Interview with Pryx Part 2: Diving Deeper into Server-Side Stealers & Other Interesting Chit-chats

In our previous interview with Pryx, the threat actor briefly touched upon the concept of server-side stealers claiming it to be completely different from how traditional info-stealers work. We were interested in learning more about this new innovative approach so we decided to dive deeper in a follow-up chat-based interview. This time, Pryx not only explained the stealer’s mechanics but also shared a video demonstration of how it works. Along the way, we explored the actor’s methodologies for targeting companies and cleared up misconceptions about the so-called “Pryx ransomware group,” which, as it turns out, was never a group to begin with.

---

---

Key Findings

Techniques and Entry Methods

• Breaking In: Pryx gains access through brute-forcing VPN credentials, exploiting vulnerabilities, or spear-phishing campaigns.
• Gaining Control: After entry, they escalate privileges by exploiting outdated systems or misconfigurations, often creating backdoors for persistence.
• Selling Access: Instead of always deploying ransomware themselves, Pryx sells privileged access to other ransomware operators, prioritizing profitability.

Notable Incidents

• U.S. Company ($800M revenue): Breached via brute-forced VPN credentials, escalated to root through outdated hosts, and deployed ransomware.
• UAE Travel Conglomerate ($3B revenue): Exploited an exposed, outdated Palo Alto management panel for instant root access and locked the server with ransomware.

Misconception About Pryx Ransomware Group:

• Pryx clarified they are not part of any group; the so-called “Pryx ransomware group” does not exist. Pryx operates independently, using an onion blog for posting leaks and personal thoughts.

Attack Workflow:

• Initial Access: Brute-forcing VPN credentials, exploiting vulnerabilities, or spear-phishing campaigns.
• Escalation: Exploiting outdated hosts or writable cron jobs to gain root access.
• Data Exfiltration: Using backdoors, SFTP, or custom protocols for data transfer.
• Command-and-Control (C2): A simple setup using Pryx’s server and a lightweight listener.

Selling Access:

• Pryx often sells access to ransomware operators instead of deploying ransomware directly, focusing on maximizing profits.

---

The Interview

Below we have presented the questions and answers with no modification.

---

Question: Can you please give us a glimpse of the new server-side stealer and is it already in production?

Answer: I will post a video because I only tested it on an Indian corp that I use for testing lol. In this demonstration, it can steal browser cookies and passwords for now, since it’s a simple poc, but it’s able to steal almost everything normal stealers can steal.

(Our explanation: When a victim is infected, the stealer creates a Tor-based service and sets up a directory listing on the victim’s system, sending the onion link to the attacker. From there, the stealer gathers all necessary data, allowing the attacker to exfiltrate it via GET requests.

Unlike traditional stealers, this malware doesn’t perform full data theft locally. Instead, it simply establishes the onion service and sends a JSON request to the attacker with the username and onion address. No direct “stealing” occurs on the victim’s system, making it much harder to detect. The attacker manages everything remotely, with the real data extraction taking place on their server after obtaining the onion address.)

Question: How you used server side sealer in your attacks? What’s the advantage of this stealer?

Answer: I didn’t I just tested it on a company and it worked normally. it’s biggest advantage that it’s a stealer but the malware doesn’t have a stealer code. So far, I haven’t used a server-side stealer in any of my attacks, but the advantages are pretty clear. It’s a completely different approach from the usual stealers. Instead of loading all the code onto the victim’s device making it easier to detect, it uses a Tor-hosted directory listing and GET requests to grab the data remotely.

With this method, the actual stealing and decryption happen on my server, not on the victim’s device. This keeps the malware lightweight and harder to detect. It’s also easier to maintain since I can tweak the scripts handling the data without needing to change the malware. Plus, it can manage multiple victims by just tracking new onion addresses in the database.

The concept doesn’t have to rely only on Tor. If you’re worried about Tor raising flags or not working in certain places, like North Korea, there are plenty of other options. For example, you could have victims connect to an attacker-controlled VPN using a preconfigured profile. Once they’re on the attacker’s network, you could scan for connected devices and scrape their data, just like in the Tor-based setup. Instead of onion addresses, you’d use the victims’ VPN-assigned IPv4s.

Imagine getting hacked just because you connected to a VPN and set up localhost, that’s next-level trolling lol.

Question: Are you planning to deploy server side stealers in your future attacks?

Answer: yeah, but right now I’m too lazy, if i wanted to deploy, Imma just deploy the vpn preconfig malware idea.

Question: What is this VPN pre-config malware? Can you please elaborate on it more?

For example, you could have victims connect to an attacker-controlled VPN using a preconfigured profile. Once they’re on the attacker’s network, you could scan for connected devices and scrape their data, just like in the Tor-based setup. Instead of onion addresses, you’d use the victims’ VPN-assigned IPv4s.

---

We observed that some companies (Vectra.ai and Red Hot Cyber) have named Pryx as a Pryx ransomware group. So, our next question was just about that.

Question: What is “Pryx ransomware group”? When did it emerge and what was the motivation?

Answer: Pryx isn’t a group, it’s just me. I don’t have some crew or operation running under the name. I’ve got my own onion blog where I post leaked data and personal thoughts. It’s not strictly a ransomware leak site or anything like that. my onion site is just a platform for whatever I decide to put out there.

---

Question: How do you usually obtain initial access? Please explain it from obtaining the initial access to data exfiltration.

Answer: I get in through phishing or exploiting a vuln, move around, drop a backdoor, and grab what I need using SFTP or whatever protocol the host allows, or just exfiltrate to waifu.cat or something similar. For C2, I stick to my own server and a simple listener. Nothing fancy; I’m here for the access, not the extra features I don’t use or need.

---

Question: Describe an incident, which you managed to get a ransom. Please explain it from A to Z.

Answer: I bruteforced some VPN credentials and got decent access. From there, I scanned the network and found a few outdated hosts. I backdoored them, and one of those systems had admin control over others, so I pushed malware to all devices, both Windows and MacOS.
Once that was done, I encrypted the Windows machines, but since I didn’t have a locker for MacOS, they survived. Regardless, I exfiltrated some pretty juicy data. The company ended up paying the ransom.
Since I’m selling access to other ransomware groups, mentioning the accesses before they post it to their leak sites will for sure make me lose a lot of money.

Question: Can you shed some light on your recent attacks and discuss your methodologies?

Answer: Most of my access comes from brute-forcing VPN credentials, mass exploiting CVEs, or running large spear phishing campaigns. Once I get in, I try to escalate to root.

Once I have root, I’ll create a new user with the highest privileges and sell SSH access to it, to ransomware operators. If it’s a Windows machine, the process is the same, but I’ll set up RDP instead.

I ransomed a company based in the U.S. not too long ago, with about $800 million in revenue. The initial access came from valid brute-forced VPN credentials, which gave me a foothold in their network. Once inside, I scanned for outdated hosts and found a writable cron job that let me escalate to root. With root access secured, I created a new user account with the highest privileges and deployed ransomware directly to their server.

Another example is a company based in the UAE, a global travel and tourism conglomerate with over $3 billion in revenue. Their Palo Alto management panel was exposed and running an outdated version. Exploiting that gave me instant root access. From there, the only step left was to deploy ransomware and lock the server.

These are just some of the corps I can remember off the top of my head. I sell access in bulk, so I don’t really keep track of everything.

---

Thanks again, Pryx, for your valuable time.