{
	"id": "ac5dc9c7-3b94-4d85-a630-da8efd6f0951",
	"created_at": "2026-04-06T00:09:32.211478Z",
	"updated_at": "2026-04-10T03:34:18.772096Z",
	"deleted_at": null,
	"sha1_hash": "60433dd8702a2f1705ba036f14c37526d4dc3404",
	"title": "Threat Analysis Report: PrintNightmare and Magniber Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 878079,
	"plain_text": "Threat Analysis Report: PrintNightmare and Magniber\r\nRansomware\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-05 23:19:44 UTC\r\nThe Cybereason Global Security Operations Center (GSOC) issues Cybereason Threat Analysis reports to inform\r\non impacting threats. The Threat Analysis reports investigate these threats and provide practical recommendations\r\nfor protecting against them.\r\nIn this Threat Analysis Report, the Cybereason GSOC Team investigates infections with a recent version of the\r\nMagniber ransomware in which the initial attack vector against the compromised systems is the exploitation of the\r\nnotorious PrintNightmare vulnerability described in CVE-2021-34527.\r\nKey Findings\r\nCritical Vulnerabilities: CVE-2021-34527 and CVE-2021-34481 are critical, remotely exploitable vulnerabilities\r\nin the Windows Print Spooler service that allow attackers to execute arbitrary code with administrative privileges\r\non target systems. The vulnerabilities exist in the Point and Print capability on Windows systems and allow non-privileged users to install or update remote printers. CVE-2021-34527 and CVE-2021-34481 are collectively\r\nreferred to as PrintNightmare.\r\nSignificant Ransomware Threat to Corporate Networks: Shortly after the public disclosure of PrintNightmare\r\nCVE-2021-34527, malicious actors started exploiting this vulnerability. Ransomware groups find PrintNightmare\r\nparticularly attractive:\r\nPrintNightmare enables attackers to execute arbitrary code with administrative privileges.\r\nCVE-2021-34527 exists in the Point and Print Windows capability, which many large corporate\r\nnetworks actively use. Ransomware groups typically target large corporate networks. 
Further, these\r\nlarge corporate networks often have many non-privileged users who use remote printers.\r\nThe Magniber Ransomware and PrintNightmare: Malicious actors deploy the Magniber ransomware on\r\ncompromised systems by exploiting PrintNightmare CVE-2021-34527. The Magniber ransomware is\r\ncontinuously under active development, with frequent significant code changes and improvements to obfuscation\r\nfeatures, evasion tactics, and encryption mechanisms. \r\nDetected and Prevented: The Cybereason Defense Platform detects and prevents the Magniber ransomware.\r\nCybereason Managed Detection and Response (MDR): The Cybereason GSOC has zero tolerance towards\r\nattacks that involve ransomware groups, such as Magniber, and categorizes such attacks as critical, high-severity\r\nincidents. The Cybereason GSOC MDR team issues a comprehensive report to customers when such an incident\r\noccurs. The report provides an in-depth overview of the incident, which helps to scope the extent of compromise\r\nhttps://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware\r\nPage 1 of 19\n\nand the impact on the customer’s environment. In addition, the report provides attribution information when\r\npossible as well as recommendations for mitigating and isolating the threat.\r\nIntroduction\r\nPrintNightmare CVE-2021-34527 is a critical vulnerability in the Windows Print Spooler service that allows\r\nattackers to execute arbitrary code with administrative privileges on target systems. 
An adversary who\r\nsuccessfully exploits CVE-2021-34527 could achieve full control over a target system by executing, for example,\r\na dynamic link library (DLL) or a Windows executable with administrative privileges.\r\nThe CVE-2021-34527 vulnerability exists in the Point and Print capability of Windows systems, which allows\r\nnon-privileged users to install or update remote printers, without disks or other installation media, by establishing\r\na connection to a remote printer. \r\nFollowing the public disclosure of the CVE-2021-34527 vulnerability on July 1, 2021, Microsoft released an Out-of-Band Security Update addressing the vulnerability on July 6, 2021. Then, on July 15, 2021, Microsoft publicly\r\ndisclosed another critical vulnerability in the Print Spooler service: CVE-2021-34481. As with CVE-2021-34527,\r\nthis vulnerability exists in the Point and Print capability and allows non-privileged users to execute arbitrary code\r\nwith administrative privileges.\r\nDue to their similarities, CVE-2021-34527 and CVE-2021-34481 are now collectively referred to as\r\nPrintNightmare. To address the PrintNightmare vulnerabilities, Microsoft released an update on August 10, 2021\r\nthat modifies the behavior of Point and Print such that non-privileged users cannot install or update printers.\r\nShortly after the public disclosure of PrintNightmare CVE-2021-34527, malicious actors started exploiting the\r\nvulnerability. 
