{
	"id": "5cc9a811-9366-4113-95af-30fb6a99c848",
	"created_at": "2026-04-06T00:20:06.31678Z",
	"updated_at": "2026-04-10T03:21:05.395214Z",
	"deleted_at": null,
	"sha1_hash": "eb1fa9ffa4e5430eb2250bf2144a2013b5fb0128",
	"title": "Prynt Stealer’s Backdoor Exposed | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3639172,
	"plain_text": "Prynt Stealer’s Backdoor Exposed | Zscaler Blog\r\nBy Atinderpal Singh, Brett Stone-Gross\r\nPublished: 2022-09-01 · Archived: 2026-04-05 19:25:25 UTC\r\nStealing information is fundamental to cybercriminals today to scope and gain access to systems, profile\r\norganizations, and execute bigger payday schemes like ransomware. Information stealer malware families\r\nincluding Prynt Stealer are often configured through a builder to facilitate the process for less sophisticated threat\r\nactors. However, Zscaler ThreatLabz researchers have uncovered that the Prynt Stealer builder, also associated with\r\nWorldWind and DarkEye, has a secret backdoor in the code that ends up in every derivative copy and variant of\r\nthese malware families. The backdoor sends copies of victims' exfiltrated data gathered by other threat actors to a\r\nprivate Telegram chat monitored by the builder’s developers. While this untrustworthy behavior is nothing new in\r\nthe world of cybercrime, the victims' data ends up in the hands of multiple threat actors, increasing the risk of one\r\nor more large-scale attacks to follow.\r\n\r\nKey Points\r\nPrynt Stealer is an information stealer that has the ability to capture credentials that are stored on a\r\ncompromised system including web browsers, VPN/FTP clients, as well as messaging and gaming\r\napplications\r\nThe Prynt Stealer developer based the malware code on open source projects including AsyncRAT\r\nand StormKitty\r\nPrynt Stealer uses Telegram to exfiltrate data that is stolen from victims\r\nThe Prynt Stealer malware author added a backdoor Telegram channel to collect the information\r\nstolen by other criminals\r\nThe information stealer malware families known as DarkEye and WorldWind are nearly identical to\r\nPrynt Stealer\r\nPrynt Stealer is a relatively new information stealer malware family that is written in .NET. 
The malware has\r\npreviously been analyzed in-depth including the data harvesting capabilities and the targeted applications. Zscaler\r\nThreatLabz has since uncovered additional details about the malware including the codebase being derived from\r\nat least two other open source malware families: AsyncRAT and StormKitty. This blog will focus on these shared\r\ncodebases, the modifications introduced by the Prynt Stealer author (including a backdoor), and the very close\r\nrelationship with WorldWind and DarkEye.\r\nPrynt Stealer Origins\r\nPrynt Stealer is not just inspired by open source malware families, but shares code that appears to have been\r\ndirectly copied and pasted from these repositories. Many parts of the Prynt Stealer code that have been borrowed\r\nfrom other malware families are not used, but are still present in the binary as dead, unreachable code. The Prynt\r\nhttps://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed\r\nPage 1 of 18\n\nStealer code is primarily derived from AsyncRAT (a versatile RAT) and StormKitty (an information stealer). The\r\nAsyncRAT code is used as the main module with a modified entry point that calls the StormKitty stealer method.\r\nPrynt Stealer executables are configured using a builder that has no options to modify the embedded AsyncRAT\r\ncomponents, which are pre-configured primarily just to run the StormKitty stealer module. 
