{
	"id": "da6c242a-5116-47e9-8a8b-262915eb5d78",
	"created_at": "2026-04-06T00:11:44.528249Z",
	"updated_at": "2026-04-10T13:12:59.922033Z",
	"deleted_at": null,
	"sha1_hash": "3b9d0ba932892b82375b47f066be5f8b1fafb61a",
	"title": "Magniber Ransomware Caught Using PrintNightmare Vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 545825,
	"plain_text": "Magniber Ransomware Caught Using PrintNightmare\r\nVulnerability\r\nBy Liviu Arsene\r\nArchived: 2026-04-05 22:33:11 UTC\r\n2017 Magniber ransomware makes a comeback using the same methods: exploiting unpatched\r\nvulnerabilities on South Korean victims\r\nIn July 2021, CrowdStrike identified Magniber ransomware attempting to use a known PrintNightmare\r\nvulnerability to compromise victims\r\nCrowdStrike detects and protects against both the exploitation of the PrintNightmare vulnerability and the\r\nMagniber ransomware\r\nCrowdStrike recently observed new activity related to a 2017 ransomware family, known as Magniber, using the\r\nPrintNightmare vulnerability on victims in South Korea. On July 13, CrowdStrike successfully detected and\r\nprevented attempts at exploiting the PrintNightmare vulnerability, protecting customers before any encryption\r\ntakes place. When the PrintNightmare (CVE-2021-34527) vulnerability was disclosed, CrowdStrike intelligence\r\nassessed the vulnerability will likely be used by threat actors as it allowed for possible remote code execution\r\n(RCE) and local privilege escalation (LPE). This assessment proved accurate in light of the recent incident. Using\r\nmitigations that target the tactics and techniques used by adversaries to compromise endpoints, the CrowdStrike\r\nFalcon® platform provides layered coverage against threats by using machine learning (on-sensor and in the\r\ncloud) and indicators of attack (IOAs) to identify malicious processes or files associated with known or unknown\r\nthreats.\r\nA Timeline for the PrintNightmare Vulnerability\r\nJune 8, 2021: The PrintNightmare (CVE-2021-1675) vulnerability was initially discovered and reported to\r\nMicrosoft on June 8, by security researchers working for three different companies. 
Their research involved\r\nattempting to bypass a previous patch addressing the “PrintDemon” (CVE-2020-1048) vulnerability.\r\nJune 21, 2021: While Microsoft released a patch for CVE-2021-1675, as part of Microsoft’s June 2021 Patch\r\nTuesday, no additional information regarding how to exploit the vulnerability was made public. At the time, it was\r\nbelieved the vulnerability could only be exploited by a locally authenticated user. However, the vulnerability was\r\nelevated to Critical on June 21 by Microsoft, as it was determined it could allow for RCE. June 29, 2021:\r\nIndependently, one of three additional security researchers investigating a similar bug in the Windows Print\r\nSpooler service inadvertently published a proof of concept (POC) exploiting the (CVE-2021-1675) vulnerability\r\non a GitHub repository, on June 29. While the error was shortly corrected, the GitHub repo was reportedly forked\r\nand the POC made it into the wild, potentially leading to abuse by attackers. July 1, 2021: Although Microsoft\r\naddressed the CVE-2021-1675 vulnerability by issuing a patch, the leaked POC exploited a different attack vector\r\nthat triggered the Print Spooler vulnerability. As of July 1, several different proofs of concept exploiting the\r\nPrinter Spooler vulnerability were made public. Consequently, a second CVE (CVE-2021-34527) was created on\r\nhttps://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/\r\nPage 1 of 5\n\nJuly 1, with Microsoft stating that “CVE-2021-1675 is similar but distinct from CVE-2021-34527.” July 6, 2021:\r\nOn July 6, Microsoft issued an out-of-band (OOB) update attempting to mitigate the CVE-2021-34527\r\nvulnerability, but hours later security researchers found that it was again possible to bypass imposed mitigations\r\nunder certain conditions. 
Popular exploit tools, such as Metasploit and Mimikatz, started incorporating the exploit\r\ncode, paving the way for adversary weaponization of a yet unpatched vulnerability.\r\nA Primer on Magniber Ransomware\r\nMagniber ransomware was first spotted in late 2017 targeting victims in South Korea through malvertising\r\ncampaigns using the Magnitude Exploit Kit (EK). Previous Magniber campaigns went through significant efforts\r\nto only infect victims in South Korea, although in mid-2018 it was also spotted targeting victims in other Asia\r\nPacific countries.\r\nMagnitude Exploit Kit (EK) operators initially used the Cerber ransomware exclusively before turning to\r\nMagniber, which is believed to be the successor of Cerber. The most popular infection vector for Magniber\r\ninvolved the use of unpatched vulnerabilities, such as Internet Explorer exploits (CVE-2018-8174, CVE-2021-\r\n26411, CVE-2020-0968, CVE-2019-1367) or Flash (CVE-2018-8174) vulnerabilities, infecting victims through\r\ncompromised websites or drive-by downloads.\r\nWhile the Magniber ransomware only seems to target the Republic of Korea, it has been active since 2017. Our\r\nFalcon OverWatch™ team also spotted more recent activity from Magniber in early February 2021, exploiting an\r\nInternet Explorer vulnerability (CVE-2020-0968) to exclusively compromise South Korean victims. Magniber\r\nwas under active development to include new obfuscation features, evasion tactics and encryption mechanisms\r\nthat made the encryption more robust, showing up in sporadic campaigns over the years. Its developers also went\r\nthrough a significant effort to limit infections to Asia Pacific countries by including various language checks.\r\nThe new incident involving Magniber ransomware using the recent PrintNightmare Printer Spooler vulnerability\r\nis surprising, but not uncommon considering the impact of the vulnerability. 
