{
	"id": "c60710c6-769f-4095-8b10-9a3e4b0935ce",
	"created_at": "2026-04-06T00:14:16.692512Z",
	"updated_at": "2026-04-10T13:11:56.329332Z",
	"deleted_at": null,
	"sha1_hash": "756168c6c653e5bff836a1d996d7bdd44163180d",
	"title": "Magniber Ransomware Targets Users with Fake Software Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1400998,
	"plain_text": "Magniber Ransomware Targets Users with Fake Software Updates\r\nBy Patrick Schläpfer\r\nPublished: 2022-10-13 · Archived: 2026-04-05 23:09:26 UTC\r\nIn recent years, “Big Game Hunting” ransomware attacks against enterprises have dominated media headlines\r\nbecause of their high-profile victims and substantial ransom demands. Yet single-client ransomware – a type of\r\nransomware that infects individual computers, rather than fleets of devices – can still cause significant damage to\r\nindividuals and organizations. In this article, we share our analysis of a ransomware campaign isolated by HP\r\nWolf Security in September 2022 that targeted home users by masquerading as software updates. The campaign\r\nspread Magniber, a single-client ransomware family known to demand $2,500 from victims. Notably, the attackers\r\nused clever techniques to evade detection, such as running the ransomware in memory, bypassing User Account\r\nControl (UAC) in Windows, and bypassing detection techniques that monitor user-mode hooks by using syscalls\r\ninstead of standard Windows API libraries.\r\nCampaign Overview\r\nThe infection chain starts with a web download from an attacker-controlled website. 
The user is asked to\r\ndownload a ZIP file containing a JavaScript file that purports to be an important anti-virus or Windows 10\r\nsoftware update.\r\nSYSTEM.Critical.Upgrade.Win10.0.ba45bd8ee89b1.js\r\nSYSTEM.Security.Database.Upgrade.Win10.0.jse\r\nAntivirus_Upgrade_Cloud.29229c7696d2d84.jse\r\nALERT.System.Software.Upgrade.392fdad9ebab262cc97f832c40e6ad2c.js\r\nFigure 1 – Magniber ransomware isolated by HP Sure Click Enterprise\r\nPreviously Magniber was primarily spread through MSI and EXE files, but in September 2022 we started seeing\r\ncampaigns distributing the ransomware in JavaScript files.\r\nhttps://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/\r\nPage 1 of 12\n\nThe JavaScript files use a variation of the DotNetToJScript technique, enabling the attacker to load a .NET\r\nexecutable in memory, meaning the ransomware does not need to be saved to disk. This technique bypasses\r\ndetection and prevention tools that monitor files written to disk and reduces artifacts left on an infected system.\r\nThe .NET code decodes shellcode and injects it into another process. The ransomware code runs from this process\r\n– first deleting shadow copy files and disabling Windows’ backup and recovery features, before encrypting the\r\nvictim’s files (Figure 2).\r\nMagniber requires administrator privileges to disable the victim’s ability to recover their data, so the malware uses\r\na User Account Control (UAC) bypass to run commands without alerting the user. For this to work, however, the\r\nlogged-in user must be part of the Administrators group. For the encryption task, the malware enumerates files and\r\nchecks each file’s extension against a list. If the extension is in the list, the file is encrypted. 
Finally, the malware\r\nplaces a ransom note in each directory with an encrypted file and shows it to the victim by opening the note in a\r\nweb browser.\r\nFigure 2 – Magniber infection chain\r\nCampaign Technical Analysis\r\nThe attackers behind the campaign used several interesting techniques to circumvent detection and prevention\r\nmechanisms, described in more detail below.\r\nPhase 1: JavaScript Loader\r\nAs mentioned in the overview, the campaigns start with a JavaScript file compressed in a ZIP archive. We’ve seen\r\nboth JS and JSE files used. JSE files are encoded JavaScript files. In both cases, the scripts are obfuscated (Figure 3).\r\nFigure 3 – Obfuscated JavaScript\r\nAfter decoding the script, we see it instantiates several MemoryStream type ActiveXObjects. Next, it decrypts an\r\ninteger array and writes it into one of the MemoryStreams. Once this is done, the MemoryStream is deserialized,\r\ngiving us an executable .NET file.\r\nFigure 4 – Deobfuscated JavaScript\r\nAt this point we enter the second phase, the .NET phase.\r\nPhase 2: .NET Binary\r\nThe .NET binary has a very simple structure since it only contains a few functions and an integer array, similar to\r\nthe JavaScript file. When run, the code sets the memory protection of the array to\r\n“PAGE_EXECUTE_READWRITE” and decodes an array in a similar way to the encoded JavaScript in the\r\nprevious phase. 
