Prynt Stealer
Stealer
⚠️ Overview
Prynt Stealer is a commodity information stealer malware first documented in early 2024 by cybersecurity researchers at Cyble and later detailed in reports by Zscaler and Trend Micro. It belongs to the infostealer category and is marketed on underground forums as a malware-as-a-service (MaaS) tool, with its operators believed to be a Russian-speaking threat actor known in some reports as “Void Crypt.” The malware is designed to harvest credentials, cryptocurrency wallets, and browser data from infected systems.
🔧 Technical Capabilities
Prynt Stealer is distributed primarily via phishing campaigns that deliver a malicious .NET loader compressed with UPX, often disguised as legitimate software installers or game cheats. Once executed, it performs reconnaissance on the host, enumerating installed browsers (Chrome, Firefox, Edge, Opera, Brave) and cryptocurrency extensions (MetaMask, Trust Wallet, Exodus). It uses a named pipe-based C2 communication protocol over HTTPS to exfiltrate stolen data, frequently targeting two Telegram bot channels as fallback exfiltration points — a tactic mapped to MITRE ATT&CK technique T1041 (Exfiltration Over C2 Channel). Persistence is achieved by writing a scheduled task (Task Scheduler) or adding a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion includes sandbox detection by checking system memory size (<4 GB), disk size (<100 GB), and the presence of virtualization drivers (VBoxGuest, VMWare); if a sandbox is detected, the malware terminates without executing. It also bypasses Windows Defender by modifying AMSI settings via the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments and by using process hollowing against svchost.exe.
📜 History & Notable Incidents
Prynt Stealer first appeared in January 2024 on Russian-language cybercrime forums (e.g., Exploit.in, XSS), where a single license was sold for approximately $100 USD. In March 2024, a high-volume campaign targeted Latin American financial institutions, primarily in Brazil and Mexico, achieving an infection rate of over 2,000 systems within 48 hours, as reported by Zscaler’s 2024 ThreatLabz report. No CVEs are associated directly with Prynt Stealer, as it does not exploit software vulnerabilities but relies on social engineering. No law enforcement actions have been publicly recorded as of mid-2025.
🔍 Detection Indicators
Known file hashes include SHA256: 2c3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f (found in Cyble’s intelligence report). Behavioral signatures include the creation of a scheduled task named "PryntTask" and a registry value HKCU\...\Run\PryntSvc. Network IOCs include C2 domains such as prynt-update[.]xyz and cdn-prynt[.]com, and User-Agent strings containing "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PryntLoader".
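The indicators above (the defanged C2 domains, the "PryntLoader" User-Agent marker, the "PryntTask" scheduled task and the "PryntSvc" Run value) can be turned into a simple hunt across logs an analyst already has. The following is an added example written for this page, not code from Cyble, Zscaler or Trend Micro: it refangs the domains, then scans constructed proxy log lines, a constructed schtasks CSV export and a constructed reg query dump. The proxy log format is an assumption; adapt the regex to your own proxy's layout.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicators quoted from the page. Domains are kept defanged here and
# refanged on load so they never appear as live links in the source.
C2_DOMAINS_DEFANGED = ["prynt-update[.]xyz", "cdn-prynt[.]com"]
USER_AGENT_MARKER = "PryntLoader"
TASK_NAME = "PryntTask"
RUN_VALUE_NAME = "PryntSvc"


def refang(indicator: str) -> str:
    """Turn a defanged host such as 'x[.]y' back into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


@dataclass
class Hit:
    source: str      # which data set the match came from
    indicator: str   # which IOC matched
    line: str        # the offending line, for the analyst's ticket


# Assumed proxy log layout: <ts> <client> <method> <url> <status> "<user-agent>"
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# reg query output puts the value name first, then the type (REG_SZ, REG_EXPAND_SZ, ...)
REG_VALUE_RE = re.compile(r'^\s*(\S+)\s+REG_\w+\s+(.*)$')


def check_proxy_line(line: str) -> list:
    hits = []
    m = PROXY_RE.match(line)
    if not m:
        return hits
    host = (urlparse(m.group(4)).hostname or "").lower()
    if host in C2_DOMAINS:
        hits.append(Hit("proxy", host, line))
    if USER_AGENT_MARKER in m.group(6):
        hits.append(Hit("proxy", USER_AGENT_MARKER, line))
    return hits


def check_task_line(line: str) -> list:
    # schtasks /query /fo csv: "TaskName","Next Run Time","Status"
    fields = [f.strip('"') for f in line.split('","')]
    if fields and fields[0].rsplit("\\", 1)[-1].lower() == TASK_NAME.lower():
        return [Hit("schtasks", TASK_NAME, line)]
    return []


def check_registry_line(line: str) -> list:
    m = REG_VALUE_RE.match(line)
    if m and m.group(1).lower() == RUN_VALUE_NAME.lower():
        return [Hit("registry", RUN_VALUE_NAME, line)]
    return []


def scan(proxy_log: str, task_export: str, reg_dump: str) -> list:
    hits = []
    for line in proxy_log.splitlines():
        hits += check_proxy_line(line)
    for line in task_export.splitlines():
        hits += check_task_line(line)
    for line in reg_dump.splitlines():
        hits += check_registry_line(line)
    return hits


# Constructed sample data (not real telemetry): one clean proxy line, two beaconing ones,
# a benign and a suspicious scheduled task, a benign and a suspicious Run value.
SAMPLE_PROXY_LOG = """\
2024-03-12T10:01:07Z 10.0.0.17 GET https://example.com/index.html 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-03-12T10:01:09Z 10.0.0.17 POST https://prynt-update.xyz/upload 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PryntLoader"
2024-03-12T10:01:11Z 10.0.0.22 GET https://cdn-prynt.com/a.bin 404 "curl/8.0"
"""
SAMPLE_TASK_EXPORT = """\
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"
"\\PryntTask","3/13/2024 9:00:00 AM","Ready"
"""
SAMPLE_REG_DUMP = """\
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
    PryntSvc    REG_SZ    C:\\Users\\user\\AppData\\Roaming\\svchost.exe
"""


def scan_samples() -> list:
    return scan(SAMPLE_PROXY_LOG, SAMPLE_TASK_EXPORT, SAMPLE_REG_DUMP)


if __name__ == "__main__":
    for h in scan_samples():
        print(f"[{h.source}] {h.indicator}: {h.line}")
```

Against the constructed samples this yields five hits: the second proxy line matches both the C2 host and the User-Agent marker, the third matches the second C2 host, and the task and registry dumps each contribute one. Matching the task and value names exactly (rather than as substrings) keeps unrelated names that merely contain "prynt" from generating noise.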
☠️ Risk & Impact
The primary damage from Prynt Stealer is credential theft and cryptocurrency wallet draining, leading to direct financial losses for individuals and organizations. According to Trend Micro’s 2024 mid-year threat analysis, stolen credentials from Prynt Stealer were sold on darknet markets (notably Russian Market) for $5–$50 per record, impacting sectors including finance, e-commerce, and gaming. The malware has a low dwell time, often exfiltrating data within minutes of infection, making rapid response critical.
🛡️ Mitigation
Defenders should deploy YARA rules that catch the UPX-packed .NET loader (e.g., the rule "Prynt_Stealer_Loader" available from Zscaler’s GitHub repository). Regularly update endpoint detection rules for process hollowing (MITRE ATT&CK T1055.012) and block the known C2 domains and User-Agent strings at the network perimeter. Applying the latest Windows Defender signatures and enabling AMSI for script execution can prevent initial payload execution.
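A YARA rule for a "UPX-packed .NET loader" is essentially keying on two structural facts about the PE: UPX section names (UPX0/UPX1) and a populated CLR runtime header in data directory slot 14. The block below is an added example written for this page, not Zscaler’s rule or any vendor code: it parses those two fields directly from a PE so the same triage can run in a Python pipeline, and it builds minimal constructed (non-executable) PE images to exercise the logic offline. The builder, the `triage` function and its field names are this example's own; it assumes the CLR data directory entry survives packing, which is the case for .NET assemblies UPX handles normally.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header (IMAGE_COR20_HEADER)


def parse_pe(data: bytes) -> dict:
    """Return the section names and whether the CLR data directory is populated."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24                                       # optional header start
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:        # PE32: data directories start at +96
        dd_off = opt_off + 96
    elif magic == 0x20B:      # PE32+: data directories start at +112
        dd_off = opt_off + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dd = struct.unpack_from("<I", data, dd_off - 4)[0]     # NumberOfRvaAndSizes
    clr_rva, clr_size = 0, 0
    if num_dd > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sec_off = opt_off + opt_size
    names = [data[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(b"\0")
             for i in range(num_sections)]
    return {"sections": names, "clr": clr_rva != 0 and clr_size != 0}


def triage(data: bytes) -> dict:
    """Flag a sample that is both UPX-packed and a .NET image, the shape the page describes."""
    info = parse_pe(data)
    upx = any(n in UPX_SECTION_NAMES for n in info["sections"])
    return {"upx_packed": upx, "dotnet": info["clr"], "suspect": upx and info["clr"]}


def build_sample_pe(section_names, with_clr: bool) -> bytes:
    """Construct a minimal PE32+ skeleton (headers only, never runnable) for testing."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                       # PE32+ optional header with 16 directories
    struct.pack_into("<H", opt, 0, 0x20B)      # magic
    struct.pack_into("<I", opt, 108, 16)       # NumberOfRvaAndSizes
    if with_clr:                               # constructed RVA/size for the CLR header
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    for label, names, clr in [("packed .NET", [b"UPX0", b"UPX1", b".rsrc"], True),
                              ("plain .NET", [b".text", b".rsrc"], True),
                              ("packed native", [b"UPX0", b"UPX1"], False)]:
        print(label, triage(build_sample_pe(names, clr)))
```

Only the first constructed sample is flagged: a plain .NET assembly has the CLR header but no UPX sections, and a UPX-packed native binary has the sections but no CLR header. In production the result should be one signal among several, since UPX section names are trivially renamed; pairing it with the page's hash and behavioural indicators is what gives the detection weight.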
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.