{
	"id": "eb2ae2b8-bb3b-4675-89a8-6d6d3eb32e13",
	"created_at": "2026-04-06T00:18:30.803954Z",
	"updated_at": "2026-04-10T03:36:48.455283Z",
	"deleted_at": null,
	"sha1_hash": "46206be900ca601a5c0b90f90a1ff46e8185d48a",
	"title": "Magniber ransomware gang now exploits Internet Explorer flaws in attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2233164,
	"plain_text": "Magniber ransomware gang now exploits Internet Explorer flaws in attacks\nBy Bill Toulas\nPublished: 2021-11-11 · Archived: 2026-04-05 16:46:49 UTC\n\nThe Magniber ransomware gang is now using two Internet Explorer vulnerabilities and malicious advertisements to infect users and encrypt their devices.\n\nThe two Internet Explorer vulnerabilities are tracked as CVE-2021-26411 and CVE-2021-40444, and both carry a CVSS v3 severity score of 8.8.\n\nThe first, CVE-2021-26411, was fixed in March 2021 and is a memory corruption flaw triggered by viewing a specially crafted website.\n\nThe second, CVE-2021-40444, is a remote code execution flaw in MSHTML, IE's rendering engine, triggered by opening a malicious document.\n\nAttackers exploited CVE-2021-40444 as a zero-day before Microsoft fixed it in September 2021.\n\nMagniber shifting focus\n\nThe Magniber gang is known for exploiting vulnerabilities to breach systems and deploy its ransomware.\n\nIn August, Magniber was observed exploiting the 'PrintNightmare' vulnerabilities to breach Windows servers; those flaws took Microsoft a while to address because the fixes affected printing.\n\nIts most recent activity focuses on exploiting Internet Explorer vulnerabilities through malvertising that pushes exploit kits, as confirmed by Tencent Security researchers who identified \"fresh\" payloads.\n\nOne possible explanation for this shift is that Microsoft has largely fixed the 'PrintNightmare' vulnerabilities over the past four months, and the heavy media coverage pushed admins to deploy the security updates.\n\nAnother reason Magniber may have turned to Internet Explorer flaws is that they are relatively easy to trigger: they rely solely on piquing the victim's curiosity to open a file or visit a web page.\n\nIt may seem strange to target an old, unpopular browser like Internet Explorer. However, StatCounter shows that 1.15% of global page views still come from IE.\n\nWhile this is a low percentage, StatCounter tracks over 10 billion page views per month, so it equates to roughly 115,000,000 page views by Internet Explorer users.\n\nFurthermore, it is much harder to target Firefox and Chromium-based browsers such as Google Chrome and Microsoft Edge, because their auto-update mechanisms quickly protect users from known vulnerabilities, whereas an unpatched IE install stays exploitable until the corresponding Windows update is applied.\n\nThreat to Asian firms\n\nMagniber started in 2017 as the successor to the Cerber ransomware and initially infected only users in South Korea.\n\nThe group then widened its targeting and began infecting systems in China (including Taiwan and Hong Kong), Singapore, and Malaysia as well.\n\nMagniber ransom note (image)\n\nThis scope has solidified, and today Magniber is a nuisance almost exclusively for Asian companies and organizations.\n\nSince its launch, the Magniber ransomware has been under very active development, and its payload has been completely rewritten three times.\n\nAt this time, it remains uncracked, so there is no decryptor to help restore files encrypted by this strain.\n\nFinally, Magniber is not following the trend of data theft and double extortion, so the damage from its attacks is limited to file encryption.\n\nAs such, taking regular backups on secured, isolated systems is a very effective way to deal with this particular threat.\n\nSource: https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks/"
	],
	"report_names": [
		"magniber-ransomware-gang-now-exploits-internet-explorer-flaws-in-attacks"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/46206be900ca601a5c0b90f90a1ff46e8185d48a.pdf",
		"text": "https://archive.orkl.eu/46206be900ca601a5c0b90f90a1ff46e8185d48a.txt",
		"img": "https://archive.orkl.eu/46206be900ca601a5c0b90f90a1ff46e8185d48a.jpg"
	}
}