Ransomware groups find PrintNightmare particularly attractive because this vulnerability enables\r\nthe execution of arbitrary code with administrative privileges.\r\nIn addition, the PrintNightmare vulnerabilities exist in the Windows Point and Print capability, which is actively\r\nused in large corporate networks, which are frequent targets of ransomware groups and where the use of remote\r\nprinters by non-privileged users is common.\r\nFor example, the ransomware groups Vice Society and Magniber actively exploited CVE-2021-34527 to deploy\r\nransomware shortly after the public disclosure of the vulnerability. Ransomware groups often exploit newly\r\ndisclosed vulnerabilities to deploy ransomware before vendors publicly release patches.\r\nThreat researchers first observed the Magniber ransomware on compromised systems in 2017. At that time,\r\nmalicious actors delivered Magniber primarily via the Magnitude exploit kit, which had often been used for\r\ndelivering the Cerber, Locky, and Cryptowall ransomware.\r\nEarly versions of the Magniber ransomware targeted only Korean systems, since the ransomware only executed on\r\noperating systems where the system language was set to Korean. However, the Magniber ransomware is\r\ncontinuously under active development, with frequent significant code changes and improvements to obfuscation\r\nfeatures, evasion tactics, and encryption mechanisms.\r\nMore recent implementations of the Magniber ransomware do not restrict the ransomware to Korean systems or to\r\nany specific geographical region. The Magniber ransomware may be executed on any system, irrespective of the\r\nsystem’s geographical location.\r\nPrintNightmare and Magniber Ransomware Analysis\r\nPrintNightmare CVE-2021-34527 is present in the Windows Print Spooler service, which executes as the\r\nspoolsv.exe process in Windows systems. 
An adversary who successfully exploits CVE-2021-34527 could achieve\r\nfull control over a target system by executing arbitrary code, such as a dynamic link library (DLL) or a Windows\r\nexecutable, with administrative privileges.\r\nThe adversary must be authenticated to the Print Spooler service to take advantage of CVE-2021-34527. The\r\nRpcAddPrinterDriverEx function, implemented in the Print Spooler service, allows authenticated users to deploy\r\narbitrary DLLs or Windows executables on systems where the Print Spooler service runs and execute these files\r\nwith administrative (SYSTEM) privileges. According to the CERT Coordination Center at Carnegie Mellon\r\nUniversity:\r\nThe RpcAddPrinterDriverEx() function is used to install a printer driver on a system. One of the parameters to this\r\nfunction is the DRIVER_CONTAINER object, which contains information about which driver is to be used by the\r\nadded printer. The other argument, dwFileCopyFlags, specifies how replacement printer driver files are to be\r\ncopied. An attacker can take advantage of the fact that any authenticated user can call RpcAddPrinterDriverEx()\r\nand specify a driver file that lives on a remote server. This results in the Print Spooler service spoolsv.exe\r\nexecuting code in an arbitrary DLL file with SYSTEM privileges.\r\nWhen an adversary exploits CVE-2021-34527, the Print Spooler service writes any attacker-provided DLL in the\r\n%SYSTEM%\\System32\\spool\\drivers\\ directory (for example, in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New).\r\nThe vulnerable Print Spooler service (spoolsv.exe) then loads and executes the attacker-provided DLL with\r\nadministrative privileges.\r\nThe actors behind the Magniber ransomware distribute the ransomware in the form of a Windows DLL file. They\r\ntake advantage of CVE-2021-34527 to deploy and execute this DLL file on compromised systems. 
