rootboy

ROOTBOY is a criminal threat actor publicly linked in the provided reporting to the Prinz Eugen ransomware activity and to underground sales of stolen data. Known aliases directly mentioned in the content are ROOTBOY, avtokz, and the extortion name GERMANIA. The strongest attribution trail in the content connects Prinz Eugen to ROOTBOY. Researchers linked the actor based on leak-site reporting, historical forum activity, a shared German-themed naming pattern, and reuse of the alias GERMANIA. In the observed intrusion, the suspected initial access vector was compromised RDP credentials. The actor then used RemotePC to launch PowerShell stagers and deploy additional payloads downloaded from 212.80.7.74, which researchers suspected functioned as C2 and hosted an admin console. The actor also created a local admin account with the command "net user admin germania /add." Reported victims tied to this activity included Standard Bank Group in South Africa and Transitions Pro Centre Val de Loire in France; the broader reporting also listed 700Credit in the United States, Vantage Finance, and a US/Canada driving-school software provider. The Prinz Eugen ransomware described in the content is a newly built Go-based encryptor that appends the .prinzeugen extension, recursively encrypts files, prioritizes recently modified files, uses ChaCha20-Poly1305 with integrity verification, can delete originals after successful encryption, and performs anti-forensic actions including zeroing key material and self-deleting. The campaign is described as combining data theft, encryption, leak-site pressure, and out-of-band extortion, rather than relying on an on-disk ransom note. Separately, ROOTBOY was observed monetizing stolen data on underground forums. On November 16, 2025, a user operating as ROOTBOY advertised a 700Credit database for sale on Exploit and DarkForums, claiming approximately 8.4 million records and posting sample data, with an initial asking price of USD 2,500. The content states ROOTBOY referenced a failed extortion attempt under the alias GERMANIA, removed proof samples, and deleted posts after an auction, consistent with underground tradecraft. ROOTBOY's TOX ID was linked in the reporting to the underground identity avtokz, which had previously advertised a Vantage Finance database for sale in July 2025. The content does not support high-confidence attribution of ROOTBOY to a specific nation state.