
Monero-mining botnet targets orgs through recent MS Exchange vulnerabilities

Prometei is a cross-platform (Windows, Linux), modular Monero-mining botnet that seems to have flown under the radar for years. Cybereason incident responders have witnessed instances of the botnet enslaving endpoints of companies across the globe, in a variety of industries. The malware is specifically interested in the file ‘ExpiredPasswords.aspx’, which was reported to be the name used to obscure the HyperShell backdoor used by APT34 (aka OilRig). If the file exists, the malware immediately deletes it, and uses a module that masquerades as a legitimate Microsoft endpoint security program.

Source: https://www.helpnetsecurity.com/2021/04/22/botnet-exchange-vulnerabilities/