By exploiting\r\nCVE-2021-34527, adversaries write the DLL file of the Magniber ransomware in the\r\n%SYSTEM%\\System32\\spool\\drivers\\ directory (for example, in C:\\Windows\\System32\\spool\\drivers\\x64\\3\\New)\r\nand execute it in the context of the Print Spooler service:\r\nThe Print Spooler service writes the attacker-provided calc.dll file (the DLL that implements the Magniber\r\nransomware) when malicious actors exploit CVE-2021-34527\r\nThe following chart provides an overview of the operation of the Magniber ransomware, implemented as a 64-bit\r\nDLL, referred to as Magniber DLL:\r\nOverview of the operation of the Magniber ransomware\r\nWhen executed in the context of spoolsv.exe, the Magniber ransomware first unpacks code stored in its data\r\nsection. The ransomware then enumerates all running processes on the compromised system to identify processes\r\nin which the ransomware can inject the unpacked code. Magniber injects the unpacked code into each process that\r\nfulfills the following criteria:\r\nThe name of the process is not iexplore.exe.\r\nThe process integrity level is less than SYSTEM.\r\nThe process is not running in the WoW64 environment. 
WoW64 is a subsystem of the Windows\r\noperating system that enables the execution of 32-bit applications on 64-bit Windows operating\r\nsystems.\r\nMagniber also executes the unpacked code in the context of spoolsv.exe itself as a backup mechanism that\r\nguarantees the execution of the code if the ransomware cannot inject the code into a process.\r\nTo inject the unpacked code into a process, the Magniber ransomware invokes the following sequence of\r\nWindows system calls: \r\nNtCreateSection: The Magniber ransomware creates a new memory section that has RWX\r\n(read/write/execute) protection. \r\nNtMapViewOfSection: Magniber maps the memory section in the virtual address space of the\r\nprocess in which the ransomware executes (i.e., spoolsv.exe) with RWX (read/write/execute)\r\nprotection. The ransomware then writes the unpacked code into the mapped memory section.\r\nNtMapViewOfSection: Magniber maps the memory section in the virtual address space of the\r\nprocess in which the ransomware injects code (for example, sihost.exe) with RWX protection. The\r\ncode that Magniber has written in the memory section mapped in the virtual address space of\r\nspoolsv.exe is now mirrored (i.e., injected) in the memory section mapped in the virtual address\r\nspace of sihost.exe. \r\nNtCreateThreadEx: Magniber creates a thread in the context of sihost.exe, also known as a remote\r\nthread, and then suspends the execution of that thread.\r\nNtGetContextThread: Magniber retrieves the context of the newly created remote thread. Thread\r\ncontext is data related to the operation of the thread, which includes the values of the registers\r\nassociated with the thread, such as the thread’s instruction pointer register (rip).\r\nNtSetContextThread: Magniber sets the value of the remote thread’s rip to the virtual address at\r\nwhich the memory section is mapped in the virtual address space of sihost.exe. 
This causes the\r\nremote thread to execute the code stored in this memory section when the thread resumes execution.\r\nNtResumeThread: Magniber resumes the execution of the remote thread. This executes the injected\r\ncode in the context of sihost.exe.\r\nThe Magniber ransomware does not execute Windows system calls by invoking functions implemented in the\r\nDLL file ntdll.dll for that purpose, such as NtCreateSection or NtMapViewOfSection. Instead, the ransomware\r\ninvokes assembly code that first switches the execution context to the kernel and then executes the system call\r\nroutines implemented as part of the kernel, a technique known as direct system call execution. This technique is\r\nused to avoid detection by security mechanisms that monitor Windows system call execution via hooks in\r\nntdll.dll.\r\nTo directly execute a system call, the Magniber ransomware allocates a memory region in its virtual address space\r\nand stores in this region the assembly language opcodes that conduct the direct execution of the system call in\r\nWindows systems. The ransomware then executes the content of the memory region, therefore directly executing\r\nthe system call.\r\nOn 64-bit Windows systems, direct system call execution involves storing the system call identification number\r\n(system call ID, a number that uniquely identifies the system call) in the eax register and then invoking the syscall\r\ninstruction. 
