Prometheus Traffic Distribution System (TDS) - a new cybercrime service has been discovered that is helping other malware gangs to spread their malicious payloads. It is a new type of crime model that has gradually evolved since its first appearance in August 2020.

What happened?

Researchers from Group-IB discovered various campaigns in which malware samples were being spread via compromised web servers using the services of Prometheus TDS.
  • Subscribers of this service can select the type of users they want to target based on geographical location, browser, or OS version, and then provide a list of compromised web servers.
  • At present, the malware spreading platform is distributing some of the most dangerous malware strains that are known today, such as Campo Loader, QBot, IcedID, Buer Loader, and SocGholish.

How does it work?

The concept behind Prometheus TDS is that malware gangs can rent this platform on a time-based subscription.
  • Prometheus TDS is used to scan the list of hacked websites to deliver its own backdoor to the compromised servers.
  • Once this is done, Prometheus subscribers can move on to sending spam emails. This email body text has malicious links to the hacked websites that eventually deliver the desired malware.
  • If a user clicks on the links in the email, the Prometheus backdoor examines the victim’s browser information and redirects the unsuspecting user to a safe web page or to one that is hosting malware.

About Prometheus

Prometheus was first spotted by Group-IB, wherein it is being promoted on underground cybercrime forums at the price tag of $30 for 2 days of access to the platform, or $250 for month-long access.


Prometheus TDS shows the evolving situation of the cyberattack landscape where malware creators are working as a team. It makes services like this accessible to any novice hacker and motivates them further for bigger crimes. All in all, such trends are expected to further deepen the trouble for security warriors across organizations.

Cyware Publisher