Mallory
Malware | Ransomware | Used by 1 actor

Prinz Eugen


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

rootboy

On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen.

Source: threatdown.com
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1078.004 Cloud Accounts (evidence: 1)

We suspect the actor gained a foothold through compromised RDP credentials.

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

we also observed the actor leveraging the RemotePC RMM tool to launch PowerShell stagers and deploy additional payloads.

Persistence

3 techniques
T1078.004 Cloud Accounts (evidence: 1)

We suspect the actor gained a foothold through compromised RDP credentials.

T1136 Create Account (evidence: 1)

We observed the actor setting up an admin account as well: net user admin germania /add

T1136.001 Local Account (evidence: 1)

We observed the actor setting up an admin account as well: net user admin germania /add

Privilege Escalation

1 technique
T1078.004 Cloud Accounts (evidence: 1)

We suspect the actor gained a foothold through compromised RDP credentials.

Stealth

4 techniques
T1070 Indicator Removal (evidence: 1)

Prinz Eugen is a new Go-based ransomware family that encrypts files, prioritizes fresh data, and extorts victims out-of-band, leaving a deliberate, anti-forensic footprint.

T1070.004 File Deletion (evidence: 1)

Before exiting... it zeroes the hardcoded encryption key and runs the garbage collector... then deletes itself... cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q C:\Users\<redacted>\Music\servertool.exe

T1078.004 Cloud Accounts (evidence: 1)

We suspect the actor gained a foothold through compromised RDP credentials.

T1218.003 CMSTP (evidence: 1)

The self-delete uses cmd.exe with a ping-delay trick, which gives the parent process time to exit fully before deletion runs: cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q C:\Users\<redacted>\Music\servertool.exe

Lateral Movement

2 techniques
T1021.001 Remote Desktop Protocol (evidence: 1)

We suspect the actor gained a foothold through compromised RDP credentials.

T1570 Lateral Tool Transfer (evidence: 1)

Reporting on the Standard Bank intrusion adds further tradecraft: a hands-on dwell time of around three weeks before exfiltration, and lateral movement through enterprise applications including SharePoint, OneDrive, Power Apps, AppDynamics, Jira, Confluence, Citrix, Remedy, and Microsoft and Oracle SQL databases.

Collection

1 technique
T1074 Data Staged (evidence: 1)

The available reporting and incident data point to a simple pressure model: steal the data, encrypt the environment, then use the leak site and direct contact channels to force a decision.

Command and Control

2 techniques
T1105 Ingress Tool Transfer (evidence: 1)

Once inside, they downloaded the encryptor executable (servertool.exe) using Chrome and moved it into the user's Music folder.

T1219 Remote Access Tools (evidence: 1)

In the environment hit by this ransomware, we also observed the actor leveraging the RemotePC RMM tool to launch PowerShell stagers and deploy additional payloads.

Exfiltration

1 technique
T1041 Exfiltration Over C2 Channel (evidence: 1)

we suspect this IP is acting as a C2, and the additional payloads are probably remote access trojans (RATs) used for infostealing and exfiltration.

Impact

1 technique
T1486 Data Encrypted for Impact (evidence: 2)

The encryptor performs a fully recursive walk with no depth limit... encrypt every file that does not already carry the .prinzeugen extension... It first creates and encrypts a temporary copy... then renames that temporary file to its final form, document.docx.prinzeugen.
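The three host-side artifacts quoted on this page (the ping-delay self-delete under T1070.004, the `net user ... /add` account creation under T1136.001, and the rename to the `.prinzeugen` extension under T1486) can be matched in endpoint telemetry. The following is an added detection example, not code from the report or from Mallory; the event records are constructed to mimic process-creation and file-rename logs and are not real sightings.

```python
import re

# Constructed sample events (not taken from the report). Command lines reuse the
# patterns quoted on this page; the user path stays redacted as in the original.
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q C:\Users\<redacted>\Music\servertool.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net user admin germania /add"},
    {"kind": "file_rename", "target": r"C:\Users\<redacted>\Documents\document.docx.prinzeugen"},
    # Benign look-alikes that must not fire: a plain ping delay, a bare "net user" listing,
    # and an ordinary rename.
    {"kind": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C ping 127.0.0.1 -n 4 > nul"},
    {"kind": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"kind": "file_rename", "target": r"C:\Users\<redacted>\Documents\report-final.docx"},
]

# ping-delay to localhost chained with del of a file in the same command line
SELF_DELETE = re.compile(
    r"ping\s+127\.0\.0\.1\s+-n\s+\d+.*?&\s*del\s+(?:/[FQ]\s+)*(?P<target>\S+)", re.IGNORECASE)
# net user <name> <password> /add, also covering net1.exe / net.exe spellings
NET_USER_ADD = re.compile(
    r"\bnet(?:1)?(?:\.exe)?\s+user\s+(?P<name>\S+)\s+\S+\s+/add\b", re.IGNORECASE)
RANSOM_EXT = ".prinzeugen"

def classify(event):
    """Return (rule_name, detail) for a matching event, or None."""
    if event["kind"] == "file_rename":
        if event["target"].lower().endswith(RANSOM_EXT):
            return ("ransom_extension_rename", event["target"])
        return None
    cmd = event["cmdline"]
    if m := SELF_DELETE.search(cmd):
        return ("ping_delay_self_delete", m.group("target"))
    if m := NET_USER_ADD.search(cmd):
        return ("local_account_created", m.group("name"))
    return None

def scan(events):
    """Index every event that trips a rule, keeping the event position for triage."""
    return [(i, *hit) for i, e in enumerate(events) if (hit := classify(e))]

if __name__ == "__main__":
    for index, rule, detail in scan(EVENTS):
        print(f"event {index}: {rule}: {detail}")
```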

INDICATORS OF COMPROMISE

IOCs tracked for this family

12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 6 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 1 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 5 tracked. Other indicator types observed in public reporting.