The system call ID of a specific system call may differ for different releases and builds of Windows\r\nsystems.\r\nTo use the correct system call ID when directly executing a given system call, the Magniber ransomware\r\ndifferentiates between Windows releases (for example, Windows 10 or pre-Windows 10 systems, such as\r\nWindows 7), down to specific build numbers (for example, Windows 10 build 18363 or build 17763):\r\nThe Magniber ransomware conducts direct system call execution (direct execution of the NtCreateSection system\r\ncall)\r\nOnce injected and executed in the context of a remote thread, the code first unpacks itself and then executes a\r\ncode segment. This code segment, referred to as the Magniber ransomware for simplicity, first creates and locks a\r\nmutex object named, for example, zarkzonn or dihlxbl, to ensure that only one instance of the Magniber\r\nransomware runs at a time.\r\nThis technique also prevents redundant executions of the same code injected into other processes. The name of the\r\nmutex object is different for different versions of the Magniber ransomware.\r\nThe Magniber ransomware then builds a string based on the computer name of the compromised system and the\r\nserial number of a volume present on the system. The ransomware then appends the name of the mutex object to\r\nthis string. The resulting string is specific to the compromised system and is called the compromised system\r\nidentifier.\r\nMagniber then enumerates drives with removable and fixed media that are attached to the compromised system, as\r\nwell as remote drives. These are drives for which the Windows Application Programming Interface (API) function\r\nGetDriveTypeW returns 0x2 (DRIVE_REMOVABLE), 0x3 (DRIVE_FIXED), or 0x4 (DRIVE_REMOTE), such as\r\nhard disks or network shares. 
For each such drive, the Magniber ransomware conducts file enumeration and\r\nencryption in two phases.\r\nIn the first phase, Magniber encrypts files that the ransomware considers higher encryption priority. These files\r\nhave one of 714 file name extensions, and include .doc and .xls. In the second phase, Magniber encrypts files that\r\nare of lower encryption priority. These files have one of 33 file name extensions, and include .zip and .swf. As an\r\nanti-analysis technique, the Magniber ransomware stores an obfuscated form of the file name extensions of files of\r\nhigher and lower encryption priority in its context.\r\nFile name extensions in obfuscated form\r\nIn both phases, the Magniber ransomware encrypts only files that are allowlisted for encryption. Magniber does\r\nnot encrypt the following files:\r\nFiles that have no file name extensions.\r\nFiles stored in the following directories: Documents and Settings, Winnt, AppData, Local Settings,\r\nSample Music, Sample Pictures, Sample Videos, Tor Browser, Recycle, Windows, Boot, Intel,\r\nMsocache, Perflogs, Program Files, ProgramData, Recovery, and System Volume Information.\r\nFiles stored in directories for which the Windows API function GetFileAttributesW returns\r\nFILE_ATTRIBUTE_SYSTEM, FILE_ATTRIBUTE_HIDDEN, or FILE_ATTRIBUTE_ENCRYPTED.\r\nFiles for which the Windows API function GetFileAttributesW returns\r\nFILE_ATTRIBUTE_SYSTEM, FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_READONLY,\r\nFILE_ATTRIBUTE_TEMPORARY, or FILE_ATTRIBUTE_VIRTUAL.\r\nFile or Directory Attribute: Description\r\nFILE_ATTRIBUTE_SYSTEM: A file or directory that the Windows operating system uses.\r\nFILE_ATTRIBUTE_HIDDEN: A hidden file or directory.\r\nFILE_ATTRIBUTE_ENCRYPTED: A file that the Encrypting File System (EFS) encrypts, or a directory in which the EFS encrypts every new file.\r\nFILE_ATTRIBUTE_READONLY: A read-only file.\r\nFILE_ATTRIBUTE_TEMPORARY: A file used for temporary storage.\r\nFILE_ATTRIBUTE_VIRTUAL: A file reserved for system use.\r\nAttributes of files and directories that Magniber does not encrypt\r\nThe Magniber ransomware encrypts files by applying a hybrid encryption approach that combines the use of the\r\nAdvanced Encryption Standard (AES) and the Rivest, Shamir, Adleman (RSA) encryption algorithms. This\r\napproach maximizes both encryption performance and security. The Magniber ransomware first encrypts a file by\r\nusing the symmetric encryption algorithm AES.\r\nAES is by design more performant but less secure than the RSA encryption algorithm. AES relies on a symmetric\r\nencryption key and an initialization vector (IV) for encryption security. To compensate for this disadvantage of\r\nAES, the ransomware then encrypts the AES symmetric key and IV by using the RSA encryption algorithm. The\r\nMagniber ransomware uses the Microsoft CryptoAPI for encryption.\r\nFor each file being encrypted, Magniber first generates two random arrays of 16 bytes. The first byte array is an\r\nAES symmetric encryption key and the second is an IV. The Magniber ransomware then encrypts equal-sized data\r\nblocks of the file being encrypted using the AES key and IV, such that each data block is 1048576 bytes in size.\r\nAfter encrypting a data block, the Magniber ransomware writes the encrypted form of the data block in the file,\r\nreplacing the original data block. 