Most of AsyncRAT’s\r\nfunctionality in Prynt Stealer is disabled and the command-and-control (C\u0026C) URLs are configured to 127.0.0.1.\r\nWhile AsyncRAT’s network component in Prynt Stealer is disabled, the malware still contains the following\r\nembedded certificate:\r\n         \"issuer\": \"CN=WorldWind Stealer\",\r\n         \"subject\": \"CN=WorldWind Stealer\",\r\n         \"to_date\": \"9999-12-31T23:59:59\",\r\n         \"version\": \"v3\",\r\n         \"from_date\": \"2021-07-13T04:51:06\",\r\n         \"serial_number\": 852016614067188563094399707801818649\r\nNote that the common name for this certificate is WorldWind Stealer, which is also sold by the Prynt Stealer\r\nmalware author.\r\nAsyncRAT/StormKitty Code Comparison\r\nThe Prynt Stealer author added two new fields (highlighted in Figure 1) to the AsyncRAT configuration codebase\r\nfor data exfiltration via Telegram.\r\nFigure 1: Side-by-side comparison of a Prynt Stealer configuration (left) with an original AsyncRAT configuration\r\n(right)\r\nThe main code responsible for sending information to Telegram is copied from StormKitty with a few minor\r\nchanges in text as shown in Figure 2.\r\nFigure 2: Side-by-side comparison of Prynt Stealer’s UploadFile with StormKitty’s SendSystemInfo function\r\nThe main differences are that the field names and their order have changed, and that a field related to detecting porn websites is\r\nmissing from Prynt.\r\nA Detailed Look at Prynt Stealer Modifications\r\nAnti-Detection Techniques\r\nPrynt Stealer does not use the anti-analysis code from either AsyncRAT or StormKitty with one exception: the\r\nmalware creates a thread that invokes the function named processChecker (shown in Figure 3) in AsyncRAT’s\r\nstatic constructor. 
The thread execution is started at the end of the main function after stolen logs are sent.\r\nFigure 3: Prynt Stealer process checker thread's code\r\nPrynt Stealer uses this thread to continuously monitor the victim’s process list. If any of the following processes\r\nare detected, the malware will block the Telegram C\u0026C communication channels:\r\ntaskmgr\r\nprocesshacker\r\nnetstat\r\nnetmon\r\ntcpview\r\nwireshark\r\nfilemon\r\nregmon\r\ncain\r\nTelegram Command Thread\r\nPrynt Stealer creates a thread that will poll for a file to download using the Telegram getUpdates API as shown in\r\nFigure 4. Of note, this download command only saves the file on the target system and does not take any further\r\nactions that might be expected like executing a second-stage payload or updating the malware.\r\nFigure 4: Prynt Stealer Telegram download command\r\nCrowdsourcing Stolen Logs\r\nPrynt Stealer steals data from a wide array of applications, and the information is sent to a Telegram channel that\r\nis configured using the builder shown in Figure 5.\r\nFigure 5: Prynt Stealer builder\r\nThe Prynt Stealer logs are sent to the operator’s Telegram. However, there is a catch: a copy of the log files is also\r\nsent to a Telegram chat presumably embedded by the Prynt Stealer author as shown below in Figure 6.\r\nFigure 6: Prynt Stealer backdoor sending log files to two different Telegram chats\r\nThreatLabz has observed similar tactics employed by malware authors in the past as well, where the malware has\r\nbeen given away for free. 
This enables a malware author to benefit from unsuspecting cybercriminal clients who\r\nperform the heavy lifting of infecting victims. The fact that all Prynt Stealer samples encountered by ThreatLabz\r\nhad the same embedded Telegram channel implies that this backdoor channel was deliberately planted by the\r\nauthor. Interestingly, the Prynt Stealer author is not only charging some clients for the malware, but also receiving\r\nall of the data that is stolen. Note that there are cracked/leaked copies of Prynt Stealer with the same backdoor,\r\nwhich in turn will benefit the malware author even without direct compensation.\r\nPrynt Stealer / WorldWind / DarkEye: Multiple Faces of the Same Malware\r\nThreatLabz has identified at least two more Prynt Stealer variants dubbed WorldWind and DarkEye that appear to\r\nbe written by the same author. All three strains are nearly identical with a few minor differences. Prynt Stealer is\r\nthe most popular brand name for selling the malware, while WorldWind payloads are the most commonly\r\nobserved in-the-wild. DarkEye is not sold or mentioned publicly; however, it is bundled as a backdoor with a\r\n“free” Prynt Stealer builder. 
