In the past, Magniber exploited an Internet Explorer vulnerability to infect users' PCs via Drive-by-Download attacks. However, after Microsoft stopped supporting Internet Explorer, Magniber’s operators gave up on exploiting vulnerabilities and instead took to social engineering tactics to trick users into downloading malicious payloads onto systems.  

A glance at the latest propagation method

On December 9, the ASEC analysis team observed a Magniber ransomware campaign that leveraged COVID-19-related filenames to stealthily execute on victim systems. 
  • Researchers highlighted that the ransomware gets directly executed from malicious files soon after the victim visits untrusted websites. 
  • Magniber ransomware is embedded in MSI file format for Chrome browser and in zip file format for Edge browser.

The drift toward social engineering

The operators behind Magniber ransomware are the latest to have shifted their initial infection vector from exploiting vulnerabilities to having users execute malware through social engineering techniques. Previously, threat actors who used GrandCrab, BlueCrab, and LockBit 3.0 also adopted social engineering tactics to lure unsuspecting users into downloading ransomware.

Magniber's recent efforts

Of late, Magniber ransomware added a new way to target Windows home users.
  • The attacker created websites advertising fake antivirus and security updates for Windows 10 to distribute malware.  
  • In yet another incident, the attackers updated the ransomware’s capabilities to target Windows 11. 


As attackers continue to evolve their tactics to keep their ransomware effective, experts suggest users avoid downloading files and programs from unknown sources. Beware of unsolicited emails and don’t click on links that look suspicious.
Cyware Publisher