The decoded array is shellcode which is run using the EnumUILanguages function, which takes a\r\npointer to a callback function as its first argument.\r\nFigure 5 – Main function inside .NET binary\r\nPhase 3: Stage 1 Shellcode\r\nThe first shellcode stage decrypts a second stage, injects it into another process and finally runs it. To evade\r\ndetection, both shellcode stages use syscalls instead of calling standard libraries.\r\nFigure 6 – Syscall wrapper inside shellcode\r\nThe shellcode contains its own wrapper functions that are responsible for making syscalls. To make a syscall, an\r\nidentifier is written to the EAX register and then the syscall function corresponding to that identifier is executed.\r\nHowever, these identifiers can vary depending on the operating system version, so the malware must account for\r\nthis to support multiple versions. Magniber queries the operating system version and, for certain syscalls, runs\r\nthrough a switch-case statement before executing it. One example where this happens is NtCreateThreadEx. This\r\nsyscall is used to create a new thread, in this case in another process, where shellcode is injected.\r\nFigure 7 – Syscall identifiers for NtCreateThreadEx (source)\r\nFigure 7 shows the NtCreateThreadEx identifiers for different versions of Windows. The code must use the correct\r\nidentifier based on the operating system version. 
Using the switch-case statements, it is possible to infer which\r\noperating systems the malware supports.\r\nVersion | Code Name | Release Date\r\n17134 | Windows 10, Version 1803 | April 30, 2018\r\n17763 | Windows 10, Version 1809 | November 13, 2018\r\n18362 | Windows 10, Version 1903 | May 21, 2019\r\n18363 | Windows 10, Version 1909 | November 12, 2019\r\n19041 | Windows 10, Version 2004 | May 27, 2020\r\n19042 | Windows 10, Version 20H2 | October 20, 2020\r\n19043 | Windows 10, Version 21H1 | May 18, 2021\r\n19044 | Windows 10, Version 21H2 | November 16, 2021\r\n20348 | Windows Server 2022, Version 21H2 | August 18, 2021\r\n22000 | Windows 11, Version 21H2 | October 4, 2021\r\n22610 | Windows 11 Insider Preview | April 29, 2022\r\n22621 | Windows 11, Version 22H2 | September 20, 2022\r\n25115 | Windows 11 Insider Preview | May 11, 2022\r\n25145 | Windows 11 Insider Preview | June 22, 2022\r\n25163 | Windows 11 Insider Preview | July 20, 2022\r\nInterestingly, the Magniber sample we analyzed in September supports different versions of Windows 11, including\r\npre-release versions. This suggests that home users rather than enterprises were the intended targets of the\r\ncampaign, since enterprises tend to use older operating systems.\r\nWith the help of syscalls, the shellcode injects decrypted shellcode into a new process and executes it, then\r\nterminates its own process.\r\nPhase 4: Stage 2 Shellcode\r\nThis shellcode now runs in the context of another process, which is why the process chain is interrupted. The\r\npurpose of this code can be divided into two parts. The first part deletes shadow copy files and disables backup\r\nand recovery features. The second part recursively enumerates all the files on the filesystem and encrypts them\r\nbased on their file extension. 
This part of the shellcode also works purely with syscalls and does not use standard\r\nlibraries.\r\nPhase 4.1: Delete Shadow Copy Files and Disable Backup and Recovery\r\nTo delete the shadow copy files and disable Windows recovery features, Magniber requires administrator\r\nprivileges, i.e. the user must be in the Administrators group. Most employees in enterprise environments don’t\r\nneed such privileges, so this is another indication that the attackers behind the campaign intended to target\r\nindividuals rather than enterprises. However, even if the user is in the Administrators group, the malware must\r\nfirst bypass User Account Control, which controls whether a process may run with elevated privileges. Magniber uses a UAC\r\nbypass that is triggered with the following steps:\r\n1. The malware creates the registry key\r\nHKCU\\SOFTWARE\\Classes\\AppX04g0mbrz4mkc6e879rpf6qk6te730jfv\\Shell\\open\\command. In this\r\nexample, the key is linked from the “ms-settings” key and allows the attacker to specify a shell command.\r\n2. The malware sets the key with the value “wscript.exe /B /E:VBScript.Encode\r\n../../Users/Public/hnzpfrdt.tex”.\r\n3. The malware writes an encoded VBScript into the Public directory containing commands that delete\r\nshadow copy files and disable backup and recovery features in Windows.\r\n4. The malware starts “fodhelper.exe”, a utility for managing optional features in Windows, which then\r\ntriggers the UAC bypass. 
