Prinz Eugen hackers campaign expands across multiple victims
Campaign
Summary
The Prinz Eugen ransomware campaign is using stolen RDP credentials, RemotePC, and hands-on operator control to break into multiple victims. It matters because the operation combines manual intrusion tradecraft with data encryption and exfiltration, which increases extortion pressure and reduces the chance of detection. Researchers say the group has reached at least five victims, while the leak site currently lists three. In one Standard Bank breach, the attacker demanded 1 BTC and was refused.
Related Happenings
Prinz Eugen hands-on-keyboard ransomware activity
Malware Activity
H score: 4
First: 20.06.2026 18:23
Last: 20.06.2026 18:23
Sources: 1
How related:
An investigation from Threatdown, Malwarebytes’ enterprise cybersecurity arm, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.
About this happening:
The **Prinz Eugen** ransomware operation is actively using **hands-on-keyboard** tradecraft and legitimate **RMM tools**, which makes intrusions harder to spot and contain. Resear...
Timeline
- 20.06.2026 18:23 · 2 articles · 2h ago
Prinz Eugen ransomware uses stolen RDP access and RemotePC
Initial Disclosure: Prinz Eugen is a ransomware operation that appears to rely on stolen RDP credentials for initial access, manual execution of servertool.exe, and legitimate RMM tooling such as RemotePC with a backdoor administrator account for persistence. Researchers describe the group as hands-on-keyboard and note that it is not operating as RaaS. They say the malware encrypts recently modified files first, processes files alphabetically when timestamps match, omits a local ransom note, and uses out-of-band extortion. The leak site currently lists three victims, researchers have identified at least five impacted organizations, and in the Standard Bank breach the attacker demanded 1 BTC and was refused.
Sources:
- New Prinz Eugen ransomware prioritizes recent files for encryption — www.bleepingcomputer.com — 20.06.2026 18:23
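The chain in the timeline entry (RDP logon, manual run of servertool.exe, a new administrator account, RemotePC) can be hunted as a per-session correlation over Windows Security events. The sketch below is an added example, not code from the cited article or from Threatdown. It assumes simplified event records (IDs 4624, 4688, 4720, 4732), a two-hour window, substring matching on process paths, and uses constructed sample events, accounts, SIDs and paths.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)               # assumed correlation window
ADMINS_SID = "S-1-5-32-544"               # built-in Administrators group
WATCHED = ("servertool.exe", "remotepc")  # names from the report; substring match is an assumption
SID = "S-1-5-21-1-2-3-"                   # constructed SID prefix for the sample data

# Constructed sample: simplified Windows Security events, not real telemetry.
EVENTS = [
    {"t": "2026-06-01T02:10:00", "host": "FS01", "id": 4624, "LogonType": 10,
     "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7"},
    {"t": "2026-06-01T02:14:00", "host": "FS01", "id": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Users\svc_backup\Desktop\servertool.exe"},
    {"t": "2026-06-01T02:20:00", "host": "FS01", "id": 4720, "SubjectUserName": "svc_backup",
     "TargetUserName": "helpdesk2", "TargetSid": SID + "1105"},
    {"t": "2026-06-01T02:21:00", "host": "FS01", "id": 4732, "SubjectUserName": "svc_backup",
     "TargetSid": ADMINS_SID, "MemberSid": SID + "1105"},
    {"t": "2026-06-01T02:30:00", "host": "FS01", "id": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Users\svc_backup\Downloads\RemotePC.exe"},
    {"t": "2026-06-01T09:00:00", "host": "WS07", "id": 4624, "LogonType": 10,
     "TargetUserName": "alice", "IpAddress": "10.0.4.22"},
    {"t": "2026-06-01T09:05:00", "host": "WS07", "id": 4688, "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]

def find_chains(events, window=WINDOW):
    """Return RDP sessions followed, on the same host and by the same account, by watched activity."""
    sessions = []
    for e in sorted(events, key=lambda ev: ev["t"]):
        ts = datetime.fromisoformat(e["t"])
        if e["id"] == 4624 and e.get("LogonType") == 10:   # RemoteInteractive (RDP) logon
            sessions.append({"host": e["host"], "user": e["TargetUserName"],
                             "src": e["IpAddress"], "start": ts, "created": {}, "signals": []})
            continue
        for s in sessions:
            if (e["host"], e.get("SubjectUserName")) != (s["host"], s["user"]):
                continue
            if ts - s["start"] > window:
                continue
            if e["id"] == 4720:                            # account created in this session
                s["created"][e["TargetSid"]] = e["TargetUserName"]
            elif e["id"] == 4732 and e["TargetSid"] == ADMINS_SID and e["MemberSid"] in s["created"]:
                s["signals"].append("new_admin:" + s["created"][e["MemberSid"]])
            elif e["id"] == 4688:                          # process creation
                path = e["NewProcessName"].lower()
                s["signals"] += ["process:" + w for w in WATCHED if w in path]
    return [s for s in sessions if s["signals"]]
```

Because RemotePC is legitimate software, a process hit alone is weak evidence; the signal worth alerting on is the combination within one RDP session.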