Magniber is a ransomware family commonly known as Magniber and closely associated with the Magnitude Exploit Kit, which has distributed it since 2017 as a replacement for Cerber. Reported delivery vectors in the provided content include adult-themed malvertising campaigns targeting vulnerable Microsoft Windows and Internet Explorer users, exploitation of Internet Explorer and Windows vulnerabilities such as CVE-2021-26411 and CVE-2020-0986, exploitation of CVE-2019-1367 by Magnitude EK, fake software updates, and a signed AppX package masquerading as a Microsoft Edge update. The content also states that Magniber actors exploited Windows Mark-of-the-Web bypass CVE-2022-41091 and separately exploited CVE-2022-44698, and that ransomware groups including Magniber exploited Windows Print Spooler flaws CVE-2021-1675 and CVE-2021-34527 in the wild.
Behaviorally, Magniber enumerates logical drives, recursively encrypts selected file types, excludes certain folders and hidden, system, readonly, temporary, and virtual files, and drops ransom notes in affected folders as well as an additional note in %PUBLIC%, which it opens with notepad.exe. The current version described in the content generates per-file AES-128 keys and IVs locally using a custom PRNG and encrypts them with an embedded RSA public key. It also opens a victim-specific payment page and exfiltrates deployment metadata including encrypted-file counts, total encrypted size, encrypted-drive counts, total encountered files, Windows version, victim identifier, and Magniber version. It attempts to delete shadow copies using UAC bypass techniques involving CompMgmtLauncher.exe on older systems and ComputerDefaults.exe plus DelegateExecute on Windows 10. One reported bug affects files whose size is a multiple of 0x100000 bytes, potentially making them unrecoverable even for the attackers.
The content links Magniber strongly to South Korea and, at times, Taiwan and Japan, while earlier Magnitude campaigns also targeted Hong Kong, Singapore, the United States, and Malaysia. It is described as one of the most prevalent ransomware families in some telemetry, accounting for 62% of detected ransomware cases in one Q4 2024 report. Additional sample analysis in the content describes a Magniber-linked AppX package containing a .NET executable and an obfuscated DLL using manual syscalls, jump-heavy control flow, and behavior consistent with memory allocation and possible unpacking or injection. Indicators explicitly provided in the content include the AppX sample edge_update.appx; executable eediwjus.exe with SHA-256 ad4f74c0c3ac37e6f1cf600a96ae203c38341d263dbac0741e602686794c4f5a; DLL eediwjus.dll with SHA-256 f423bd6daae6c8002acf5c203267e015f7beb4c52ed54a78789dd86ab35e46c6; and Magnitude-related infrastructure examples such as binlo[.]info, fab9z1g6f74k.tooharm[.]xyz, 6za16cb90r370m4u1ez.burytie[.]top, bluegas[.]website, and pophot[.]website.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
8 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Magnitude currently exploits an Internet Explorer memory corruption vulnerability, CVE-2021-26411, to get shellcode execution inside the renderer process... A fully functional exploit for CVE-2021-26411 can be found on the Internet and Magnitude uses that public exploit directly, just with some added obfuscation on top.
Magnitude currently exploits... a Windows memory corruption vulnerability, CVE-2020-0986, to subsequently elevate privileges... Magnitude escapes the EPM sandbox by exploiting CVE-2020-0986, a memory corruption vulnerability in splwow64.exe.
Google TAG Team discovered CVE-2019–1367 exploited in the wild by a threat actor... CVE-2019–1367 enables Remote Code Execution (RCE) in the context of Internet Explorer in all version from 8, 9, 10 and 11 due to a memory corruption in jscript.dll... Microsoft released a patch and encouraged users to disable jscript.dll.
Both vulnerabilities are remote code execution flaws (RCE) and have since been exploited in the wild by ransomware groups like Magniber and Vice Society.
Researchers at HP observed the Magniber ransomware group exploiting this vulnerability in the wild.
Rintaro and Hajime gave an update on an exploit kit called Magnitude Exploit Kit observed in 2021 and the analysis results of ransomware called Magniber, which is executed by this kit.
That vulnerability, the real PrintNightmare, later received the CVE identifier CVE-2021-34527 and an out-of-band patch. Both vulnerabilities are remote code execution flaws (RCE) and have since been exploited in the wild by ransomware groups like Magniber and Vice Society.
...Magniber group also exploited CVE-2022-44698, a different MoTW vulnerability, in October 2022, before the vulnerability was patched by Microsoft in December.
15 distinct techniques documented for this family, organized by ATT&CK tactic.
The attackers behind the Magnitude Exploit Kit are exploiting this momentum by running malicious ads that are currently shown only to South Korean Internet Explorer users. The ads can mostly be found on adult websites, which makes this an example of so-called adult malvertising.
Once a suitable target process is found, the shellcode jumps through the Heaven’s Gate and injects the payload into the target process using the following sequence of syscalls: NtOpenProcess -> NtCreateSection -> NtMapViewOfSection -> NtCreateThreadEx -> NtGetContextThread -> NtSetContextThread -> NtResumeThread.
Finally, Magniber attempts to delete shadow copies using a UAC bypass. It writes a command to delete them to HKCU\Software\Classes\mscfile\shell\open\command and then executes CompMgmtLauncher.exe... on Windows 10... writing the command to HKCU\Software\Classes\ms-settings\shell\open\command , creating a key named DelegateExecute there, and finally running ComputerDefaults.exe.
Once entering the function, the sample contains loads of jmp instructions that cause execution to bounce around to various points of the binary. This makes it hard for analysts to follow execution.
From the name Edge Update and publisher name Microsoft Inc, it appears the malware wants to masquerade as a Microsoft Edge browser update.
Once a suitable target process is found, the shellcode jumps through the Heaven’s Gate and injects the payload into the target process using the following sequence of syscalls: NtOpenProcess -> NtCreateSection -> NtMapViewOfSection -> NtCreateThreadEx -> NtGetContextThread -> NtSetContextThread -> NtResumeThread.
Finally, Magniber attempts to delete shadow copies using a UAC bypass.
If the integrity level is Low or Untrusted, the shellcode reaches out to the first URL and downloads an encrypted LPE exploit from there... if the integrity level is Medium or higher... it downloads the final payload (currently Magniber ransomware) from the second URL.
Magniber also automatically opens up the payment page in the victim’s browser and while doing so, exfiltrates further information about the ransomware deployment through the URL, such as: The number of encrypted files, The total size of all encrypted files, The number of encrypted logical drives...
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware whose distribution suspension was linked to a decline in detections.
A ransomware family mentioned as one of the payloads delivered by Magnitude Exploit Kit.
Ransomware referenced as previously distributed via malvertising campaigns.
Ransomware operation reported as weaponizing a Windows Mark-of-the-Web (MoTW) security feature bypass to target users via fake software update lures.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.