Mallory
Malware | Ransomware | Used by 1 actor | Exploits 1 CVE

Cerber

Cerber is a ransomware family and early ransomware-as-a-service (RaaS) operation active since at least 2016. Multiple sources describe Cerber as a partnerka/RaaS platform operated by the actor "crbr," who distributed Cerber builds to affiliates in exchange for a share of ransom revenue. Affiliates were reported to spread Cerber through vectors including spam and malvertising, and Cerber was also delivered by the Magnitude exploit kit, which replaced Cerber with Magniber in 2017.

The malware is primarily associated with file encryption and ransom-note delivery. Older Cerber variants are described as using the extension ".locked" and HTML ransom notes such as "$$RECOVERYREDME$$.html." Newer activity observed in late 2023 used the extension ".L0CK3D" and dropped text ransom notes named "read-me3.txt." Trend Micro identified the 2023 samples as Cerber based on strong similarity to older Cerber payment-site content and interface text, despite these note and extension differences.

Cerber has been observed using blockchain-related infrastructure in some versions. Reporting states that Cerber versions 4.1.0 and later used BlockCypher over HTTP to retrieve Bitcoin-address transaction information via api.blockcypher.com. This is explicitly contrasted with a separate .NET downloader that used Ethereum transaction data and was noted only as analogous to Cerber's BlockCypher usage, not as Cerber itself.

Recent reporting in the content links Cerber to exploitation of Atlassian Confluence vulnerability CVE-2023-22518. Trend Micro reported attackers exploiting this improper-authorization flaw in Confluence Data Center and Server to gain access, execute an encoded PowerShell downloader, retrieve and decrypt the payload, and encrypt files with the ".L0CK3D" extension while dropping "read-me3.txt" ransom notes. The same reporting also observed Linux bash scripts, including "bapo.sh," used to deploy a Linux Cerber variant. Separate reporting from Cado Security Labs describes a Linux Cerber variant also referred to as C3RB3R: attackers exploited CVE-2023-22518 to reset Confluence and create a new administrator account, deployed the Effluence web shell plugin for command execution, then staged heavily obfuscated UPX-packed 64-bit ELF Cerber payloads. Those payloads acted as a stager, attempted to create /var/lock/0init-ld.lo, contacted 45.145.6.112 to fetch additional components, logged to /tmp/log.0 and /tmp/log.1, searched for encryptable directories, dropped ransom notes, and encrypted files with the ".L0CK3D" extension. In default Confluence deployments, impact may be limited to files owned by the low-privilege "confluence" user, though the Confluence datastore can still be encrypted.

Reporting also mentions infrastructure associations: IP 194.165.16[.]80 was described as a repurposed Cobalt Strike C2 that also hosted recent Cerber ransomware samples as late as October 2023, and 194.165.16[.]64 and 194.165.16[.]92 were likewise reported as having been used by Cerber ransomware. More broadly, Cerber is repeatedly cited as a prominent ransomware family in historical reporting, including botnet-controller and ransomware trend analyses from 2016 and 2017.
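The Linux variant described above leaves a small set of host artefacts (the lock file, the /tmp logs, the stager IP, the ".L0CK3D" extension and the "read-me3.txt" note). The following triage script is an added example, not code from Mallory or from any of the cited reports: it parses a hypothetical one-event-per-line audit format (constructed here) and scores how many of those page-documented indicators appear together, so a single renamed file is not mistaken for an active encryption run.

```python
import re
from collections import Counter

# Host artefacts the reporting above attributes to the Linux Cerber stager/encryptor.
LOCK_FILE = "/var/lock/0init-ld.lo"
LOG_FILES = {"/tmp/log.0", "/tmp/log.1"}
STAGER_IP = "45.145.6.112"
ENC_EXT = ".L0CK3D"
NOTE_NAME = "read-me3.txt"
# One event per line: "<op> <path>" or "rename <src> -> <dst>" (hypothetical audit format).
EVENT_RE = re.compile(r"^(?P<op>\w+)\s+(?P<arg>\S+)(?:\s+->\s+(?P<dst>\S+))?$")

def parse_event(line):
    """Parse one audit line; returns None for lines that do not fit the format."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Return (verdict, hits): hits counts each Cerber indicator seen in the events."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        op, arg, dst = ev["op"], ev["arg"], ev["dst"]
        target = dst or arg  # for renames, judge the new name
        if arg == LOCK_FILE or arg in LOG_FILES:
            hits["stager_artefact"] += 1
        if op == "connect" and arg.split(":")[0] == STAGER_IP:
            hits["stager_ip"] += 1
        if target.endswith(ENC_EXT):
            hits["encrypted_file"] += 1
        if target.rsplit("/", 1)[-1] == NOTE_NAME:
            hits["ransom_note"] += 1
    # One renamed file alone is weak evidence; stager artefacts or the note make it strong.
    strong = hits["stager_artefact"] or hits["stager_ip"] or hits["ransom_note"]
    if strong and hits["encrypted_file"]:
        verdict = "cerber_linux_encryption_in_progress"
    elif strong or hits["encrypted_file"] >= 5:
        verdict = "cerber_linux_suspected"
    else:
        verdict = "no_match"
    return verdict, dict(hits)

SAMPLE_EVENTS = [  # constructed sample, not from a real incident
    "create /var/lock/0init-ld.lo",
    "connect 45.145.6.112:443",
    "rename /home/confluence/data/report.docx -> /home/confluence/data/report.docx.L0CK3D",
    "create /home/confluence/data/read-me3.txt",
]
```

The /home/confluence/data path in the sample is a constructed placeholder; in a real deployment the files at risk are those writable by the low-privilege "confluence" user, as the reporting above notes.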


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2019-1367: Scripting Engine Memory Corruption RCE in Internet Explorer (Exploited in the wild)

Google TAG Team discovered CVE-2019-1367 exploited in the wild by a threat actor... CVE-2019-1367 enables Remote Code Execution (RCE) in the context of Internet Explorer in all versions from 8, 9, 10 and 11 due to a memory corruption in jscript.dll... Microsoft released a patch and encouraged users to disable jscript.dll.

via Confiant blog (blog.confiant.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

crbr

This method is used by ransomware strains like Cerber, operated by the threat actor crbr, who distributes builds of Cerber to the affiliates... These affiliates then spread Cerber themselves through vectors like spam or malvertising...

via Recorded Future (recordedfuture.com)
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1583 Acquire Infrastructure (Evidence: 1)

It does not include other fraudulent infrastructure, such as payment sites for ransomware (TorrentLocker, Locky, Cerber etc) or malware distribution sites.

Initial Access

1 technique
T1566.002 Spearphishing Link (Evidence: 1)

These affiliates then spread Cerber themselves through vectors like spam or malvertising, and in return, earn a percentage of every ransom paid.

Command and Control

2 techniques
T1071 Application Layer Protocol (Evidence: 3)

This function used the public Ethereum API of "blockcypher.com" in order to get the last Transaction ID related to the hardcoded Ethereum address... The "blockcypher.com" Ethereum API is used again to retrieve the transaction information and the malicious URL is extracted from the JSON "script" field.

As part of our research into how cybercrime actors use the Ethereum blockchain for fraudulent means, we analyzed a DotNet downloader that retrieves the malicious payload from URLs stored inside Ethereum transactions.

T1105 Ingress Tool Transfer (Evidence: 1)

This method is used by ransomware strains like Cerber, operated by the threat actor crbr, who distributes builds of Cerber to the affiliates, or actors participating in the partnerka.

Impact

1 technique
T1486 Data Encrypted for Impact (Evidence: 1)

While WannaCry might be seen as a failed operation from a financial perspective for the attackers ... the epidemic has raised the profile of ransomware; both to the general public and likely for the cybercriminal fraternity as well. Ransomware has already experienced great success ... because it simply works. People will pay ransom demands to get their encrypted files back.

INDICATORS OF COMPROMISE

IOCs tracked for this family

23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 16 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 3 tracked

Other indicator types observed in public reporting.

What this page doesn’t show

The version that knows your environment.

This page is what's public. Mallory adds the parts that aren't: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching (23)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (5)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.