Figure 7 shows a pie chart of the percentage of samples by name observed by\r\nThreatLabz over the last year.\r\nFigure 7: Distribution of Prynt Stealer, WorldWind and DarkEye payloads in-the-wild over the last year\r\nBoth Prynt and WorldWind have been sold by the same author on the following websites:\r\nMarket Website: http://shop.prynt[.]market; Malware name: WorldWind; Status: Inactive\r\nMarket Website: http://market.prynt[.]market; Malware name: Prynt Stealer; Status: Inactive\r\nMarket Website: http://venoxxxx[.]xxx; Malware name: Prynt Stealer; Status: Active\r\nScreenshots of these websites (offline at the time of publication) are shown in Figure 8.\r\nFigure 8: market.prynt[.]market selling Prynt Stealer and shop.prynt[.]market selling WorldWind side-by-side\r\nVarious websites and criminal forums have offered cracked versions of Prynt Stealer and the code has been\r\nuploaded on GitHub for free under different names. Prynt (with the same Telegram backdoor) has also been\r\noffered for free on Telegram channels used by cybercriminals as shown in Figure 9.\r\nFigure 9: Prynt Stealer offered for free on a cybercriminal Telegram channel\r\nThe distributed builder is backdoored with DarkEye Stealer and Loda RAT. This may be a deliberate leak by the\r\nPrynt Stealer threat actor since they will benefit from the data stolen from victims.\r\nFeature/Code Comparison\r\nTable 1 shows a feature comparison between Prynt, WorldWind and DarkEye. Overall, there are only a few very minor\r\ndifferences, such as the text in the log report and the placement of code and settings. 
However, functionality-wise all three\r\nare almost identical.\r\nAsyncRAT: Prynt = Present (Not Used), WorldWind = Present (Not Used), DarkEye = Used\r\nClipper: Prynt = Present (Not Used), WorldWind = Present (Not Used), DarkEye = Used\r\nKeylogger: Prynt = Present (Not Used), WorldWind = Present (Not Used), DarkEye = Used\r\nProcessChecker Anti-Analysis: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nStormKitty Stealing: Prynt = Used, WorldWind = Used, DarkEye = Used\r\nHideConsoleWindow: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nElevate privileges by running as admin: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nCopy itself to a specified path: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nPersist using task creation (e.g., “Chrome Update”): Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nSelf delete using a .bat file: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nCheck for an Internet connection: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nProtect the process using RtlSetProcessIsCritical: Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nPrevent sleep by setting SetThreadExecutionState to 0x80000003 (ES_CONTINUOUS | ES_DISPLAY_REQUIRED | ES_SYSTEM_REQUIRED): Prynt = Used, WorldWind = Not Present, DarkEye = Not Present\r\nTable 1. 
Some notable similarities and differences in functionality between Prynt Stealer, WorldWind and\r\nDarkEye\r\nTable 2 compares the field names between StormKitty, Prynt Stealer, WorldWind and DarkEye.\r\nStormKitty: 😹 *StormKitty - Report:*; Prynt: \\ud83d\\udc63 *Prynt Stealer New Results:*; WorldWind: \\ud83c\\udf2a *WorldWind Pro - Results:*; DarkEye: \\ud83d\\ude39 *DARK-EYE - Report:*\r\nStormKitty: 🏦 *Banking services*; Prynt: \\ud83c\\udfe6 *Banks*; WorldWind: \\ud83c\\udfe6 *Bank Logs*; DarkEye: \\ud83c\\udfe6 *Banking services*\r\nStormKitty: 💰 *Cryptocurrency services*; Prynt: \\ud83d\\udcb0 *Crypto*; WorldWind: \\ud83d\\udcb0 *Crypto Logs*; DarkEye: \\ud83d\\udcb0 *Cryptocurrency services*\r\nStormKitty: 🍓 *Porn websites*; Prynt: N/A; WorldWind: \\ud83c\\udf53 *Freaky Logs*; DarkEye: \\ud83c\\udf53 *Porn websites*\r\nStormKitty: 🌐 *Browsers:*; Prynt: \\ud83d\\udcb5 *Stealer Data:*; WorldWind: \\ud83c\\udf10 *Logs:*; DarkEye: \\ud83c\\udf10 *Browsers:*\r\nStormKitty: 🗃 *Software:*; Prynt: \\ud83d\\udc63 *Installed Software:*; WorldWind: \\ud83d\\uddc3 *Software:*; DarkEye: \\ud83d\\uddc3 *Software:*\r\nStormKitty: 🧭 *Device:*; Prynt: \\ud83d\\udc63 *Local Device:*; WorldWind: \\ud83e\\udded *Device:*; DarkEye: \\ud83e\\udded *Device:*\r\nStormKitty: 📄 *File Grabber:*; Prynt: \\ud83d\\udc63 *Files:*; WorldWind: \\ud83d\\udcc4 *File Grabber:*; DarkEye: \\ud83d\\udcc4 *File Grabber:*\r\nStormKitty: N/A; Prynt: \\ud83d\\udc63 Solen Useing Prynt Stealer\\n\\n  \\ud83d\\udc63 Developed By @FlatLineStealerUpdated\\n\\n \\ud83d\\udc63 Or Join The Channel @pryntdotmarket; WorldWind: Telegram Channel: @x0splinter; DarkEye: N/A\r\nTable 2. Comparison of field names between StormKitty, Prynt Stealer, WorldWind and DarkEye\r\nLeaked Prynt Stealer Builder\r\nThreatLabz has acquired a copy of the Prynt Stealer builder that is backdoored with DarkEye and is being circulated in-the-wild. 
