Skip to content
Ransomware group

Magniber

Magniber is a ransomware family commonly known as Magniber and closely associated with the Magnitude Exploit Kit, which has distributed it since 2017 as a replacement for Cerber.

Profile source: Mallory opens in a new tab

Magniber

Family profile

Magniber is a ransomware family commonly known as Magniber and closely associated with the Magnitude Exploit Kit, which has distributed it since 2017 as a replacement for Cerber. Reported delivery vectors in the provided content include adult-themed malvertising campaigns targeting vulnerable Microsoft Windows and Internet Explorer users, exploitation of Internet Explorer and Windows vulnerabilities such as CVE-2021-26411 and CVE-2020-0986, exploitation of CVE-2019-1367 by Magnitude EK, fake software updates, and a signed AppX package masquerading as a Microsoft Edge update. The content also states that Magniber actors exploited Windows Mark-of-the-Web bypass CVE-2022-41091 and separately exploited CVE-2022-44698, and that ransomware groups including Magniber exploited Windows Print Spooler flaws CVE-2021-1675 and CVE-2021-34527 in the wild.

Behaviorally, Magniber enumerates logical drives, recursively encrypts selected file types, excludes certain folders and hidden, system, readonly, temporary, and virtual files, and drops ransom notes in affected folders as well as an additional note in %PUBLIC%, which it opens with notepad.exe. The current version described in the content generates per-file AES-128 keys and IVs locally using a custom PRNG and encrypts them with an embedded RSA public key. It also opens a victim-specific payment page and exfiltrates deployment metadata including encrypted-file counts, total encrypted size, encrypted-drive counts, total encountered files, Windows version, victim identifier, and Magniber version. It attempts to delete shadow copies using UAC bypass techniques involving CompMgmtLauncher.exe on older systems and ComputerDefaults.exe plus DelegateExecute on Windows 10. One reported bug affects files whose size is a multiple of 0x100000 bytes, potentially making them unrecoverable even for the attackers.

The content links Magniber strongly to South Korea and, at times, Taiwan and Japan, while earlier Magnitude campaigns also targeted Hong Kong, Singapore, the United States, and Malaysia. It is described as one of the most prevalent ransomware families in some telemetry, accounting for 62% of detected ransomware cases in one Q4 2024 report. Additional sample analysis in the content describes a Magniber-linked AppX package containing a .NET executable and an obfuscated DLL using manual syscalls, jump-heavy control flow, and behavior consistent with memory allocation and possible unpacking or injection. Indicators explicitly provided in the content include the AppX sample edge_update.appx; executable eediwjus.exe with SHA-256 ad4f74c0c3ac37e6f1cf600a96ae203c38341d263dbac0741e602686794c4f5a; DLL eediwjus.dll with SHA-256 f423bd6daae6c8002acf5c203267e015f7beb4c52ed54a78789dd86ab35e46c6; and Magnitude-related infrastructure examples such as binlo[.]info, fab9z1g6f74k.tooharm[.]xyz, 6za16cb90r370m4u1ez.burytie[.]top, bluegas[.]website, and pophot[.]website.

Ransomware.live

Operational record

View group record ↗

Exploited software

Vulnerabilities linked to Magniber

8 CVEs

MITRE ATT&CK

Magniber in ATT&CK

15 distinct techniques

Reporting

Research mentioning Magniber

Jun 18
Ahnlab Asec

May 2026 Threat Trend Report on Ransomware - ASEC

The decline in detections since August 2023 was attributed to the suspension of Magniber’s distribution.

Apr 14
Confiant

Internet Explorer CVE-2019-1367 In the wild Exploitation - prelude

Magnitude EK has been there since 2013, and known to drop very known ransomware families including: Locky, Cerber, Magniber, CryptoWall, GranCrab..

Mar 25
Mandiant Threat Intelligence

Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace | Google Cloud Blog

"Open sources indicated that the Magniber ransomware group exploited CVE-2022-41091... Separately... exploited CVE-2022-44698..."

Sep 14
Sekoia

Sekoia.io mid-2023 Ransomware Threat Landscape

...Royal, Magniber and Revil were also previously reported to be spread via malvertising.

Nov 9
The Hacker News

Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.

Nov 8
Tenable

Microsoft’s November 2022 Patch Tuesday Addresses 62 CVEs

Researchers at HP observed the Magniber ransomware group exploiting this vulnerability in the wild.

Mar 22
Jpcert

JSAC 2022 -Day 1-

Rintaro and Hajime gave an update on an exploit kit called Magnitude Exploit Kit observed in 2021 and the analysis results of ransomware called Magniber, which is executed by this kit.

Jan 2
Forensicitguy

Analyzing a Magnitude EK Appx Package Dropping Magniber | Tony Lambert

In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.