Prinz Eugen ransomware: a deep dive into a new Go-based encryptor

On May 11, 2026, our research team investigated a customer infected with a brand-new ransomware family called Prinz Eugen.

The encryptor is freshly built, written in Go, and more technically deliberate than many first-wave ransomware samples. It performs recursive encryption, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity checks, and leaves no ransom note on disk.

The first public report related to this family is dated April 16, when a public social media post noted that a new ransomware leak portal had appeared to extort Standard Bank Group, a leading financial institution in South Africa.

We attributed the activity to the Prinz Eugen group because the encryptor appends the .prinzeugen extension to encrypted files.

The term “Prinz Eugen” could refer to a German heavy cruiser that served during World War II. It is the first of several German references woven through this campaign.

Inside the encryptor

The following analysis traces the encryptor through the intrusion we investigated, in the order the activity unfolded: initial access, execution, the encryption process, and the anti-forensic steps the binary took before it exited.

We suspect the actor gained a foothold through compromised RDP credentials. Once inside, they downloaded the encryptor executable (servertool.exe) using Chrome and moved it into the user’s Music folder. The binary takes the directory to encrypt as a command-line parameter, with an optional --delete flag to remove the original file after encryption:

C:\Users\******\Desktop>servertool.exe
usage: encrypter [--delete] <dir> [dir ...]

In the environment we studied, it was launched against a specific set of folders, recorded in our EDR logs:

servertool --delete C:\Users\<redacted>\Downloads
servertool --delete C:\Users\<redacted>\OneDrive
servertool --delete C:\Users\<redacted>
servertool --delete C:\Users
servertool --delete C:\
servertool --delete G:\My Drive
servertool --delete G:\Shared Drive

We analyzed the sample to clarify how it encrypts. It is written in Go, and all the key functions related to encryption sit inside a package named scorched-earth-ausfc.

For each directory passed on the command line, the encryptor performs a fully recursive walk with no depth limit. The code allows exclusions to be configured, but the sample we analyzed did not define any, so it is set to encrypt every file that does not already carry the .prinzeugen extension and is not a .<originalname>.tmp working file.

The encryptor takes the most recently modified files first, falling back to alphabetical order only to break ties on identical timestamps.

That ordering is what makes it dangerous. The most recently modified files are the ones most likely to be in active use (open documents, current databases, recently saved project files, fresh email archives) and the least likely to have a recent backup. Hitting them first puts the heaviest pressure on the victim to pay quickly.

Encryption logic

Encryption is done through multiple worker goroutines, one per CPU:

Each worker then calls the per-file encryption routine:

For a file named document.docx, the encryptor works in three stages. It first creates and encrypts a temporary copy, .document.docx.prinzeugen.tmp, using the EncryptFileToKey function:

It then renames that temporary file to its final form, document.docx.prinzeugen:

Where the --delete flag is set, it verifies the encrypted file is decryptable with VerifyEncryptedWithKey and only then removes the original:

No ransom-note functionality exists in the sample. There is no code to drop a text file, HTML page, or any other written demand onto a victim’s file system.

The encryptor uses ChaCha20-Poly1305 (AEAD) with a 32-byte master key, per-file random IVs, a three-stage KDF (Argon2id to SHA-256 to HKDF-SHA256), chunked encryption at 1MB per chunk, SHA-256 integrity hashing, and a custom file header. The header carries the CHV1 magic bytes, visible in an encrypted sample:

Before exiting, the binary takes deliberate steps to frustrate forensic analysis and recovery. It zeroes the hardcoded encryption key and runs the garbage collector so the key does not persist in memory, then deletes itself.

Together these reduce the forensic footprint: memory analysis will not recover the key, and the binary leaves no trace on disk after running. The self-delete uses cmd.exe with a ping-delay trick, which gives the parent process time to exit fully before deletion runs:

cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q C:\Users\<redacted>\Music\servertool.exe

Additional steps by the threat actor

In the environment hit by this ransomware, we also observed the actor leveraging the RemotePC RMM tool to launch PowerShell stagers and deploy additional payloads.

These payloads were downloaded from 212.80.7.74, which, at the time of writing, was online and hosting an admin console. We suspect this IP is acting as a C2, and the additional payloads are probably remote access trojans (RATs) used for infostealing and exfiltration.

We observed the actor setting up an admin account as well:

net user admin germania /add

It’s worth noting the password, germania, which means “Germany” in Latin and Italian. Germania is also an extortion alias that the same operator used on a crime forum months before Prinz Eugen existed, connecting this binary directly to a named, pre-existing data seller.

So, RDP was probably the entry point, while RMM and a custom admin account became persistence mechanisms.

Infrastructure

The C2 address sits inside a small infrastructure cluster. DNS history reconnaissance and URL-scan history show that three domains have resolved to 212.80.7.74:

Domain	Observed role	Notes
stndrdbnk.cc	Standard Bank typosquat	Captured serving /unlocked on March 29, consistent with a victim payment or negotiation portal. Registered on March 14 2026 through Porkbun, later flagged as malicious by several reputation engines, and its DNS record has since been removed.
g- captchafestung.sbs	Fake-CAPTCHA lead	Registered on May 27 through NiceNIC. The naming suggests a possible ClickFix-style paste-and-run lure, though retrieval returned only {“ok”:true}, so ClickFix remains unconfirmed.
festung- e.duckdns.org	Dynamic-DNS host	Observed between May 23 and 30.