This process accesses the newly created registry key and runs the command\r\nstored in it, causing the VBScript to execute with elevated privileges and without user confirmation.\r\nThe resulting process tree of the UAC bypass looks like this:\r\nFigure 8 – Process tree of UAC bypass using fodhelper.exe\r\nOne way to prevent the “fodhelper.exe” UAC bypass is to increase the UAC security level to “Always notify”,\r\nwhich stops it from working on Windows 10.\r\nThe VBScript deletes shadow copy files using Windows Management Instrumentation (WMI), deactivates the\r\nWindows recovery feature using the bcdedit command, then deletes the system backup using wbadmin. This\r\nmakes it impossible for the user to restore the encrypted files using Windows system tools.\r\nFigure 9 – VBScript that deletes shadow copy files and disables backup and recovery features\r\nPhase 4.2: Encrypt Files\r\nTo decide which files to encrypt, Magniber keeps a list of pseudohashes that each correspond to a different file\r\nextension. After enumerating a file, the ransomware generates a pseudohash of the file extension. If the\r\npseudohash is in the list, the file is encrypted. The encrypted file is then renamed with another file extension that\r\nis unique to each Magniber sample. The ransomware file extension is identical to the URL path in the ransom\r\nnote.\r\nMagniber’s file extension hashes are best described as pseudohashes because no standard hash algorithm is used\r\nand the calculation causes hash collisions – meaning some files that aren’t in the attacker’s list of file extensions\r\nare also encrypted. 
An implementation of the hashing function in Python looks like this:\r\ndef pseudohash(file_ending):\r\n    # file_ending is the extension without the leading dot, e.g. 'docx'\r\n    total = 0\r\n    length = len(file_ending)\r\n    for position, character in enumerate(file_ending):\r\n        # a..z map to 1..26 via ord(c) - 0x60; each value is weighted by\r\n        # 27 ** (length - position), written as 3 ** (3 * (length - position))\r\n        # to match the original listing. Characters outside a..z (digits,\r\n        # uppercase) fall outside 1..26, which is where collisions arise.\r\n        total += (ord(character) - 0x60) * (3 ** ((length - position) * 3))\r\n    return total\r\nFinally, the ransomware tells the victim about what happened and how they can decrypt their data by dropping an\r\nHTML ransom note in every directory that contains an encrypted file. To make sure the user sees the demand,\r\nMagniber also opens the note in a web browser.\r\nFigure 10 – Magniber ransom note\r\nHow to Protect Yourself\r\nHome users can protect themselves from ransomware campaigns like this one by following this simple advice:\r\nFollow the principle of least privilege by only using administrator accounts if you really need to. Many\r\nhome users have administrator privileges but rarely need them.\r\nDownload software updates from trusted sources. The campaign depends on tricking people into opening\r\nfake software updates. Only download updates from trustworthy sources such as Windows Update and\r\nofficial software vendor websites.\r\nBack up your data regularly. Backing up your data will give you peace of mind should the worst happen.\r\nConclusion\r\nEven though Magniber does not fall into the category of Big Game Hunting, it can still cause significant damage.\r\nHome users were the likely target of this malware based on the supported operating system versions and UAC\r\nbypass. The attackers used clever techniques to evade protection and detection mechanisms. 
Most of the infection\r\nchain is “fileless”, meaning the malware only resides in memory, reducing the chances of it being detected.\r\nMagniber also bypasses detection techniques that rely on user-mode hooks because it uses syscalls instead of\r\nstandard Windows API libraries. With the UAC bypass, the malware deletes the infected system’s shadow copy\r\nfiles and disables backup and recovery features, preventing the victim from recovering their data using Windows\r\ntools.\r\nIndicators of Compromise (IOCs)\r\nReference Magniber JavaScript sample used for our analysis:\r\n934cfeb5ee3d2ba49831d76dffb1a2658326e1cd90b50779d6670eb2fbdc7ed1\r\nMagniber JavaScript files:\r\n
Magniber encrypts files with these extensions:\r\nMagniber domains:\r\nSource: https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://threatresearch.ext.hp.com/magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates/"
	],
	"report_names": [
		"magniber-ransomware-switches-to-javascript-targeting-home-users-with-fake-software-updates"
	],
	"threat_actors": [],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/756168c6c653e5bff836a1d996d7bdd44163180d.pdf",
		"text": "https://archive.orkl.eu/756168c6c653e5bff836a1d996d7bdd44163180d.txt",
		"img": "https://archive.orkl.eu/756168c6c653e5bff836a1d996d7bdd44163180d.jpg"
	}
}