribution, illicit file hosting on genuine services, traffic redirection, and delivery of malicious files.

Who has used it?

  • In the last two years, multiple threat actors, malware operators, and ransomware groups, including FIN7, FickerStealer, Qakbot, DarkCrystal RAT, IcedID, BlackMatter, Ryuk, Cerber, and REvil, have used the cracked version of Cobalt Strike.
  • Moreover, the same Cobalt Strike Beacon was observed in activity associated with the initial access broker Zebra2104, whose services are used by MountLocker, Phobos, and StrongPity.

The combined offering of Prometheus TDS and the cracked Cobalt Strike tool is a serious concern for security agencies. The service is already in use by multiple threat actors, which indicates high demand. It also reinforces that cybercriminals are quickly adopting enterprise-like professionalism through such malicious services.
Cyware Publisher