Prinz Eugen hands-on-keyboard ransomware activity
Malware Activity
Summary
The Prinz Eugen ransomware operation is actively using hands-on-keyboard tradecraft and legitimate RMM tools, which makes intrusions harder to spot and contain. Researchers say the operators likely start with stolen RDP credentials, then manually deploy servertool.exe and maintain access with RemotePC. The encryptor focuses on recently modified files, skips a ransom note, and pushes victims toward out-of-band extortion. The activity has already been tied to multiple victims, including a Standard Bank breach demand of 1 BTC.
Related Happenings
Prinz Eugen hackers campaign expands across multiple victims
Campaign
H score: 4
First: 20.06.2026 18:23
Last: 20.06.2026 18:23
Sources: 1
How related:
An investigation from Threatdown, Malwarebytes’ enterprise cybersecurity arm, found that the Prinz Eugen hackers have a hands-on-keyboard style and prefer to use legitimate remote monitoring and management (RMM) software and living-off-the-land tools.
About this happening:
The **Prinz Eugen** ransomware campaign is using **stolen RDP credentials**, **RemotePC**, and hands-on operator control to break into multiple victims. It matters because the ope...
Timeline
- 20.06.2026 18:23 · 2 articles
Prinz Eugen ransomware uses stolen RDP access and RemotePC
Initial Disclosure: Threatdown and Malwarebytes describe Prinz Eugen as a new ransomware operation that likely gains access with stolen RDP credentials, manually executes `servertool.exe`, and uses legitimate RMM tooling such as RemotePC plus a backdoor administrator account for persistence. The group is characterized as hands-on-keyboard rather than RaaS, and its operators are reported to move extortion communications out of band while avoiding a local ransom note.
Sources:
- New Prinz Eugen ransomware prioritizes recent files for encryption — www.bleepingcomputer.com — 20.06.2026 18:23
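The behaviours reported above (an RDP logon followed by manual execution of `servertool.exe`, a RemotePC install and a new administrator account) are individually common, so a detection is more useful when it correlates them per RDP session. The following is an added example, not code from Threatdown, Malwarebytes or this page; the simplified event field names, the two-hour window, the path-substring match for RemotePC and all sample data are assumptions.

```python
from datetime import datetime, timedelta
WINDOW = timedelta(hours=2)  # assumed correlation window; tune per environment

# Constructed sample events (made-up hosts, users, paths, IPs). IDs follow Windows Security
# logging: 4624 logon (type 10 = RDP), 4688 process start, 4720 account created, 4732 group add.
EVENTS = [
    {"ts": "2026-06-20T01:02:00", "host": "FS01", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.7"},
    {"ts": "2026-06-20T01:09:00", "host": "FS01", "id": 4688, "user": "svc_backup", "image": r"C:\Users\Public\servertool.exe"},
    {"ts": "2026-06-20T01:15:00", "host": "FS01", "id": 4720, "user": "svc_backup", "target": "helpdesk2"},
    {"ts": "2026-06-20T01:16:00", "host": "FS01", "id": 4732, "user": "svc_backup", "target": "helpdesk2", "group": "Administrators"},
    {"ts": "2026-06-20T01:30:00", "host": "FS01", "id": 4688, "user": "svc_backup", "image": r"C:\ProgramData\RemotePC\rpc_host_sample.exe"},
    {"ts": "2026-06-20T09:00:00", "host": "WS12", "id": 4624, "logon_type": 10, "user": "alice", "src": "10.0.0.5"},
    {"ts": "2026-06-20T09:05:00", "host": "WS12", "id": 4688, "user": "alice", "image": r"C:\Windows\System32\notepad.exe"},
]

def signals(ev):
    """Behaviour labels that one event contributes."""
    image = ev.get("image", "").lower()
    found = set()
    if ev["id"] == 4688 and image.endswith("\\servertool.exe"):
        found.add("servertool_exec")
    if ev["id"] == 4688 and "remotepc" in image:  # assumption: match on install path
        found.add("rmm_remotepc")
    if ev["id"] == 4720:
        found.add("account_created")
    if ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
        found.add("admin_added")
    return found

def correlate(events, window=WINDOW, min_signals=2):
    """For each RDP logon, gather signals from the same host and user inside the window."""
    findings = []
    for logon in events:
        if logon["id"] != 4624 or logon.get("logon_type") != 10:
            continue
        start = datetime.fromisoformat(logon["ts"])
        seen = set()
        for ev in events:
            same_actor = (ev["host"], ev["user"]) == (logon["host"], logon["user"])
            if same_actor and start <= datetime.fromisoformat(ev["ts"]) <= start + window:
                seen |= signals(ev)
        if len(seen) >= min_signals:
            findings.append({"host": logon["host"], "user": logon["user"],
                             "src": logon["src"], "signals": sorted(seen)})
    return findings

if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

Requiring at least two signals per session keeps a sanctioned RemotePC deployment or a routine account creation from alerting on its own.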