Several POCs have been in\r\ncirculation since the issue was reported, and it was only a matter of time until adversaries attempted to leverage it\r\nto compromise victims and deliver malicious payloads.\r\nThe Falcon OverWatch team constantly hunts for adversary attempts trying to exploit the PrintNightmare\r\nvulnerability and recently spotted an endeavor to exploit it. A malicious DLL was written to the folder\r\n\\Device\\HarddiskVolume2\\Windows\\System32\\spool\\DRIVERS\\x64\\3\\New\\ after which it was loaded into the\r\nspoolsv.exe process. The DLL itself is associated with the Magniber ransomware and is responsible for\r\ndeobfuscating the core ransomware DLL and injecting it into a remote process.\r\nOur IOA coverage that we released as part of the PrintNightmare research successfully triggers due to this action,\r\nand prevents this operation, as seen in the screenshot below.\r\nCrowdStrike’s behavior-based detection using IOAs successfully prevented the core ransomware DLL from being\r\ninjected, thwarting the malicious activity before any encryption took place on the endpoint.\r\nAnalyzing the behavior of the malicious ransomware sample reveals the same Magniber behavior observed in the\r\npast by CrowdStrike security researchers: exploiting a vulnerability, dropping an obfuscated DLL loader, injecting\r\nthe loader into a process and then unpacking the core DLL loader that performs local file traversal and\r\nencryption — which is on par with the known Magniber modus operandi.\r\nThe dropped ransom note does not reveal anything new about the operators behind this incident or the ransom\r\npayment amount. 
Instead, it provides instructions on contacting the ransomware operators for potential negotiation\r\nand warns victims they have a limited amount of time to contact them for decryption before the links expire.\r\nCrowdStrike Falcon® Protection\r\nCrowdStrike Falcon® takes a layered approach to protecting endpoints that are most valuable to organizations by\r\nemploying machine learning and behavior-based protection. The critical Windows Print Spooler vulnerability,\r\nPrintNightmare, is something that potentially affects all Windows hosts, which is why CrowdStrike customers are\r\nencouraged to review their prevention policies in accordance with best practices and get Falcon Spotlight™\r\nvulnerability management to identify risks related to this. If you are not a customer, you can start a free trial of\r\nFalcon Spotlight today.\r\nCrowdStrike Falcon® leverages machine learning and IOAs to identify malicious behavior of processes or files\r\nwhen dealing with new or unknown threats. This video\r\ndemonstrates Falcon’s capabilities to successfully detect and block the Magniber ransomware DLL. First, learn\r\nhow Falcon detects Magniber DLL using cloud machine learning written to disk and when injected into a remote\r\nprocess. Then, see a demo of Falcon’s ability to block the Magniber ransomware, when all prevention and\r\nprotection policies are enabled according to best practices. The Falcon sensor immediately blocks the malicious\r\nMagniber behavior, protecting the endpoint. CrowdStrike continuously monitors the tactics, techniques and\r\nprocedures (TTPs) associated with over 160 identified threat actors and numerous unnamed groups and threats,\r\nand incorporates that intelligence into the Falcon platform. 
CrowdStrike estimates that the PrintNightmare\r\nvulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat\r\nactors. We encourage organizations to always apply the latest patches and security updates to mitigate known\r\nvulnerabilities and adhere to security best practices to strengthen their security posture against threats and\r\nsophisticated adversaries.\r\nIndicators of Compromise (IOCs)\r\nAdditional Resources\r\nLearn how Falcon Spotlight can help you discover and manage vulnerabilities within your organization.\r\nWatch how to use Falcon Spotlight and Falcon Real Time Response (RTR) for emergency patching.\r\nVisit the CrowdStrike Falcon® Identity Protection solutions webpage.\r\nRequest a demo of CrowdStrike Falcon® Zero Trust or Falcon Identity Threat Detection products.\r\nSource: https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/"
	],
	"report_names": [
		"magniber-ransomware-caught-using-printnightmare-vulnerability"
	],
	"threat_actors": [],
	"ts_created_at": 1775434304,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b9d0ba932892b82375b47f066be5f8b1fafb61a.pdf",
		"text": "https://archive.orkl.eu/3b9d0ba932892b82375b47f066be5f8b1fafb61a.txt",
		"img": "https://archive.orkl.eu/3b9d0ba932892b82375b47f066be5f8b1fafb61a.jpg"
	}
}