Two of those domains contain “Festung,” the German word for fortress, which matches the German theme already visible in the binary (the cruiser name, the germania password, and the scorched-earth-ausfc package).

By May 30, the host had been cleaned up. Port 443 still responded, but only with a 28-byte placeholder page last modified May 23; the admin panel shown above was gone, the CAPTCHA domain returned only {“ok”:true}, and the typosquat’s DNS record had been pulled.

The same pattern appears across the actor’s estate: the C2 was stripped, the typosquat DNS was removed, and their older forum profile was deleted.

They appear to dismantle their own infrastructure after each operation. (DNS history records also show unrelated co-residents on the IP, darkempire.fun in 2024-2025 and old-pidop.ru in 2024, most likely prior tenancy with no observed actor link.)

Unmasking the operator

The strongest public attribution trail for Prinz Eugen points to an actor called ROOTBOY. Attributing the leak-site post to a named handle relies on two consistent routes:

1. South African press reporting on the Standard Bank breach names the actor as ROOTBOY, who posted the data on DarkForums.
2. Public leak-site tracking lists a single affiliate for the Prinz Eugen site: ROOTBOY.

The ROOTBOY handle also has useful historical context. The actor has posted as ROOTBOY on Exploit and DarkForums, and earlier as avtokz on XSS, linking the two accounts by a shared TOX ID while also advertising Telegram and Jabber contacts. Prior reporting connects the same actor cluster to data-sale and extortion activity that predates Prinz Eugen:

• A Vantage Finance database, advertised as avtokz on July 9, 2025.
• A US and Canada driving-school software provider in September 2025 (SQL INSERT dumps containing billing records and student PII).
• The 700Credit breach in November 2025, roughly 8.4 million US records including Social Security numbers, dates of birth and employment data, advertised on Exploit and DarkForums.

That history also reaches directly into our sample. Our analysis recorded the user setting up an account called “germania,” while in the 700Credit listing, ROOTBOY stated that the data was sold after a failed extortion attempt issued under the name GERMANIA.

A string recovered from the binary therefore matches an extortion alias that the same actor used on a forum months earlier, connecting our reverse engineering to a named, pre-existing seller. It is the single strongest link in the attribution.

On current evidence this is most likely a single person, reusing the same handle, TOX ID and German naming theme across operations, which is the very consistency that makes attribution possible.

There are two caveats worth stating here: public leak-site tracking labels ROOTBOY an “affiliate,” which can imply a multi-actor structure, and a bespoke Go encryptor implies that at least a separate developer may be involved.

The core technical finding remains the same: Prinz Eugen is a new Go-based encryptor with deliberate file-targeting and anti-forensic behavior. The attribution context adds a second layer. It makes the absence of a ransom note, the out-of-band communication model, and the emphasis on exfiltration look intentional.

Impact

The victim set is opportunistic and spread across countries and sectors, with no clear single-sector focus:

Victim	Country	Detail
Standard Bank Group (+ Liberty)	South Africa	~1.2 TB / ~154M SQL rows exfiltrated; ~3-week dwell time; 1 BTC demand refused; staged daily leaks.
Transitions Pro Centre Val de Loire	France	Hundreds of GB exfiltrated and encrypted; posted on the leak site (May 3 2026).
700Credit	USA	~8.4M records incl. SSNs; sold for ~$2,500 (pre-Prinz Eugen data sale).
Vantage Finance	Unspecified	Database sold as avtokz (pre-Prinz Eugen).
US/Canada driving-school software provider	USA / Canada	Billing records and student PII sold (pre-Prinz Eugen).

The extortion model

The available reporting and incident data point to a simple pressure model: steal the data, encrypt the environment, then use the leak site and direct contact channels to force a decision.

Reporting on the Standard Bank intrusion adds further tradecraft: a hands-on dwell time of around three weeks before exfiltration, and lateral movement through enterprise applications including SharePoint, OneDrive, Power Apps, AppDynamics, Jira, Confluence, Citrix, Remedy, and Microsoft and Oracle SQL databases.

As in the incident we investigated, RemotePC was abused to launch PowerShell stagers and a manual backdoor admin account (germania) was created. The operator favors legitimate RMM tooling to blend into enterprise traffic, a Living off The Land (LOTL), hands-on-keyboard style.

Activity timeline

The sequence below separates the actor-history pivots from the confirmed Prinz Eugen ransomware activity, so readers can see what happened before and during the campaign.

