Prynt Stealer is a recently identified information-stealing malware campaign observed in the wild, primarily designed to perform clipper and keylogger activities. This malware targets user credentials and sensitive information by capturing keystrokes and manipulating clipboard data to intercept cryptocurrency wallet addresses or other copied sensitive data. The stealer leverages multiple MITRE ATT&CK techniques, including user execution (T1204), system and process discovery (T1497.001, T1057), account discovery (T1087), software discovery (T1518), and system service and location discovery (T1007, T1614). It also performs credential theft from password stores (T1555), steals web session cookies (T1539), and application access tokens (T1528), indicating a broad scope of data exfiltration. The malware captures screen content (T1113) and exfiltrates data over command and control (C2) channels and web services (T1041, T1567). Prynt Stealer’s infection vector relies on user execution, meaning it requires victims to run malicious files or scripts, often delivered via phishing or social engineering. Although no known exploits are currently reported in the wild, the malware’s capabilities to harvest credentials, session tokens, and clipboard data pose significant risks to confidentiality and integrity of user data. The campaign’s perpetual lifetime and moderate certainty level (50%) suggest ongoing monitoring is necessary. The absence of affected versions implies it targets general Windows environments rather than specific software vulnerabilities.

For European organizations, Prynt Stealer presents a high risk primarily to confidentiality and integrity of sensitive information. By capturing credentials, session cookies, and access tokens, attackers can gain unauthorized access to corporate networks, cloud services, and financial accounts. The clipper functionality specifically threatens cryptocurrency transactions, which could impact financial institutions and companies dealing with digital assets. The keylogger and screen capture capabilities increase the risk of intellectual property theft and exposure of sensitive communications. The malware’s reliance on user execution means that organizations with less mature security awareness programs are more vulnerable. Given the malware’s ability to exfiltrate data stealthily over C2 channels and web services, detection may be challenging, potentially allowing prolonged unauthorized access. The impact extends to sectors with high-value data such as finance, technology, and government agencies. Additionally, the malware’s capability to perform system and location discovery could facilitate targeted attacks against strategic assets within European organizations.

1. Implement advanced endpoint detection and response (EDR) solutions capable of detecting keylogging and clipboard manipulation behaviors. 2. Enforce strict application whitelisting to prevent execution of unauthorized binaries and scripts. 3. Conduct targeted phishing awareness training emphasizing the risks of executing unknown attachments or links. 4. Deploy multi-factor authentication (MFA) across all critical systems to reduce the impact of credential theft. 5. Monitor network traffic for unusual outbound connections indicative of C2 communication or data exfiltration, focusing on uncommon web service endpoints. 6. Regularly audit and restrict access to password stores and sensitive tokens, employing credential vaulting solutions where possible. 7. Utilize behavioral analytics to detect anomalous process and system discovery activities. 8. Maintain up-to-date threat intelligence feeds to identify emerging indicators of compromise related to Prynt Stealer. 9. Segment networks to limit lateral movement if initial compromise occurs. 10. Encourage use of hardware wallets or secure methods for cryptocurrency transactions to mitigate clipper attacks.