Privacy Ninja

Dev Backdoors Own Malware to Steal Data from other Hackers

Dev Backdoors Own Malware to Steal Data from other Hackers


Cybercriminals using Prynt Stealer to collect data from victims are being swindled by the malware developer, who also receives a copy of the info over Telegram messaging service.

The malware developer has planted in the builder for the infostealer a backdoor that is present in every resulting copy that is being rented to cybercriminals for prices between $100 per month or $700 per year to $900 for a lifetime subscription.

Prynt Stealer can steal cryptocurrency wallet information, sensitive info stored in web browsers (credentials credit cards), VPN account data, cloud gaming account details.

Cyble analyzed Prynt Stealer back in April 2022 and highlighted that it included inactive code for a clipper and keylogger, both being unusual functions for an infostealer.

Also Read: 5 Signs On How to Know if Ransomware is on Your Computer

The data that Prynt Stealer grabs is typically compressed and exfiltrated through a Telegram bot to a channel controlled by the cybercriminal.

However, according to a report from cloud security company Zscaler, the malware comes with an additional, hardcoded Telegram token and ID to send stolen data to the author behind the operator’s back.

Built for scamming

Prynt Stealer is based on the code of the AsyncRAT remote access tool and the StormKitty infostealer. The developer made some minor modifications to some of the features and removed others.

Zscaler’s researchers also note that Prynt Stealer is very similar to the malware families WorldWind and DarkEye, suggesting that the same author is behind them.

Prynt Stealer’s builder is meant to help unskilled cybercriminals configure the malware for deployment, setting all parameters and letting the automated tool do the work.

Prynt Stealer's GUI builder
Prynt Stealer’s GUI builder (Zscaler)

Zscaler’s analysts acquired a leaked copy of the builder and found that during execution, a loader fetches ‘DarkEye Stealer’ from Discord and configures it to exfiltrate data to the author.

DarkEye is a variant of Prynt Stealer, the difference between them being that the clipper and keylogger functionality is enabled in the former and disabled in the latter.

DarkEye Telegram token and ID, and active keylogger code
DarkEye Telegram token and ID, and active keylogger code (Zscaler)

In addition, the malware author configures the builder to drop and execute LodaRAT, an old (2017) yet powerful trojan, that enables remote actors to take control of the infected system, steal information, fetch additional payloads, etc.

Also Read: How COVID-19 Contact Tracing in Singapore Applies at Workplace

Prynt Stealer's builder infection diagram
Prynt Stealer’s builder infection diagram (Zscaler)

Now that the backdoor in Prynt Stealer has been exposed, the cybercriminals using it are likely to look elsewhere. It looks like the Prynt Stealer author already has two products waiting, since they are not currently actively promoted hacking forums.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us