CROSS-PLATFORM
- [2026.05.06][Part 2/2] Two-Way Prometei: When the Linux Botnet Pivots Back to Windows
17 Windows modules dropped alongside the Linux ELF in the same Prometei drop, including a Mimikatz variant frozen since 2023, a Tor stack masquerading as MSDTC and Smart Card services, and a Linux ELF that pivots back to Windows via WinRM (5985), Redis SLAVEOF (16379), and SMBv1-era dialects. One cross-platform toolkit, walker.ini glue, server-side fingerprint of the C2.
- [2026.05.06][Part 1/2] Prometei Goes Both Ways: Same C2, Both Operating Systems, Three Months Apart
A fresh Prometei v3/v4 ELF on a Linux honeypot, beaconing to the same C2 IP and Tor onion, and using the same UPlugPlay disguise convention, that eSentire flagged on the Windows side three months earlier. The JSON-trailer schema yields a parent-peer back-pointer per bot. Postscript: four parallel binary-churn cadences in the same toolkit, including bit-identical zsvc unpacked code across drops.