Dev backdoors own malware to steal data from other hackers


Cybercriminals using Prynt Stealer to collect data from victims are being swindled by the malware developer, who also receives a copy of the info over the Telegram messaging service.

The malware developer has planted a backdoor in the infostealer's builder, so it is present in every resulting copy rented to cybercriminals, for $100 per month, $700 per year, or $900 for a lifetime subscription.

Prynt Stealer can steal cryptocurrency wallet information, sensitive info stored in web browsers (credentials, credit cards), VPN account data, and cloud gaming account details.

Cyble analyzed Prynt Stealer back in April 2022 and highlighted that it included inactive code for a clipper and keylogger, both being unusual functions for an infostealer.

The data that Prynt Stealer grabs is typically compressed and exfiltrated through a Telegram bot to a channel controlled by the cybercriminal.

However, according to a report from cloud security company Zscaler, the malware comes with an additional, hardcoded Telegram token and ID to send stolen data to the author behind the operator’s back.
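To triage a suspected Prynt or DarkEye sample for the double exfiltration described above, the following is an added example (not Zscaler's or the article's code) that scans a binary for Telegram bot tokens, chat IDs and Bot API method names and flags a sample that carries more than one destination. The sample bytes are constructed, not real indicators, and the 35-character token suffix is an assumption based on the public Bot API token format.

```python
import re

# Telegram bot tokens are "<numeric bot id>:<35 URL-safe chars>" (public Bot
# API format; the 35-char length is an assumption from tokens seen in the
# wild). Chat/channel IDs are signed integers. Patterns are bytes so they can
# run over a raw sample or memory dump.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{7,12}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
METHOD_RE = re.compile(rb"api\.telegram\.org/bot\d{7,12}:[A-Za-z0-9_-]{35}/([A-Za-z]+)")
CHAT_ID_RE = re.compile(rb"chat_id=(-?\d{5,16})")


def _views(blob: bytes):
    """Yield the raw bytes plus UTF-16LE decodings at both byte alignments:
    Prynt's AsyncRAT/StormKitty lineage is .NET, whose string literals are
    stored as UTF-16, so an ASCII-only scan can miss a hard-coded token."""
    yield blob
    for offset in (0, 1):
        text = blob[offset:].decode("utf-16le", errors="ignore")
        yield text.encode("utf-8", errors="ignore")


def find_telegram_destinations(blob: bytes) -> dict:
    """Collect every distinct Telegram token, chat ID and Bot API method."""
    tokens, chat_ids, methods = set(), set(), set()
    for view in _views(blob):
        tokens.update(m.group(1) for m in TOKEN_RE.finditer(view))
        chat_ids.update(m.group(1) for m in CHAT_ID_RE.finditer(view))
        methods.update(m.group(1) for m in METHOD_RE.finditer(view))
    return {
        "tokens": sorted(t.decode() for t in tokens),
        "chat_ids": sorted(c.decode() for c in chat_ids),
        "methods": sorted(m.decode() for m in methods),
        # One stealer, two destinations: the operator's configured bot plus a
        # second hard-coded one is the backdoor pattern Zscaler describes.
        "suspect_double_exfil": len(tokens) > 1 or len(chat_ids) > 1,
    }


# Constructed sample (not real IoCs): an operator bot URL in plain ASCII plus
# a second token stored as a UTF-16 string, mimicking the hidden destination.
OPERATOR_TOKEN = b"1234567890:AAF" + b"a" * 32
AUTHOR_TOKEN = b"9876543210:AAH" + b"b" * 32
SAMPLE = (
    b"\x00\x01https://api.telegram.org/bot" + OPERATOR_TOKEN
    + b"/sendDocument?chat_id=1122334455\x00junk\xffchat_id=-1009988776655&"
    + AUTHOR_TOKEN.decode().encode("utf-16le") + b"\x00"
)

if __name__ == "__main__":
    print(find_telegram_destinations(SAMPLE))
```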

Built for scamming

Prynt Stealer is based on the code of the AsyncRAT remote access tool and the StormKitty infostealer. The developer made minor modifications to some of the features and removed others.

Zscaler’s researchers also note that Prynt Stealer is very similar to the malware families WorldWind and DarkEye, suggesting that the same author is behind them.

Prynt Stealer’s builder is meant to help unskilled cybercriminals configure the malware for deployment, setting all parameters and letting the automated tool do the work.

Prynt Stealer’s GUI builder (Zscaler)

Zscaler’s analysts acquired a leaked copy of the builder and found that during execution, a loader fetches ‘DarkEye Stealer’ from Discord and configures it to exfiltrate data to the author.

DarkEye is a variant of Prynt Stealer, the difference between them being that the clipper and keylogger functionality is enabled in the former and disabled in the latter.

DarkEye Telegram token and ID, and active keylogger code (Zscaler)

In addition, the malware author configures the builder to drop and execute LodaRAT, an old (2017) yet powerful trojan that enables remote actors to take control of the infected system, steal information, fetch additional payloads, etc.

Prynt Stealer’s builder infection diagram (Zscaler)

Now that the backdoor in Prynt Stealer has been exposed, the cybercriminals using it are likely to look elsewhere. It looks like the Prynt Stealer author already has two products waiting, since they are not currently actively promoted on hacking forums.


  • mds75 – 4 days ago

    That’s hilarious!
    No honor among thieves.

  • horsedoggs – 4 days ago

    It’s dog eat dog out there. What a life, just get a normal job.
