{
	"id": "ffa80961-5d2e-4423-ba02-946cf7c81bfd",
	"created_at": "2026-04-06T00:12:36.179234Z",
	"updated_at": "2026-04-10T03:19:57.398472Z",
	"deleted_at": null,
	"sha1_hash": "d6e43bf0fc9e08129789dfc1356384aecf96276e",
	"title": "Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 898002,
	"plain_text": "Magniber Ransomware Being Distributed via Microsoft Edge and\r\nGoogle Chrome\r\nBy ATCP\r\nPublished: 2022-01-12 · Archived: 2026-04-05 23:40:24 UTC\r\nThe ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet\r\nExplorer (IE) vulnerabilities. For the last couple of years, the attacker behind Magniber has been exploiting IE\r\nvulnerabilities to deploy ransomware. And as shown in the previous blog below, it is still being distributed by\r\nexploiting the IE vulnerabilities. What’s new, however, is that Magniber’s distribution has been confirmed on\r\nbrowsers other than IE: Microsoft Edge and Google Chrome.\r\nThis blog post aims to explain the distribution process of Magniber in the two browsers above.\r\nFigure 1 and Figure 2 show distribution pages opened with Edge and Chrome, respectively. Both pages prompt users\r\nto install a Windows application package file (.appx) to update the corresponding browser.\r\nhttps://asec.ahnlab.com/en/30645/\r\nPage 1 of 7\n\nFigure 1. Distribution page on Edge\r\nFigure 2. Distribution page on Chrome\r\nNote that the APPX file disguised as Chrome or Edge’s Windows update application internally contains a valid\r\ncertificate (see Figure 3). This means that the Windows application (.appx) is treated as a trusted application, therefore\r\nallowing its installation.\r\nFigure 3. Valid certificate info\r\nFigure 4 shows the result of executing the downloaded APPX file: a malicious EXE and DLL are created in\r\nthe child paths of C:\\Program Files\\WindowsApps.\r\nFigure 4. Malicious EXE and DLL created upon installing APPX file\r\nFigure 5 shows the code of the created EXE file (wjoiyyxzllm.exe). 
It loads the DLL file (wjoiyyxzllm.dll) that was\r\ncreated together and executes a specific function (mbenooj).\r\nFigure 5. Code of wjoiyyxzllm.exe\r\nFigure 6 is a part of the DLL code that downloads the ransomware’s encoded payload and decodes it.\r\nFigure 6. Part of DLL code (download and execute ransomware)\r\nUltimately, Magniber is executed from the memory of wjoiyyxzllm.exe, encrypting the user’s files and creating a\r\nransom note demanding that the user send money if they wish to restore the files (Figure 7).\r\nFigure 7. Ransom note that is created following file encryption (Magniber)\r\nMagniber’s distributor signed the APPX file with a trusted certificate to disguise it as an innocuous app to deceive the\r\nsystem. Users must refrain from accessing untrusted websites and keep security software such as V3 updated to the latest\r\nversion.\r\n[File Detection]\r\nexe loader: Trojan/Win.Loader.R462129 (2022.01.03.02)\r\nMagniber dll: Ransomware/Win.Magniber.R462664 (2022.01.06.00), Ransomware/Win.Magniber.X2130\r\n(2022.01.06.02)\r\n[Behavior Detection]\r\nRansom/MDP.Decoy.M1171\r\n[Memory Detection]\r\nRansomware/Win.Magniber.XM135 (2022.01.06.02)\r\n[IOC]\r\ncf16310545bf91d3ded081f9220af7cc (exe)\r\n12a12ea3b7d84d1bd0aad215d024665c (dll)\r\nhxxp://b5305c364336bqd.bytesoh.cam\r\nhxxp://hadhill.quest/376s53290a9n2j\r\nSource: https://asec.ahnlab.com/en/30645/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://asec.ahnlab.com/en/30645/"
	],
	"report_names": [
		"30645"
	],
	"threat_actors": [],
	"ts_created_at": 1775434356,
	"ts_updated_at": 1775791197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d6e43bf0fc9e08129789dfc1356384aecf96276e.pdf",
		"text": "https://archive.orkl.eu/d6e43bf0fc9e08129789dfc1356384aecf96276e.txt",
		"img": "https://archive.orkl.eu/d6e43bf0fc9e08129789dfc1356384aecf96276e.jpg"
	}
}