Figure 10 illustrates the “free” Prynt Stealer builder’s backdoor execution process.\r\nFigure 10: Prynt Stealer builder backdoor execution and infection flow\r\nThe Prynt Stealer builder package includes the following files:\r\nStub.exe - Prynt stub used by the builder\r\nPrynt Stealer.exe - Builder executable\r\nPrynt Stealer sub.exe - Unmanaged PE\r\nPrynt.exe - Backdoor that downloads and executes DarkEye Stealer\r\nStub.exe - The Prynt Stealer Stub\r\nThis is the actual Prynt Stealer stub that is used by the builder to build payloads based on the configuration. The\r\nstub simply enumerates the resources in the file Prynt Stealer sub.exe and performs actions based on the settings\r\nin the RCData resource section, as shown in Figure 11.\r\nFigure 11. Celesty Binder resource enumeration method\r\nThe Prynt Stealer sub.exe is generated using Celesty Binder as indicated by the presence of the string\r\nC:\\Users\\DarkCoderSc\\Desktop\\Celesty Binder\\Stub\\STATIC\\Stub.pdb. This binary stores embedded payloads\r\nunder the “RBIND” resource in plaintext. This sample was configured to drop and execute the payloads in the\r\n%TEMP% folder as shown in Figure 12.\r\nFigure 12. 
Celesty Binder stub settings in resources\r\nOther valid options for the “DROPIN” value include the following:\r\n%APPDATA%\r\n%PROGFILES%\r\n%DEFDRIVE%\r\n%STARTUPDIR%\r\n%LAPPDATA%\r\n%USERDIR%\r\nThe Prynt Stealer builder stub contains two payloads:\r\n“PRYNT STEALER.EXE” - The builder binary explained below\r\n“SVCHOST.EXE” - LodaRAT backdoor\r\nPrynt Stealer.exe - The Builder\r\nThe Prynt Stealer builder is a modified version of the AsyncRAT builder with modified forms to change the UI,\r\nand an additional line was added in the main method to run the loader mentioned above from {Builder\r\nPath}/Stub/Prynt.exe.\r\nPrynt.exe - The Loader\r\nThis is a very basic loader written in .NET, which simply downloads the payload from a hardcoded URL and runs\r\nthe payload as shown in Figure 13.\r\nFigure 13. Loader obfuscated vs deobfuscated\r\nThe downloaded payload is DarkEye Stealer, a variant of Prynt Stealer. Based on a hardcoded Telegram token\r\nshared by DarkEye, Prynt and WorldWind Stealer, they are all likely from the same author(s).\r\nDarkEye Stealer\r\nThis malware is essentially Prynt Stealer with some minor differences in code placement. Most settings related to\r\nthe clipper, keylogger, etc. are moved under the AsyncRAT constructor as shown in Figure 14.\r\nFigure 14. Example AsyncRAT settings configured by DarkEye Stealer\r\nThe main factor differentiating DarkEye from Prynt and WorldWind is that the AsyncRAT part of the code is\r\nweaponized by configuring the related settings. Note that there were some earlier versions of DarkEye Stealer in-the-wild without the AsyncRAT components. 
