{
	"id": "cdb5c293-6204-4f51-b5f3-92baf8b96c60",
	"created_at": "2026-04-06T00:10:02.222003Z",
	"updated_at": "2026-04-10T03:22:06.257102Z",
	"deleted_at": null,
	"sha1_hash": "c14e654869c6bcea7ba5d16f81f1dba04917a531",
	"title": "PrintNightmare vulnerability weaponized by Magniber ransomware gang",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87090,
	"plain_text": "PrintNightmare vulnerability weaponized by Magniber\r\nransomware gang\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-13 · Archived: 2026-04-05 14:15:42 UTC\r\nThe operators of the Magniber ransomware have weaponized the infamous PrintNightmare vulnerability and are\r\nnow attempting to breach Windows systems in South Korea.\r\nIn a report published today by security firm CrowdStrike, the company said the attacks have been taking place\r\nsince at least July 13.\r\nWhich PrintNightmare is this?\r\nWhile several different vulnerabilities in the Windows Print Spooler service are collectively referred to as\r\nPrintNightmare, CrowdStrike said the attackers weaponized CVE-2021-34527.\r\nThis is one of the two original PrintNightmare bugs that started this whole series of vulnerabilities, which is now\r\ngetting close to around 10 different issues.\r\nInitially tracked and (believed to have been) patched in early June as CVE-2021-1675, researchers published proof\r\nof concept code to exploit this bug in late June.\r\nThe proof-of-concept code was pulled down within hours after researchers realized it was exploiting a different\r\nissue, a much worse one, but by that time, the cat was out of the bag.\r\nCVE-2021-1675 - elevation of privilege bug in Print Spooler server\r\nCVE-2021-34527- remote code execution in Print Spooler server\r\nMicrosoft assigned CVE-2021-34527 to this new bug and patched it two weeks later, on July 6.\r\nSince then, several other variations of these two initial PrintNightmare bugs have been discovered in the Print\r\nSpooler service, including one discovered a day after this month's Patch Tuesday and still unpatched, all still\r\ncollectively called PrintNightmare.\r\nAttacks limited to South Korea, for now\r\nWhile several security experts anticipated that PrintNightmare would be exploited in the wild, especially the RCE\r\nvariant, for now, the attacks have been limited to South Korea.\r\nFirst spotted in late 2017, the Magniber 
ransomware has exclusively been active only in South Korea.\r\nWhile CrowdStrike has not published an attack chain for the recent Magniber-PrintNightmare attacks, it is worth\r\nmentioning that the Magniber group has been using the Magnitude exploit kit to distribute its payloads since at\r\nleast 2018, an exploit kit which it still uses today, according to Avast.\r\nAn exploit kit is a web-based app designed to infect users by exploiting browser vulnerabilities.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/"
	],
	"report_names": [
		"printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang"
	],
	"threat_actors": [],
	"ts_created_at": 1775434202,
	"ts_updated_at": 1775791326,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c14e654869c6bcea7ba5d16f81f1dba04917a531.pdf",
		"text": "https://archive.orkl.eu/c14e654869c6bcea7ba5d16f81f1dba04917a531.txt",
		"img": "https://archive.orkl.eu/c14e654869c6bcea7ba5d16f81f1dba04917a531.jpg"
	}
}