This encryption procedure ends in Magniber encrypting the last data block of the\r\nfile, which may be less than 1048576 bytes in size, by setting the parameter final of the CryptEncrypt CryptoAPI\r\nfunction to 1:\r\nUnencrypted and encrypted form of a data block, encrypted using an AES key and IV\r\nAfter encrypting all file data blocks, Magniber concatenates the AES key and IV and encrypts the resulting data\r\nby using a 2048-bit RSA public key. The file that implements the Magniber ransomware also stores the public key.\r\nThe ransomware then appends the encrypted form of the concatenated AES key and IV to the end of the file.\r\nMagniber then changes the file name extension of the file being encrypted by appending a file name extension that\r\nis the same as the name of the mutex object that the ransomware creates, such as zarkzonn or dihlxbl. The\r\nransomware then proceeds to encrypt the next file designated for encryption.\r\nAfter it encrypts all files stored in a folder, the Magniber ransomware places a readme.txt file that contains a\r\nransom note in the folder. The ransom note contains Uniform Resource Locators (URLs) unique to the\r\ncompromised system such that the URL subdomain is the compromised system identifier that the ransomware\r\ngenerates.\r\nAccording to available open-source intelligence (OSINT), the URLs point to a payment website that instructs\r\nusers to purchase software called My Decryptor to restore the files that the ransomware has encrypted. 
The URLs\r\nin the ransom note that Magniber left on the systems that the Cybereason GSOC analyzed were unreachable:\r\nThe Magniber ransomware ransom note\r\nAfter finishing the two phases of file enumeration and encryption, if the Magniber ransomware has encrypted\r\nmore than 1000000 bytes in total, Magniber places the readme.txt file in the %PUBLIC% folder (for example,\r\nC:\\Users\\Public) and displays the file with the Notepad application (notepad.exe). Magniber also opens the\r\ndefault browser on the compromised system to display a payment website.\r\nBy doing this, Magniber also exfiltrates information about its operation on the compromised system by storing the\r\nfollowing values in URL query parameters:\r\nThe number of drives in which the ransomware has enumerated files.\r\nThe total size of encrypted data that the Magniber ransomware has generated (in bytes).\r\nThe number of files that the ransomware has encrypted.\r\nThe number of files that the ransomware has enumerated; this number includes both files that the\r\nransomware has encrypted and unencrypted files.\r\nThe build number of the compromised Windows operating system (e.g., 17763).\r\nThe Magniber ransomware exfiltrates information about its operation via URL query parameters\r\nThe Magniber ransomware then releases and closes the named mutex object it has previously locked, and executes\r\nthe command vssadmin.exe Delete Shadows /all /quiet to delete shadow copies so that encrypted files cannot be\r\nrecovered. 
Magniber executes this command with elevated privileges by bypassing Windows User Account\r\nControl (UAC), as follows:\r\nMagniber writes the command to be executed with elevated privileges in the (Default) registry value\r\nunder the registry key HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command on Windows 10\r\nsystems, or under the registry key HKCU\\Software\\Classes\\mscfile\\shell\\open\\command on earlier\r\nWindows releases.\r\nOn Windows 10 systems, Magniber creates the DelegateExecute registry value under the registry\r\nkey HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command.\r\nMagniber executes computerdefaults.exe on Windows 10 systems, or CompMgmtLauncher.exe on\r\nearlier Windows releases, by executing the following command:\r\ncmd.exe /c %SystemRoot%\\system32\\wbem\\wmic process call create \"/c computerdefaults.exe\" or\r\ncmd.exe /c %SystemRoot%\\system32\\wbem\\wmic process call \"create /c CompMgmtLauncher.exe\"\r\nThis, in turn, executes the command written in the (Default) registry value with elevated privileges.\r\nOne way in which Magniber deletes shadow copies is by writing the command C:\\Windows\\System32\\wbem\\wmic\r\nprocess call create \"vssadmin.exe Delete Shadow  /all /quiet\" in the (Default) registry value under the registry key\r\nHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command or\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command.\r\nAnother way in which Magniber deletes shadow copies on Windows 10 systems is by writing the JScript script\r\ndepicted below in the %PUBLIC%\\readme.txt file, followed by writing the command regsvr32.exe scrobj.dll /s /u\r\n/n /i:%PUBLIC%\\readme.txt in the (Default) registry value under the registry key HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command. 