\r\nLoda RAT\r\nLoda RAT is an AutoIt-based RAT first documented in 2017 that has been active since and has evolved over the\r\nyears. This is a fairly capable malware that can steal a variety of information, remotely control an infected system\r\nand deploy additional payloads.\r\nConclusion\r\nThe free availability of source code for numerous malware families has made development easier than ever for\r\nless sophisticated threat actors. As a result, there have been many new malware families created over the years that\r\nare based on popular open source malware projects like NjRat, AsyncRAT and QuasarRAT. The Prynt Stealer\r\nauthor went a step further and added a backdoor to steal from their customers by hardcoding a Telegram token and\r\nchat ID into the malware. This tactic is not new by any means; there have been several similar instances, including\r\nCobianRAT. As the saying goes, there is no honor among thieves.\r\nCloud Sandbox Detection\r\nFigure 15: Zscaler Cloud Sandbox Report\r\nIn addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators related to the\r\ncampaign at various levels with the following threat names:\r\nWin32.Backdoor.PryntStealer\r\nWin32.Backdoor.WorldWind\r\nWin32.Backdoor.DarkEyeStealer\r\nWin32.Backdoor.LodaRat\r\nIndicators of Compromise (IOCs)\r\nPrynt Stealer IOCs are available in our GitHub repository.\r\nSHA256 Malware\r\nd8469e32afc3499a04f9bcb0ca34fde63140c3b872c41e898f4e31f2a7c1f61f Prynt Stealer\r\nf15e92c34dd8adfcd471d726e88292d6698217f05f1d2bcce8193eb2536f817c Prynt Stealer\r\n3b948a0eb0e9bbca72fc363b63ffd3a5983e23c47f14f8296e8559fd98c25094 WorldWind Stealer\r\nbb96db7406566ec0e9305acde9205763d4e9d7a65f257f3d5c47c15f393628ec DarkEye 
Stealer\r\ne48179c4629b5ab9e53ccb785ab3ee5eeb2e246e1897154a15fec8fd9237f44b DarkEye Stealer (old version without AsyncRAT)\r\n9678ca06068b705da310aa2f76713d2d59905b12b67097364160857cd1f90c58 Celesty Binder payload\r\n654f080d5790054f0cd1a0f9b31cd7a82a4722ff3ce5093acdc31ff154f1ae24 Builder\r\ncb132691793e93ad8065f857b4b1baba92e937cfc3d3a8042ce9109e12d32b4c LodaRAT\r\nd37d0ae4c5ced373fe1960af5ea494a6131717d1c400da877d9daa13f55439bb Prynt Stealer Stub\r\nc79aed9551260daf74a2af2ec5b239332f3b89764ede670106389c3078e74d1a Loader\r\nTelegram Token Chat ID Comment\r\n1119746739:AAGMhvpUjXI4CzIfizRC--VXilxnkJlhaf8 1096425866 WorldWind (hardcoded)\r\n1784055443:AAG-bXLYtnFpjJ_L3ogxA3bq6Mx09cqh8ug 1937717367 Prynt Stealer (hardcoded)\r\n5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI 5038570348 Prynt Stealer\r\n5292408150:AAHAPbTr2Jc9L4hgsfkDkvfw_hISg6lPMMI 1856525476 Prynt Stealer\r\n1916193181:AAHhdcx3k6mHbnJ6JLfyWtJBMChny-la8Xs 849561191 Prynt Stealer\r\nURL Description\r\nhttps://cdn.discordapp[.]com/attachments/523238636561629190/890007970207907871/vltn.exe DarkEye Stealer Hosting\r\nbigdaddy-service[.]biz:6606 DarkEye Stealer C\u0026C\r\nbigdaddy-service[.]biz:7707 DarkEye Stealer C\u0026C\r\nbigdaddy-service[.]biz:8808 DarkEye Stealer C\u0026C\r\ndaddy.linkpc[.]net:1199 LodaRAT C\u0026C\r\nSource: https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/no-honor-among-thieves-prynt-stealers-backdoor-exposed"
	],
	"report_names": [
		"no-honor-among-thieves-prynt-stealers-backdoor-exposed"
	],
	"threat_actors": [],
	"ts_created_at": 1775434806,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb1fa9ffa4e5430eb2250bf2144a2013b5fb0128.pdf",
		"text": "https://archive.orkl.eu/eb1fa9ffa4e5430eb2250bf2144a2013b5fb0128.txt",
		"img": "https://archive.orkl.eu/eb1fa9ffa4e5430eb2250bf2144a2013b5fb0128.jpg"
	}
}