Date	Event
9 Jul 2025	Registers on XSS as avtokz; advertises a Vantage Finance database.
6 Sep 2025	Joins Exploit as ROOTBOY.
9 Sep 2025	Sells data from a US/Canada driving-school software provider.
8 Oct 2025	Joins DarkForums.
16 Nov 2025	Advertises the 700Credit breach (~8.4M records) for ~$2,500; states the data was sold after a failed extortion attempt under the name GERMANIA.
27 Feb 2026	Start of the Standard Bank + Liberty intrusion (~3-week dwell time).
16 Apr 2026	Standard Bank breach posted on DarkForums; first public social-media report.
From mid-Apr 2026	Staged daily leaks of Standard Bank data escalate (5k to 25k to 50k to 100k rows/day) after the bank refuses to pay.
3 May 2026	Second Prinz Eugen victim: Transitions Pro Centre Val de Loire (France).
4 May 2026	Formally claims the Standard Bank attack.
11 May 2026	ThreatDown investigates an infected customer; encryptor analyzed.
Late May 2026	C2 panel stripped, typosquat DNS pulled and forum profile removed (infrastructure cleanup after the IP became public).

How we stop Prinz Eugen

ThreatDown Endpoint Protection product blocked the ransomware execution. Detections appear as Malware.Ransom.Agent.Generic:

ThreatDown Endpoint Detection & Response surfaced, through its alerts, the suspicious user being added for persistence:

It also surfaced the malicious usage of RemotePC, which used PowerShell to download and execute an additional payload:

Key takeaways

Prinz Eugen is an interesting addition to the current threat ecosystem because of its technical construction and the deliberate behavioral choices visible in the incident. The encryptor is new, written in Go, and built with enough care to prioritize high-pressure files, verify encrypted output, remove originals when instructed, and reduce forensic recovery opportunities before exiting.

The absence of a ransom note dropped on disk is a tactic we see more often among organized ransomware groups. By moving ransom communications entirely out-of-band (through direct email, phone contact, or dark-web victim portals), the actor reduces forensic artifacts and complicates automated detection of the extortion phase.

The use of legitimate RMM tooling (RemotePC) for post-exploitation persistence and lateral movement is consistent with a broader industry trend of ransomware operators abusing trusted software to blend into normal enterprise traffic and evade detection. Combined with the manual creation of a backdoor admin account, this indicates a hands-on-keyboard operator comfortable with LOTL techniques.

ThreatDown customers are protected through behavioral detections in both ThreatDown Endpoint Protection and ThreatDown EDR products, which surfaced the key attacker behaviors described in this report. Customers protected by ThreatDown would also have benefited from our anti-ransomware and Ransomware Rollback capabilities, allowing affected files to be restored automatically.

Indicators of Compromise

The following Indicators of Compromise (IoCs) consolidate the network, leak-site, actor, and host artifacts discussed above.

Network

The core network indicator is the host used for payload delivery, the observed panel, and the related domain infrastructure.

Indicator	Type	Notes
212[.]80[.]7[.]74	C2 / panel / payload host	AS215439, Play2go International, Frankfurt, DE.
stndrdbnk[.]cc	Domain resolving to 212[.]80[.]7[.]74	Standard Bank typosquat.
g-captchafestung[.]sbs	Domain resolving to 212[.]80[.]7[.]74	Fake-CAPTCHA / possible ClickFix lead.
festung-e.duckdns[.]org	Domain resolving to 212[.]80[.]7[.]74	Dynamic-DNS host observed between May 23 and 30.

Leak sites

The leak site indicators are included for reference and should be handled according to normal dark-web access controls.

Address	Status
prinzfkbjiazbrur4mjje6mntjc4vydx3iatkkzycufoylqcoo4y7pqd[.]onion	Active.
6cudc5cqa2bjpwdhcwm2lj6dbqejjjqzeo6ipwvmbazr6cgu7vfk3dad[.]onion	Original, currently down.

Actor selectors

These selectors support attribution and pivoting. Host-based detection relies more directly on the file and endpoint artifacts below.

Selector type	Value
Handles	ROOTBOY, avtokz, GERMANIA.
TOX	496187425B2944D73FBB17CAF3F9FD569B9ED3A08A497A8314CB4F27A51 E65081ACEE1E22F21
Emails	prinzeugen@mail2tor.co, standardbankcc@cock.li
BTC	bc1q2ztpcvqdaptej6uu2ywt9mrlatx6envu34rf0v

Host / file artifacts

The host and file artifacts are the most directly useful indicators for endpoint hunting and incident-response review.

Artifact type	Value
Payload	servertool.exe
Encrypted extension	.prinzeugen
Go package	scorched-earth-ausfc
File-header magic	CHV1
Crypto	ChaCha20-Poly1305, 32-byte master key, KDF Argon2id to SHA256 to HKDF- SHA256, 1MB chunks, per-file random IVs.
Persistence	net user admin germania /add
Self-delete	cmd.exe /C ping 127.0.0.1 -n 2 > nul & del /F /Q …\Music\servertool.exe
RMM abuse	RemotePC (IDrive) used for PowerShell staging.
SHA-256	686213cc11d36af764de824801bced9366dfca3823fe0d51b752f74149bcf1f4
PowerShell stager URLs	https://212[.]80[.]7[.]74/serverscan.ps1 https://212[.]80[.]7[.]74/stager/mini https://212[.]80[.]7[.]74/stager/ps1