After regsvr32.exe is finished executing, the Magniber ransomware deletes the\r\n%PUBLIC%\\readme.txt file.\r\nBoth approaches result in the execution of vssadmin.exe as a child process of the Windows Management\r\nInstrumentation (WMI) Provider Host process (wmiprvse.exe) with elevated privileges:\r\nA JScript script that executes vssadmin.exe\r\nThe Cybereason platform detects the Magniber ransomware deleting shadow copies. After deleting shadow\r\ncopies, the Magniber ransomware terminates its operation:\r\nThe Magniber ransomware deletes shadow copies\r\nDetection and Prevention\r\nPrintNightmare Vulnerabilities\r\nThe Cybereason GSOC recommends the following:\r\nUpdate your systems. Microsoft released an update that addresses the PrintNightmare\r\nvulnerabilities.\r\nDisable the Windows Print Spooler service if this service is not necessary. To do this, use one of the\r\nfollowing methods.\r\nExecute the following system command: net stop spooler\r\nExecute the following PowerShell command: Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled\r\nIf you do not want to disable the Print Spooler service, modify the SYSTEM user privileges so that\r\nthis user cannot write in the %SYSTEM%\\System32\\spool\\drivers\\ directory. This action effectively\r\nblocks the deployment of attacker-provided DLLs or Windows executables by exploiting\r\nPrintNightmare CVE-2021-34527. 
To do this, execute the following PowerShell script:\r\n$Path = \"C:\\Windows\\System32\\spool\\drivers\"\r\n$Acl = Get-Acl $Path\r\n$Ar = New-Object System.Security.AccessControl.FileSystemAccessRule(\"System\", \"Modify\", \"ContainerInherit, ObjectInherit\", \"None\", \"Deny\")\r\n$Acl.AddAccessRule($Ar)\r\n# Write the modified ACL back to the directory so that the deny rule takes effect\r\nSet-Acl -Path $Path -AclObject $Acl\r\nCheck for potential CVE-2021-34527 exploitation attempts by executing the following PowerShell\r\ncommand:\r\nGet-WinEvent -LogName 'Microsoft-Windows-PrintService/Admin' | Select-String -InputObject {$_.message} -Pattern 'The print spooler failed to load a plug-in module'. The presence of the\r\nfollowing log message indicates that the Print Spooler service has attempted to execute a DLL or a\r\nWindows executable, which an attacker may have provided when exploiting PrintNightmare: The\r\nprint spooler failed to load a plug-in module.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom\r\nhunting queries for detecting specific threats - to find out more about threat hunting and Managed\r\nDetection and Response with the Cybereason Defense Platform, contact a Cybereason Defender\r\nhere.\r\nFor Cybereason customers: More details available on the NEST including custom threat\r\nhunting queries for detecting this threat.\r\nMagniber Ransomware\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Ransomware feature of the Cybereason platform by setting it to Suspend or Prevent.\r\nThe Cybereason Defense Platform detects the Magniber ransomware using multi-layer protection\r\nthat detects and blocks ransomware with threat intelligence, machine learning, and next-gen\r\nantivirus (NGAV) capabilities.\r\nConsider additional, proactive ways for detecting the presence of the Magniber ransomware in\r\nsystems and defending against this threat, such as YARA-based detection or mutex object 
