Prinz Eugen ransomware: a deep dive into a new Go-based encryptor
Prinz Eugen is a newly discovered Go-based ransomware family first observed in April 2026, attributed to an actor known as ROOTBOY. The encryptor employs sophisticated techniques including ChaCha20-Poly1305 encryption, prioritizes recently modified files to maximize pressure on victims, and implements anti-forensic measures such as memory scrubbing and self-deletion. Unlike typical ransomware, it leaves no ransom note on disk, conducting all extortion communications out-of-band through leak sites and direct contact. The threat actor gains initial access through compromised RDP credentials, uses legitimate RMM tools like RemotePC for persistence, and creates backdoor admin accounts. Victims span multiple countries and sectors, with notable incidents including Standard Bank Group in South Africa and Transitions Pro Centre Val de Loire in France.
AI Analysis
Technical Summary
Prinz Eugen ransomware is a Go-based encryptor attributed to the ROOTBOY actor, first observed in April 2026. It encrypts files with ChaCha20-Poly1305, an authenticated stream cipher, and processes recently modified files first, so the data most likely to be in active use is lost before any response begins. After execution it scrubs its own memory and deletes itself to hinder analysis. Unlike typical ransomware, it drops no ransom note on infected systems; extortion takes place out-of-band via leak sites and direct contact with the victim. Initial access is through stolen RDP credentials, followed by installation of RemotePC, a legitimate remote-access/RMM tool, for persistence and the creation of backdoor administrator accounts. Victims span multiple countries and sectors, including Standard Bank Group in South Africa and Transitions Pro Centre Val de Loire in France. The indicators published with the report are domains (including two .onion addresses and stndrdbnk.cc, which resembles the name of one listed victim), a single staging IP that serves PowerShell stagers, file hashes, a Bitcoin address and contact email addresses. Because this is malware rather than a software vulnerability there is no patch; the relevant fixes are to the access path (RDP) and to detection.
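The intrusion chain described above (external RDP logon, a new account that is then added to Administrators, a RemotePC service install) is exactly the kind of sequence that is easy to catch by correlating Windows event records. The following is an added example, not code from the report or from ThreatDown/AlienVault. The event IDs and field names are real Windows Security/System log ones; the events, hosts, SIDs, addresses and the "internal networks" list are constructed assumptions.

```python
"""
Added example: correlate an external RDP logon with follow-on account creation,
Administrators-group membership and RMM service installation.
Event IDs/fields are real Windows ones; all records below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Event:
    ts: datetime
    event_id: int
    data: dict


@dataclass
class Finding:
    actor: str                                             # account that logged on over RDP
    source_ip: str
    backdoor_accounts: list = field(default_factory=list)  # created by actor, then put in Administrators
    rmm_services: list = field(default_factory=list)       # installed services matching an RMM marker


ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
# Assumption: the organisation's own address space; anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RMM_MARKERS = ("remotepc",)           # RemotePC is the tool named in the report; extend for your estate


def is_external(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:                # 4624 records may carry "-" for local logons
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_intrusion_chains(events, window=timedelta(hours=24)):
    """Start from each external RDP logon (4624, LogonType 10 = RemoteInteractive)
    and look forward `window` for the follow-on activity."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for logon in events:
        d = logon.data
        if not (logon.event_id == 4624 and d.get("LogonType") == 10
                and is_external(d.get("IpAddress", ""))):
            continue
        actor = d["TargetUserName"]
        later = [e for e in events if logon.ts < e.ts <= logon.ts + window]
        # 4720 = account created. Join to 4732 (member added to a local group) on the new
        # account's SID: 4732 frequently carries MemberName "-" and only MemberSid is reliable.
        created = {e.data["TargetSid"]: e.data["TargetUserName"]
                   for e in later if e.event_id == 4720 and e.data.get("SubjectUserName") == actor}
        elevated = {e.data["MemberSid"] for e in later
                    if e.event_id == 4732 and e.data.get("TargetSid") == ADMINISTRATORS_SID}
        backdoors = sorted(name for sid, name in created.items() if sid in elevated)
        # 7045 (System log) = a service was installed; match RMM products by name or image path.
        rmm = sorted(e.data.get("ServiceName", "?") for e in later if e.event_id == 7045
                     and any(m in (e.data.get("ServiceName", "") + e.data.get("ImagePath", "")).lower()
                             for m in RMM_MARKERS))
        if backdoors or rmm:
            findings.append(Finding(actor, d["IpAddress"], backdoors, rmm))
    return findings


# Constructed sample data (203.0.113.0/24 is a documentation range, used here as "external").
T0 = datetime(2026, 4, 12, 2, 14)
SAMPLE_EVENTS = [
    Event(T0, 4624, {"TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "203.0.113.45"}),
    Event(T0 + timedelta(minutes=9), 4720, {"SubjectUserName": "svc_backup", "TargetUserName": "sqladmin$",
                                             "TargetSid": "S-1-5-21-1111-2222-3333-1105"}),
    Event(T0 + timedelta(minutes=10), 4732, {"TargetSid": ADMINISTRATORS_SID,
                                              "MemberSid": "S-1-5-21-1111-2222-3333-1105"}),
    Event(T0 + timedelta(minutes=31), 7045, {"ServiceName": "RemotePCService",
                                              "ImagePath": r"C:\Program Files (x86)\RemotePC\RemotePCService.exe"}),
    # Benign noise: help desk creates a user over the LAN; the account is never elevated.
    Event(T0 + timedelta(hours=3), 4624, {"TargetUserName": "helpdesk", "LogonType": 10, "IpAddress": "10.20.0.7"}),
    Event(T0 + timedelta(hours=3, minutes=5), 4720, {"SubjectUserName": "helpdesk", "TargetUserName": "jdoe",
                                                      "TargetSid": "S-1-5-21-1111-2222-3333-1106"}),
]

if __name__ == "__main__":
    for f in find_intrusion_chains(SAMPLE_EVENTS):
        print(f)
```

The join on SID rather than on account name matters in practice: renaming the backdoor account after creation, or a 4732 record with MemberName "-", would break a name-based join but not this one. Feed the function from your SIEM's 4624/4720/4732/7045 exports and tune INTERNAL_NETS and RMM_MARKERS to your environment.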
Potential Impact
Files encrypted with ChaCha20-Poly1305 cannot be recovered without the key; absent an implementation flaw in key handling, which the report does not describe, recovery depends on backups. Encrypting recently modified files first means the most current, actively used data is lost before slower coverage of the rest of the file system. Memory scrubbing and self-deletion remove the sample and its in-memory state, leaving responders fewer artifacts from which to establish the keys or configuration used. With no ransom note on disk, the first sign of compromise may be unreadable files rather than an explicit demand, which can delay recognition that the event is extortion rather than corruption. Persistence through a legitimate RMM tool and added administrator accounts survives removal of the encryptor itself; eradication that stops at the binary leaves the actor's access intact. Victims across multiple countries and sectors indicate a broad operational scope.
Mitigation Recommendations
No patch applies, since this is malware rather than a software vulnerability; the controls are on the access path and on detection. Remove direct Internet exposure of RDP (place it behind a VPN or gateway with MFA), enable Network Level Authentication, enforce lockout and strong passwords, and alert on RDP logons (Windows Security event 4624, logon type 10) from addresses outside your own ranges. Treat unexpected installation of RemotePC or any other RMM or remote-access tool as an incident indicator: inventory approved tools, block the rest at the proxy and with application control, and alert on new services (System event 7045) or installers matching unapproved products. Alert on account creation (event 4720) and on additions to the Administrators group (event 4732 for local groups, 4728/4756 for domain groups) outside change windows, and review all admin group membership during response. Sweep DNS, proxy and EDR telemetry for the indicators listed below; the URLs point at PowerShell stagers on a single IP, so PowerShell script-block logging (event 4104) and outbound HTTPS to that address are the most direct detections. Because the encryptor scrubs memory and deletes itself, capture volatile memory and EDR process history before rebooting or re-imaging affected hosts. Maintain offline or immutable backups and test restores; with an authenticated cipher and no note to negotiate from, backups are the only realistic recovery path.
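Sweeping telemetry for the indicators below is straightforward only if the matcher handles the ways indicators actually show up: subdomains of a listed domain, a listed IP reached via an unlisted URL path, defanged copies pasted from a ticket, and hashes in mixed case. The following is an added example, not code from the report or from ThreatDown/AlienVault; the indicator values are the page's own, while the log line formats, hostnames, file paths and hashes other than the IOCs are constructed.

```python
"""
Added example: sweep constructed DNS/proxy log lines and file hashes against the
Prinz Eugen indicators on this page. IOC values are from the page; everything else
(log formats, sample lines, paths, non-IOC hashes) is constructed.
"""
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "6cudc5cqa2bjpwdhcwm2lj6dbqejjjqzeo6ipwvmbazr6cgu7vfk3dad.onion",
    "stndrdbnk.cc",
    "prinzfkbjiazbrur4mjje6mntjc4vydx3iatkkzycufoylqcoo4y7pqd.onion",
    "captchafestung.sbs", "darkempire.fun", "g-captchafestung.sbs",
    "old-pidop.ru", "festung-e.duckdns.org",
}
IOC_IPS = {"212.80.7.74"}
IOC_URLS = {
    "https://212.80.7.74/serverscan.ps1",
    "https://212.80.7.74/stager/mini",
    "https://212.80.7.74/stager/ps1",
}
IOC_HASHES = {
    "686213cc11d36af764de824801bced9366dfca3823fe0d51b752f74149bcf1f4",  # sha256
    "17dd3f59f13f54a34761cef0c2b73cd7",                                  # md5
    "9d94e2a15b75e1ef4487429ac71fc13e186c4a2d",                          # sha1
}


def refang(s: str) -> str:
    """Undo common defanging so pasted intel and raw logs compare equal."""
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":").replace("hxxp", "http")


def domain_hit(host: str):
    """Exact or subdomain match (www.darkempire.fun -> darkempire.fun).
    The reverse does not match: a query for duckdns.org is not festung-e.duckdns.org."""
    host = refang(host).lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def url_hit(url: str):
    """Full-URL match first, then the host against the IP and domain lists,
    so a request for an unlisted path on the staging IP is still flagged."""
    url = refang(url)
    if url in IOC_URLS:
        return ("url", url)
    host = (urlsplit(url).hostname or "").lower()
    if host in IOC_IPS:
        return ("ip", host)
    d = domain_hit(host)
    return ("domain", d) if d else None


def hash_hit(digest: str):
    h = digest.strip().lower()
    if h in IOC_HASHES:
        return ({32: "md5", 40: "sha1", 64: "sha256"}.get(len(h), "hash"), h)
    return None


def sweep(dns_lines, proxy_lines, file_hashes):
    """Constructed formats: DNS 'ts client qname'; proxy 'ts client method url';
    file_hashes maps path -> digest. Returns (source, indicator, evidence) tuples."""
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) >= 3 and (d := domain_hit(parts[2])):
            hits.append(("dns", d, line))
    for line in proxy_lines:
        parts = line.split()
        if len(parts) >= 4 and (u := url_hit(parts[3])):
            hits.append(("proxy", u[1], line))
    for path, digest in file_hashes.items():
        if (h := hash_hit(digest)):
            hits.append(("file", h[1], path))
    return hits


# Constructed sample telemetry.
SAMPLE_DNS = [
    "2026-04-12T02:20:11Z 10.20.0.15 www.darkempire.fun",
    "2026-04-12T02:21:40Z 10.20.0.15 festung-e.duckdns.org",
    "2026-04-12T02:22:03Z 10.20.0.15 duckdns.org",                # benign: parent of an IOC, not a match
    "2026-04-12T02:25:55Z 10.20.0.31 login.microsoftonline.com",
]
SAMPLE_PROXY = [
    "2026-04-12T02:31:09Z 10.20.0.15 GET hxxps://212.80.7[.]74/stager/ps1",   # defanged copy from a ticket
    "2026-04-12T02:31:20Z 10.20.0.15 GET https://212.80.7.74/favicon.ico",    # staging IP, unlisted path
    "2026-04-12T09:00:00Z 10.20.0.31 GET https://www.example.com/",
]
SAMPLE_HASHES = {
    r"C:\Users\Public\update.exe": "686213CC11D36AF764DE824801BCED9366DFCA3823FE0D51B752F74149BCF1F4",
    r"C:\Windows\System32\notepad.exe": "d41d8cd98f00b204e9800998ecf8427e",   # placeholder, not a real hash
}

if __name__ == "__main__":
    for hit in sweep(SAMPLE_DNS, SAMPLE_PROXY, SAMPLE_HASHES):
        print(*hit, sep="  ")
```

The host-level fallback in url_hit is the important design choice: the three listed URLs are just the paths the report happened to see on 212.80.7.74, and any other request to that address is equally interesting. Note also that g-captchafestung.sbs and captchafestung.sbs are separate registered names, which is why the suffix check requires a leading dot.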
Affected Countries
South Africa, France, United States, Canada
Indicators of Compromise
- domain: 6cudc5cqa2bjpwdhcwm2lj6dbqejjjqzeo6ipwvmbazr6cgu7vfk3dad.onion
- domain: stndrdbnk.cc
- ip: 212.80.7.74
- domain: prinzfkbjiazbrur4mjje6mntjc4vydx3iatkkzycufoylqcoo4y7pqd.onion
- hash: 686213cc11d36af764de824801bced9366dfca3823fe0d51b752f74149bcf1f4
- bitcoinaddress: bc1q2ztpcvqdaptej6uu2ywt9mrlatx6envu34rf0v
- url: https://212.80.7.74/serverscan.ps1
- url: https://212.80.7.74/stager/mini
- url: https://212.80.7.74/stager/ps1
- domain: captchafestung.sbs
- domain: darkempire.fun
- domain: g-captchafestung.sbs
- domain: old-pidop.ru
- email: [address obfuscated on the source page]
- email: [address obfuscated on the source page]
- domain: festung-e.duckdns.org
- hash: 17dd3f59f13f54a34761cef0c2b73cd7
- hash: 9d94e2a15b75e1ef4487429ac71fc13e186c4a2d
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.threatdown.com/blog/prinz-eugen-ransomware-a-deep-dive-into-a-new-go-based-encryptor/
- Adversary: ROOTBOY
- Pulse ID: 6a3d416ff54ce39010db1033
- Threat Score: not assigned
Threat ID: 6a3d46404853345fc11c397b
Added to database: 06/25/2026, 15:16:16 UTC
Last enriched: 06/25/2026, 15:31:08 UTC
Last updated: 06/26/2026, 01:16:55 UTC