Prinz Eugen ransomware: a deep dive into a new Go-based encryptor
Essential information
- Published: 25/06/2026 16:55
- Modified: —
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: go-based, prinz eugen, remotepc, rmm, rootboy
- Related entities: 16 indicators, 14 observables, 1 intrusion set (apt), 17 techniques (mitre), 1 malware
Description
Prinz Eugen is a newly discovered Go-based ransomware family first observed in April 2026, attributed to an actor known as ROOTBOY. The encryptor employs sophisticated techniques including ChaCha20-Poly1305 encryption, prioritizes recently modified files to maximize pressure on victims, and implements anti-forensic measures such as memory scrubbing and self-deletion. Unlike typical ransomware, it leaves no ransom note on disk, conducting all extortion communications out-of-band through leak sites and direct contact. The threat actor gains initial access through compromised RDP credentials, uses legitimate RMM tools like RemotePC for persistence, and creates backdoor admin accounts. Victims span multiple countries and sectors, with notable incidents including Standard Bank Group in South Africa and Transitions Pro Centre Val de Loire in France.