locking.\r\nThreat Hunting with Cybereason: The Cybereason MDR team provides its customers with custom\r\nhunting queries for detecting specific threats - to find out more about threat hunting and Managed\r\nDetection and Response with the Cybereason Defense Platform, contact a Cybereason Defender\r\nhere.\r\nFor Cybereason customers: More details available on the NEST including custom threat\r\nhunting queries for detecting this threat.\r\nThe Cybereason Defense Platform detects the Magniber ransomware based on threat intelligence\r\nThe Anti-Ransomware feature of the Cybereason Defense Platform detects the Magniber ransomware\r\nYARA-Based Detection\r\nThe following YARA rule is useful for detecting the presence of the Magniber ransomware in the context of\r\nrunning processes or in the filesystem:\r\nrule Magniber_ransomware\r\n{\r\nmeta:\r\n    description = \"YARA rule for identifying the Magniber ransomware.\"\r\n    author = \"Aleksandar Milenkoski\"\r\n    date = \"2021-08\"\r\nstrings:\r\n    $code1 = { C7 45 F0 4C 8B D1 B8 C7 45 F4 00 00 00 00 66 C7 45 F8 0F 05 C6 45 FA C3 }\r\n    $code2 = { 81 F9 39 38 00 00 ?? ?? ?? ?? ?? ?? 81 F9 D7 3A 00 00 ?? ?? ?? ?? ?? ?? 81 F9 AB 3F 00 00 ?? ?? ?? ?? ?? ?? 81 F9 EE 42 00 00 ?? ?? ?? ?? ?? ?? 81 F9 63 45 00 00 ?? ?? ?? ?? ?? ?? 81 F9 BA 47 00 00 }\r\n    $code3 = { 83 3C 25 6C 02 FE 7F 0A }\r\ncondition:\r\n    uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $code3 and 2 of ($code1,$code2)\r\n}\r\nYARA rule for identifying the Magniber ransomware\r\nMutex Object Locking\r\nMagniber creates and locks a mutex object named, for example, zarkzonn or dihlxbl, such that the name of the\r\nmutex is different for different versions of the Magniber ransomware. If this mutex object already exists and is\r\ntherefore locked, the ransomware terminates without encrypting any data.\r\nThis is to the advantage of defenders, as a mutex object named, for example, zarkzonn or dihlxbl, can be locked by\r\na legitimate process on a given system with the intention to stop any potential future execution of the Magniber\r\nransomware on the system.\r\nThe PowerShell script below demonstrates this defense technique. The script creates, opens, and locks a mutex\r\nobject named dihlxbl, and releases the object when the user issues the Ctrl+C command. 
Users can execute the\r\nscript by issuing the command powershell.exe ./magniber_mutex_lock.ps1 in the directory where the script file is\r\nstored, where magniber_mutex_lock.ps1 is the filename of the script file:\r\nfunction create_mutex\r\n{\r\n    $created = $False\r\n    $mutex = New-Object -TypeName System.Threading.Mutex($true, \"dihlxbl\", [ref]$created)\r\n    Write-Host \"Mutex object named dihlxbl created, opened, and locked: $created.\"\r\n    return $mutex\r\n}\r\nfunction release_mutex\r\n{\r\n    param (\r\n        $mutex\r\n    )\r\n    $mutex.ReleaseMutex()\r\n    $mutex.Dispose()\r\n}\r\n$mutex = create_mutex\r\ntry\r\n{\r\n    while($true)\r\n    {\r\n        Start-Sleep -Seconds 1\r\n    }\r\n}\r\nfinally\r\n{\r\n    release_mutex($mutex)\r\n    Write-Host \"Mutex object released.\"\r\n}\r\nPowerShell script that locks a mutex object named dihlxbl\r\nGeneral Recommendations\r\nIn addition to specific recommendations for PrintNightmare and the Magniber ransomware, Cybereason offers the\r\nfollowing general security recommendations:\r\nMake sure your systems are patched in a timely manner in order to minimise the risk of ransomware infections\r\nby vulnerability exploitation.\r\nUse secure passwords, regularly rotate passwords, and use multi-factor authentication where\r\npossible.\r\nRegularly back up files to a secured remote location and implement a data recovery plan. Regular\r\ndata backups ensure that you can restore your data after a ransomware attack.\r\nSecurely handle email messages that originate from external sources. This includes disabling\r\nhyperlinks and investigating email message content to identify phishing attempts.\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to\r\neverywhere—including modern ransomware. 
