Magniber
Magniber is a ransomware family commonly known as Magniber and closely associated with the Magnitude Exploit Kit, which has distributed it since 2017 as a replacement for Cerber.
Profile source: Mallory opens in a new tabMagniber
Family profile
Magniber is a ransomware family commonly known as Magniber and closely associated with the Magnitude Exploit Kit, which has distributed it since 2017 as a replacement for Cerber. Reported delivery vectors in the provided content include adult-themed malvertising campaigns targeting vulnerable Microsoft Windows and Internet Explorer users, exploitation of Internet Explorer and Windows vulnerabilities such as CVE-2021-26411 and CVE-2020-0986, exploitation of CVE-2019-1367 by Magnitude EK, fake software updates, and a signed AppX package masquerading as a Microsoft Edge update. The content also states that Magniber actors exploited Windows Mark-of-the-Web bypass CVE-2022-41091 and separately exploited CVE-2022-44698, and that ransomware groups including Magniber exploited Windows Print Spooler flaws CVE-2021-1675 and CVE-2021-34527 in the wild.
Behaviorally, Magniber enumerates logical drives, recursively encrypts selected file types, excludes certain folders and hidden, system, readonly, temporary, and virtual files, and drops ransom notes in affected folders as well as an additional note in %PUBLIC%, which it opens with notepad.exe. The current version described in the content generates per-file AES-128 keys and IVs locally using a custom PRNG and encrypts them with an embedded RSA public key. It also opens a victim-specific payment page and exfiltrates deployment metadata including encrypted-file counts, total encrypted size, encrypted-drive counts, total encountered files, Windows version, victim identifier, and Magniber version. It attempts to delete shadow copies using UAC bypass techniques involving CompMgmtLauncher.exe on older systems and ComputerDefaults.exe plus DelegateExecute on Windows 10. One reported bug affects files whose size is a multiple of 0x100000 bytes, potentially making them unrecoverable even for the attackers.
The content links Magniber strongly to South Korea and, at times, Taiwan and Japan, while earlier Magnitude campaigns also targeted Hong Kong, Singapore, the United States, and Malaysia. It is described as one of the most prevalent ransomware families in some telemetry, accounting for 62% of detected ransomware cases in one Q4 2024 report. Additional sample analysis in the content describes a Magniber-linked AppX package containing a .NET executable and an obfuscated DLL using manual syscalls, jump-heavy control flow, and behavior consistent with memory allocation and possible unpacking or injection. Indicators explicitly provided in the content include the AppX sample edge_update.appx; executable eediwjus.exe with SHA-256 ad4f74c0c3ac37e6f1cf600a96ae203c38341d263dbac0741e602686794c4f5a; DLL eediwjus.dll with SHA-256 f423bd6daae6c8002acf5c203267e015f7beb4c52ed54a78789dd86ab35e46c6; and Magnitude-related infrastructure examples such as binlo[.]info, fab9z1g6f74k.tooharm[.]xyz, 6za16cb90r370m4u1ez.burytie[.]top, bluegas[.]website, and pophot[.]website.
Ransomware.live
Operational record
Exploited software
Vulnerabilities linked to Magniber
8 CVEsMITRE ATT&CK
Magniber in ATT&CK
15 distinct techniquesReporting
Research mentioning Magniber
May 2026 Threat Trend Report on Ransomware - ASEC
The decline in detections since August 2023 was attributed to the suspension of Magniber’s distribution.
Internet Explorer CVE-2019-1367 In the wild Exploitation - prelude
Magnitude EK has been there since 2013, and known to drop very known ransomware families including: Locky, Cerber, Magniber, CryptoWall, GranCrab..
Move, Patch, Get Out the Way: 2022 Zero-Day Exploitation Continues at an Elevated Pace | Google Cloud Blog
"Open sources indicated that the Magniber ransomware group exploited CVE-2022-41091... Separately... exploited CVE-2022-44698..."
Sekoia.io mid-2023 Ransomware Threat Landscape
...Royal, Magniber and Revil were also previously reported to be spread via malvertising.
Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days
It was recently discovered as weaponized by the Magniber ransomware actor to target users with fake software updates.
Microsoft’s November 2022 Patch Tuesday Addresses 62 CVEs
Researchers at HP observed the Magniber ransomware group exploiting this vulnerability in the wild.
JSAC 2022 -Day 1-
Rintaro and Hajime gave an update on an exploit kit called Magnitude Exploit Kit observed in 2021 and the analysis results of ransomware called Magniber, which is executed by this kit.
Analyzing a Magnitude EK Appx Package Dropping Magniber | Tony Lambert
In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber.