Security Affairs
U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|U.S. CISA adds iCagenda and Balbooa Forms flaws to its Known Exploited Vulnerabilities catalog|Critical U-Boot Bugs Undermine Secure Boot on Millions of Devices|Update Now: Critical Zimbra Classic Web Client Flaw Could Expose Mailboxes|Ransomware Never Stopped: Over 9,000 Confirmed Attacks Since 2018|222 GitHub Repositories Linked to Fake Go Package Malware Operation|Former Ransomware Negotiator Sentenced to 70 Months in Prison for Secretly Helping BlackCat Gang|GigaWiper Merges Three Malware Families Into One Destructive Backdoor|INTERPOL Operation First Light Nets 5,811 Arrests and Seizes $293 Million|GodDamn Ransomware Uses PoisonX to Blind Security Software|AssuranceAmerica Breach Exposes 7 Million Driver’s Licenses After Employee Account Hack|Microsoft fixed Defender flaw RoguePlanet (CVE-2026-50656)|Fake VPN and 7-Zip Apps Turn Victims Into Residential Proxy Nodes|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals

The information-stealing malware Prynt Stealer contains a backdoor that allows stealing the data it has infiltrated from victims. Zscaler researchers discovered Telegram channel-based backdoor in the information stealing malware, Prynt Stealer, which allows to secretly steal a copy of the data exfiltrated from the victims. “Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also […]

Prynt Stealer

The information-stealing malware Prynt Stealer contains a backdoor that allows stealing the data it has infiltrated from victims.

Zscaler researchers discovered Telegram channel-based backdoor in the information stealing malware, Prynt Stealer, which allows to secretly steal a copy of the data exfiltrated from the victims.

“Zscaler ThreatLabz researchers have uncovered the Prynt Stealer builder, also attributed with WorldWind, and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of these malware families.” reads the analysis published by Zscaler. “The backdoor sends copies of victims’ exfiltrated data gathered by other threat actors to a private Telegram chat monitored by the builder’s developers.”

This ugly surprise is not a novelty in the cybercrime landscape, in the past other malware was spotted to contain a secret backdoor.

Prynt Stealer is an information stealer that was first discovered in April, it allows its operators to harvest credentials from web browsers, VPN/FTP clients, as well as messaging and gaming applications.

The malware is based on open source projects, including AsyncRAT and StormKitty, and it exfiltrates data stolen from victims through a Telegram channel.

Prynt Stealer is available for sale in the underground market for $100 for a one-month license and $900 for a lifetime subscription.

Prynt Stealer

Prynt Stealer borrows the code responsible for sending information to Telegram from StormKitty with a few minor changes.

The experts pointed out that the info stealer does not use the anti-analysis code from either AsyncRAT or StormKitty. It creates a thread that invokes the function named processChecker to continuously monitor the victim’s process list for processes such as taskmgr, netmon, netstat, and wireshark. In case one of the monitored processes is detected, it blocks the Telegram command-and-control communication channels.

“The fact that all Prynt Stealer samples encountered by ThreatLabz had the same embedded telegram channel implies that this backdoor channel was deliberately planted by the author. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving all of the data that is stolen.” continues the analysis. “Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor, which in turn will benefit the malware author even without direct compensation.”

The researchers also spotted cracked/leaked copies of Prynt Stealer that were containing the same backdoor, this means that the malware author was able to obtain stolen data also from these copies.

Researchers discovered at least two more variants of the info-stealing malware dubbed WorldWind and DarkEye that were written by the same author. The experts noticed that DarkEye is not sold or mentioned publicly, however, it is bundled as a backdoor with a “free” Prynt Stealer builder. 

The builder is backdoored with DarkEye Stealer and Loda RAT.

“The free availability of source code for numerous malware families has made development easier than ever for less sophisticated threat actors. As a result, there have been many new malware families created over the years that are based on popular open source malware projects like NjRat, AsyncRAT and QuasarRAT. The Prynt Stealer author went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and chat ID into the malware.” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]