A newly advertised iteration of the Prysmax information-stealing malware, version 1.0.2, has surfaced on dark web forums, touting enhanced evasion capabilities and integration with underground log marketplaces.
According to a June 2024 post on the Russian-language forum Exploit.in, the Rust-based stealer claims to bypass 95% of antivirus detections while pilfering passwords, cryptocurrency wallets, and browser cookies.
This development marks a significant shift from earlier Python-based variants analyzed by cybersecurity firms in 2023, signaling threat actors’ investment in cross-platform adaptability and anti-analysis techniques.
Evolution of Prysmax Stealer’s Technical Capabilities
According to the post from DailyDarkWeb, the v1.0.2 release represents a strategic pivot toward Rust, a language increasingly favored by malware developers for its cross-platform toolchain and for producing large, statically linked binaries that are less familiar to analysts and to detection tooling than the Python payloads seen earlier.

While CYFIRMA’s 2023 analysis identified Python-based Prysmax variants using PyInstaller bundling and PowerShell for persistence, the Rust rewrite likely improves execution speed and complicates reverse engineering, since the interpreter and bundled scripts that made the Python builds easy to unpack are gone.
The stealer’s advertised “fully undetectable” (FUD) build and web panel align with historical behavior: earlier versions manipulated Windows Defender policy settings under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender to disable real-time protection and to exclude .exe files from scans.
Notably, the malware’s use of Telegram bots for C2 communication and data exfiltration mirrors tactics documented in Fickle Stealer and Mystic Stealer, suggesting a convergent evolution in cybercrime tooling.
The new version reportedly automates credential harvesting from 40+ Chromium-based browsers and 70+ cryptocurrency extensions, expanding beyond its predecessors’ focus on Ethereum and Bitcoin wallets.
Underground Market Integration and Monetization
Prysmax’s operators have adopted a Malware-as-a-Service (MaaS) model, offering subscriptions to botnet, RAT, and stealer functionalities since 2022.
The v1.0.2 release emphasizes integration with log marketplaces like 2easy and Russian Market, where stolen credentials are parsed, categorized, and sold for $2–$500 per log.
This mirrors trends observed in 2023–2024, where infostealer log inventories grew 670% on the Russian Market alone, driven by Raccoon, RedLine, and Vidar stealers.
The stealer’s Spain-linked developers—identified through GitHub and YouTube OpSec failures in 2023—now appear to leverage Rust’s efficiency to scale payload distribution.
Distribution vectors remain consistent: malicious email attachments, trojanized software cracks, and fraudulent ads impersonating legitimate IT tools such as LogicMonitor and AnyDesk.
Defensive Recommendations for Organizations
To counter Prysmax’s updated TTPs, enterprises should prioritize behavioral analytics over signature-based detection.
CYFIRMA’s 2023 MITRE ATT&CK mappings highlight critical detection points, including anomalous PowerShell execution such as Set-MpPreference -SubmitSamplesConsent 2 (which sets Defender sample submission to NeverSend) and registry modifications that disable Windows Firewall profiles.
Network defenders can deploy Sigma rules targeting process creation events tied to host fingerprinting via wmic csproduct get UUID and to Windows Defender preference overrides (Set-MpPreference, Add-MpPreference, or writes under the Defender Policies registry key).
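As an added example (not code from the article, from CYFIRMA, or from any published Sigma rule), the following Python turns the detection points above into Sigma-style command-line selections and runs them over a handful of constructed process-creation events. The sample events, rule identifiers and regular expressions are this example's own; the MITRE technique ids are the standard ones for system discovery and defense evasion.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str          # rule name chosen for this example
    technique: str        # MITRE ATT&CK technique id
    pattern: re.Pattern   # matched case-insensitively against the full command line


# Detection logic modelled on the behaviours the article's sources attribute to Prysmax:
# host fingerprinting via WMI, Defender tampering via PowerShell or the Policies registry
# hive, and firewall profile changes. Regexes are assumptions, not vendor-published rules.
RULES = [
    Rule("wmic_csproduct_uuid", "T1082",
         re.compile(r"\bcsproduct\s+get\s+uuid\b", re.I)),
    Rule("defender_submit_samples_consent_2", "T1562.001",
         re.compile(r"-SubmitSamplesConsent\s+2\b", re.I)),
    # Covers both "Set-MpPreference -DisableRealtimeMonitoring $true" and a
    # "reg add ... /v DisableRealtimeMonitoring ... /d 1" policy write.
    Rule("defender_realtime_monitoring_disabled", "T1562.001",
         re.compile(r"DisableRealtimeMonitoring\b.*?(\$true|/d\s+1\b)", re.I)),
    Rule("defender_policy_key_modified", "T1562.001",
         re.compile(r"Policies\\Microsoft\\Windows Defender", re.I)),
    Rule("defender_exclusion_added", "T1562.001",
         re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
    Rule("firewall_profiles_disabled", "T1562.004",
         re.compile(r"advfirewall\s+set\s+(all|domain|private|public)profiles?\s+state\s+off", re.I)),
]

# Constructed sample events in the shape of Sysmon Event ID 1 / Security 4688 records
# (image path, command line). These are illustrative, not captured telemetry.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic csproduct get UUID"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -nop -w hidden -c Set-MpPreference -SubmitSamplesConsent 2 -DisableRealtimeMonitoring $true"),
    ("C:\\Windows\\System32\\reg.exe",
     'reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection" '
     "/v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     'powershell -c Add-MpPreference -ExclusionExtension ".exe"'),
    ("C:\\Windows\\System32\\netsh.exe", "netsh advfirewall set allprofiles state off"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "powershell Get-Process"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic os get caption"),
]


def match_event(command_line: str) -> list:
    """Return the ids of every rule whose pattern hits this command line, in RULES order."""
    return [r.rule_id for r in RULES if r.pattern.search(command_line)]


def scan_events(events) -> list:
    """Return only the events that tripped at least one rule, with rule ids and techniques."""
    hits = []
    for image, cmdline in events:
        ids = match_event(cmdline)
        if ids:
            techniques = sorted({r.technique for r in RULES if r.rule_id in ids})
            hits.append({"image": image, "command_line": cmdline,
                         "rules": ids, "techniques": techniques})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(", ".join(hit["techniques"]), "|", ", ".join(hit["rules"]), "|", hit["command_line"])
```

Two design choices worth keeping when porting this to a SIEM: match on the full command line rather than on the image, because the same tampering reaches Defender via powershell.exe, reg.exe or a WMI call, and accept both the PowerShell `$true` form and the `/d 1` registry form in one rule so that a stealer switching from Set-MpPreference to a direct policy write does not slip past.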
Proactive measures include isolating cryptocurrency transaction workflows via hardware wallets and enforcing MFA for password managers like LastPass and Dashlane—both frequent Prysmax targets.
Threat-hunting teams should monitor dark web forums like CryptBB and Exploit.in for stealer-specific IOCs, in particular sample SHA256 hashes and the C2 domains tied to Prysmax’s evolving infrastructure (e.g., lunarymc[.]xyz), and feed both into endpoint and DNS blocklists.
As Prysmax v1.0.2 infiltrates networks, its Rust-based architecture and marketplace partnerships underscore cybercrime’s industrial shift—a reminder that today’s stealthy infostealers fuel tomorrow’s ransomware campaigns.