New MaaS Prysmax Launches Fully Undetectable Infostealer – CYFIRMA

CYFIRMA documents a new malware-as-a-service, Prysmax, offering a fully undetectable information stealer, RAT, and botnet services. The Python-based Prysmax stealer exfiltrates crypto wallets, passwords, and cookies, uses PowerShell for stealthy actions, and relies on a Discord-based C2, while the developer reportedly hails from Spain.
#Prysmax #PrysmaxStealer #CYFIRMA #lunarymc.xyz #16f902f7537f03d04d3ce308825a725734c028a57958a82f3ae6c8a837b7fd45 #051508e80d56c787f50fa36e95b013484cb57db7cffa86fdf314749dcf69c02d #17048488f601aa25d2d24b60960abcea22f7ad108b06da2657f4c8539af53d0b #0918ec2719149bd59d058b70bf683775a4d39fa8d24614236062034558d1e0be #8d09ef6bb0a751d4efd06a59d55506cfecccbae5847c503066373d68f431b821 #Spain

Keypoints

  • CYFIRMA identifies a new MaaS infostealer named Prysmax, marketed as fully undetectable and offering stealer, RAT, and botnet services.
  • The stealer targets broad data theft (crypto wallets, passwords, cookies) and uses PyInstaller to bundle the malware into a single executable.
  • Anti-detection and defense-evasion techniques include manipulating file associations, disabling Defender and firewall, and reducing security postures via PowerShell commands.
  • Persistence is achieved through startup registry keys and multiple locations, with data exfiltration extending to removable storage devices.
  • PowerShell is heavily leveraged for actions, and WMI is used to gather system information (UUID).
  • Command-and-control reportedly uses a Discord bot, with efforts to establish a more robust C2 (bulletproof VPS) and a suspected Spanish origin.

MITRE Techniques

  • [T1562.001] Disable or Modify Security Tools – The malware disables Windows Defender and the built-in firewall to ensure uninterrupted operation. “To ensure uninterrupted operation, the infostealer takes steps to disable Windows Defender and the built-in firewall.”
  • [T1547.001] Boot or Logon Autostart Execution – Persistence via Startup: The malware attempts to establish persistence by adding an entry to the user’s startup using the following registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NombreDescriptivo. “The malware attempts to establish persistence by adding an entry to the user’s startup…”
  • [T1112] Modify Registry – Manipulating File Associations: The malware manipulates Windows file associations for the .exe extension via a registry key. “Manipulating the Windows file associations, specifically targeting the ‘.exe’ file extension. It interacts with the following registry key…”
  • [T1047] Windows Management Instrumentation – System UUID discovery: The malware uses WMI to retrieve the system’s UUID. “wmic csproduct get uuid”
  • [T1071.001] Application Layer Protocol: Web Protocols – Command-and-Control via Discord: The attacker uses a Discord bot as the C2 for Prysmax Stealer. “The TA currently uses a discord bot as the C2 for Prysmax Stealer.”
  • [T1059.001] PowerShell – Extensive PowerShell usage for data exfiltration and covert actions. “The malware makes extensive use of PowerShell, a scripting language native to Windows, to carry out its malicious actions.”
  • [T1052] Exfiltration to Physical Media – Removable storage exfiltration: The malware exfiltrates files when a removable storage device is connected. “when a victim inserts any removable storage device onto the infected machine, all the files on the removable storage get exfiltrated anonymously.”
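The techniques above leave host-side artifacts a responder can check directly. The following PowerShell audit is an added example written for this summary; it is not CYFIRMA's tooling and not code from Prysmax. It inspects the HKCU and HKLM Run keys for the quoted value name NombreDescriptivo (and, as a heuristic assumption of this example, any autorun launched from a user-writable folder), looks for a per-user override of the .exe association and a non-default exefile open command (the report elides the exact key it targets, so the standard HKCU\Software\Classes\.exe and HKEY_CLASSES_ROOT\exefile locations are assumed here), and reports whether Defender real-time protection or any firewall profile has been turned off.

```powershell
# Added defender-side audit for the Prysmax techniques listed above.
# Not CYFIRMA's or the malware's code. Run in an elevated PowerShell on the host being triaged.
# Assumptions: value name 'NombreDescriptivo' as quoted in the report; standard .exe association keys.

$findings = @()

# 1. T1547.001 - Run key persistence (per-user and machine-wide)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
        $cmd = [string]$p.Value
        if ($p.Name -eq 'NombreDescriptivo') {
            $findings += "Run value 'NombreDescriptivo' in $key -> $cmd"
        } elseif ($cmd -match '\\(AppData|Temp|Downloads)\\') {
            # Heuristic (this example's assumption): autoruns from user-writable paths deserve review
            $findings += "Run value '$($p.Name)' in $key launches from a user-writable path -> $cmd"
        }
    }
}

# 2. T1112 - .exe file association. A per-user .exe class normally does not exist, and the
# machine-wide exefile open command is normally exactly "%1" %*.
if (Test-Path 'HKCU:\Software\Classes\.exe') {
    $findings += 'Per-user override of the .exe association exists at HKCU:\Software\Classes\.exe'
}
$openCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' `
            -ErrorAction SilentlyContinue).'(default)'
if ($openCmd -and $openCmd -ne '"%1" %*') {
    $findings += "exefile open command is non-default: $openCmd"
}

# 3. T1562.001 - Defender and firewall posture
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender real-time protection is disabled'
}
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs -and $prefs.DisableRealtimeMonitoring) {
    $findings += 'Defender preference DisableRealtimeMonitoring is set'
}
foreach ($fw in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
    if (-not $fw.Enabled) {
        $findings += "Firewall profile '$($fw.Name)' is disabled"
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean host prints "No findings."; anything else is a lead to pivot on (the autorun command line gives the dropped file path, which the IoC hashes below can then confirm or rule out). The Defender checks need the Defender PowerShell module, so on a host where Defender has been removed rather than disabled they are silently skipped and the firewall and registry checks still run.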

Indicators of Compromise

  • [SHA256] Prysmax Stealer file hashes – 16f902f7537f03d04d3ce308825a725734c028a57958a82f3ae6c8a837b7fd45, 051508e80d56c787f50fa36e95b013484cb57db7cffa86fdf314749dcf69c02d, 17048488f601aa25d2d24b60960abcea22f7ad108b06da2657f4c8539af53d0b, 0918ec2719149bd59d058b70bf683775a4d39fa8d24614236062034558d1e0be, 8d09ef6bb0a751d4efd06a59d55506cfecccbae5847c503066373d68f431b821
  • [Domain] Command and Control Domain – lunarymc.xyz, Jghghghgjjg.lunarymc.xyz
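The indicators above are most useful when swept across endpoints rather than read. The PowerShell sweep below is an added example, not part of the CYFIRMA report; the five SHA256 values and two domains in it are the ones published on this page, while the folders it scans are an assumption of this example (a PyInstaller-bundled stealer usually lands in user-writable locations, so the user's Temp, Downloads and Roaming folders are checked; extend $scanRoots for a wider sweep). It hashes candidate files and compares them against the IoC set, then checks the DNS client cache for any resolution of the C2 domain.

```powershell
# Added IoC sweep for the Prysmax indicators published by CYFIRMA (above).
# Not CYFIRMA's tooling. Assumption of this example: scan roots below; widen as needed.

$iocHashes = @(
    '16f902f7537f03d04d3ce308825a725734c028a57958a82f3ae6c8a837b7fd45',
    '051508e80d56c787f50fa36e95b013484cb57db7cffa86fdf314749dcf69c02d',
    '17048488f601aa25d2d24b60960abcea22f7ad108b06da2657f4c8539af53d0b',
    '0918ec2719149bd59d058b70bf683775a4d39fa8d24614236062034558d1e0be',
    '8d09ef6bb0a751d4efd06a59d55506cfecccbae5847c503066373d68f431b821'
)
$iocDomains = @('lunarymc.xyz', 'jghghghgjjg.lunarymc.xyz')
$scanRoots  = @(
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\AppData\Roaming"
)

# Case-insensitive set: Get-FileHash returns upper-case hex, the report lists lower-case
$hashSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$iocHashes, [System.StringComparer]::OrdinalIgnoreCase)
$hits = @()

# 1. File hashes: PyInstaller bundles ship as .exe; archives are included in case the
#    dropper is still on disk in its delivered form.
foreach ($root in $scanRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.zip -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($h -and $hashSet.Contains($h)) {
                $hits += [pscustomobject]@{ Type = 'FileHash'; Indicator = $h.ToLower(); Where = $_.FullName }
            }
        }
}

# 2. C2 domain: a cached DNS entry means something on this host resolved it recently.
foreach ($entry in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
    foreach ($d in $iocDomains) {
        if ($entry.Entry -like "*$d") {
            $hits += [pscustomobject]@{ Type = 'DnsCache'; Indicator = $entry.Entry; Where = $entry.Data }
        }
    }
}

if ($hits.Count -eq 0) { 'No IoC matches.' } else { $hits | Format-Table -AutoSize }
```

The Discord-based C2 itself is not a good hunting indicator, since Discord traffic blends into normal user activity; that is why the sweep keys on the attacker-controlled domain and on-disk artifacts instead. Hash matching only catches the exact builds CYFIRMA observed, so a miss here does not clear a host that the persistence and posture audit has already flagged.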

Read more: https://www.cyfirma.com/outofband/new-maas-prysmax-launches-fully-undetectable-infostealer/