Learn more about ransomware defense here or schedule a demo\r\ntoday to learn how your organization can benefit from an operation-centric approach to security.\r\nIndicators of Compromise\r\nExecutables\r\nSHA-256 hash: 10B9B1D8F6BAFD9BB57CCFB1DA4A658F10207D566781FA5FB3C4394D283E860E\r\nFile size: 21504 bytes\r\nAssociated files: readme.txt\r\nMutex objects: dihlxbl\r\nFile name extensions: dihlxbl\r\nDomains\r\nl5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion\r\nuponmix.xyz\r\nflysex.space\r\npartscs.site\r\ncodehes.uno\r\nRegistry keys\r\nHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\(Default)\r\nHKCU\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)\r\nHKCU\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute\r\nMITRE ATT\u0026CK Techniques\r\nExecution: Native API\r\nPrivilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control\r\nDefense Evasion: Indicator Removal on Host: File Deletion; Modify Registry; Obfuscated Files or Information: Software Packing\r\nDiscovery: File and Directory Discovery\r\nImpact: Data Encrypted for Impact\r\nAbout the Researchers:\r\nAleksandar Milenkoski, Senior Threat and Malware Analyst, Cybereason Global SOC\r\nAleksandar Milenkoski is a Senior Threat and Malware Analyst with the Cybereason Global\r\nSOC team. He is involved primarily in reverse engineering and threat research activities. Aleksandar has a PhD in\r\nsystem security. 
Prior to Cybereason, his work focussed on research in intrusion detection and reverse engineering\r\nsecurity mechanisms of the Windows 10 operating system.\r\nEli Salem, Senior Security Analyst, Cybereason Global SOC\r\nEli is a lead threat hunter and malware reverse engineer at Cybereason. He has worked in the\r\nprivate sector of the cyber security industry since 2017. In his free time, he publishes articles about malware\r\nresearch and threat hunting.\r\nAbout the Author\r\nCybereason Global SOC Team\r\nThe Cybereason Global SOC Team delivers 24/7 Managed Detection and Response services to customers on\r\nevery continent. Led by cybersecurity experts with experience working for government, the military and multiple\r\nindustry verticals, the Cybereason Global SOC Team continuously hunts for the most sophisticated and pervasive\r\nthreats to support our mission to end cyberattacks on the endpoint, across the enterprise, and everywhere the battle\r\nmoves.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware"
	],
	"report_names": [
		"threat-analysis-report-printnightmare-and-magniber-ransomware"
	],
	"threat_actors": [
		{
			"id": "a6814184-2133-4520-b7b3-63e6b7be2f64",
			"created_at": "2025-08-07T02:03:25.019385Z",
			"updated_at": "2026-04-10T02:00:03.859468Z",
			"deleted_at": null,
			"main_name": "GOLD VICTOR",
			"aliases": [
				"DEV-0832 ",
				"STAC5279 ",
				"Vanilla Tempest ",
				"Vice Society",
				"Vice Spider "
			],
			"source_name": "Secureworks:GOLD VICTOR",
			"tools": [
				"Advanced IP Scanner",
				"Advanced Port Scanner",
				"HelloKitty ransomware",
				"INC ransomware",
				"MEGAsync",
				"Neshta",
				"PAExec",
				"PolyVice ransomware",
				"PortStarter",
				"PsExec",
				"QuantumLocker ransomware",
				"Rhysida ransomware",
				"Supper",
				"SystemBC",
				"Zeppelin ransomware"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "84aa9dbe-e992-4dce-9d80-af3b2de058c0",
			"created_at": "2024-02-02T02:00:04.041676Z",
			"updated_at": "2026-04-10T02:00:03.537352Z",
			"deleted_at": null,
			"main_name": "Vanilla Tempest",
			"aliases": [
				"DEV-0832",
				"Vice Society"
			],
			"source_name": "MISPGALAXY:Vanilla Tempest",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434172,
	"ts_updated_at": 1775792058,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/60433dd8702a2f1705ba036f14c37526d4dc3404.pdf",
		"text": "https://archive.orkl.eu/60433dd8702a2f1705ba036f14c37526d4dc3404.txt",
		"img": "https://archive.orkl.eu/60433dd8702a2f1705ba036f14c37526d4dc3404.jpg"
	}
}