Exploit-Kit

Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits. It is not meant to be exhaustive but aims to cover the kits most seen in the past 5 years.

Authors
Authors and/or Contributors
Kafeine
Will Metcalf
KahuSecurity

Astrum

Astrum Exploit Kit is a private exploit kit used in massive-scale malvertising campaigns. It is notable for its use of steganography.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Astrum.

Known Synonyms
Stegano EK
Internal MISP references

UUID e9ca60cd-94fc-4a54-ac98-30e675a46b3e which can be used as unique global reference for Astrum in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen 2017-06-14

Underminer

Underminer EK is an exploit kit that seems to be used privately against users in Asia. Functionalities: browser profiling and filtering, prevention of client revisits, URL randomization, and asymmetric encryption of payloads.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Underminer.

Known Synonyms
Underminer EK
Internal MISP references

UUID 49492577-62dd-491d-95d4-92a47adbd98a which can be used as unique global reference for Underminer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Fallout

Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competing exploit kits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fallout.

Known Synonyms
Fallout
Internal MISP references

UUID 1f05f646-5af6-4a95-825b-164f49616aa4 which can be used as unique global reference for Fallout in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Bingo

Bingo EK is the name chosen by defenders for a Fiesta-like EK first spotted in March 2017 and, at that time, targeting mostly Russia.

Internal MISP references

UUID 9e864c01-3d9e-4b8d-811e-46471ff866e9 which can be used as unique global reference for Bingo in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
status Retired - Last seen 2017-07-07

Terror EK

Terror EK is built on Hunter, Sundown and RIG EK code.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Terror EK.

Known Synonyms
Blaze EK
Neptune EK
Internal MISP references

UUID f15f9264-854e-4e25-8641-cde2faeb86e9 which can be used as unique global reference for Terror EK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen 2017-11-11

DealersChoice

DealersChoice is a Flash Player Exploit platform triggered by RTF.

DealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Networks researchers analyzed two variants — variant A, a standalone variant including Flash exploit code packaged with a payload, and variant B, a modular variant that loads exploit code on demand. This component appeared in 2016 and is still in use.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DealersChoice.

Known Synonyms
Sednit RTF EK
Internal MISP references

UUID 0f116533-a755-4cfc-815a-fa6bcb85efb7 which can be used as unique global reference for DealersChoice in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status

DNSChanger

DNSChanger Exploit Kit is an exploit kit targeting routers via the browser.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSChanger.

Known Synonyms
RouterEK
Internal MISP references

UUID 74fb6a14-1279-4a5b-939a-76478d36d3e1 which can be used as unique global reference for DNSChanger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Novidade

Novidade Exploit Kit is an exploit kit targeting routers via the browser.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Novidade.

Known Synonyms
DNSGhost
Internal MISP references

UUID 88acc3b7-2cdd-4e7b-ad0b-2880ffa1eb6d which can be used as unique global reference for Novidade in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Disdain

Disdain EK was introduced on an underground forum on 2017-08-07. The panel is stolen from Sundown, the patterns are Terror-like and the obfuscation is reminiscent of Nebula.

Internal MISP references

UUID 1ded776d-6772-4cc8-a27f-f61e24a58d96 which can be used as unique global reference for Disdain in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Kaixin

Kaixin is an exploit kit mainly seen behind compromised websites in Asia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kaixin.

Known Synonyms
CK vip
Internal MISP references

UUID e6c1cfcf-3e37-4f5a-9494-989dd8c43d88 which can be used as unique global reference for Kaixin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Magnitude

Magnitude EK

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Magnitude.

Known Synonyms
Magniber
Magnitude EK
Popads EK
TopExp
Internal MISP references

UUID 6a313e11-5bb2-40ed-8cde-9de768b783b1 which can be used as unique global reference for Magnitude in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

MWI

Microsoft Word Intruder is an exploit kit focused on Word and embedded Flash exploits. The author does not want customers to use it in mass spam campaigns, so it is most often connected to semi-targeted attacks.

Internal MISP references

UUID 489acbf2-d80b-4bb5-ac7d-c8573dcb6324 which can be used as unique global reference for MWI in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

ThreadKit

ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017.

Internal MISP references

UUID b8be783c-69a8-11e8-adc0-fa7ae01bbebc which can be used as unique global reference for ThreadKit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

VenomKit

VenomKit is the name given to a kit sold since April 2017 as "Word 1day exploit builder" by the user badbullzvenom. The author only allows its use in targeted campaigns. It is used, for instance, by the "Cobalt Gang".

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VenomKit.

Known Synonyms
Venom
Internal MISP references

UUID b8be7af8-69a8-11e8-adc0-fa7ae01bbebc which can be used as unique global reference for VenomKit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Taurus Builder

Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user "badbullzvenom".

Internal MISP references

UUID 63988ca2-46c8-4bda-be46-96a8670af357 which can be used as unique global reference for Taurus Builder in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
status Active

RIG

RIG is an exploit kit derived from Infinity EK, itself an evolution of Redkit. It became dominant after the fall of Angler and Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible to "vip" customers and RIG 3 was still in use.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RIG.

Known Synonyms
Meadgive
RIG 3
RIG 4
RIG-v
Internal MISP references

UUID 0545e5c0-ed0d-4a02-a69d-31e9e2b31e8a which can be used as unique global reference for RIG in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Spelevo

Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK.

Internal MISP references

UUID c880991f-1c17-4bf2-8955-50309364e358 which can be used as unique global reference for Spelevo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Sednit EK

Sednit EK is the exploit kit used by APT28.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sednit EK.

Known Synonyms
SedKit
Internal MISP references

UUID c8b9578a-78be-420c-a29b-9214d09685c8 which can be used as unique global reference for Sednit EK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Sundown-P

Sundown-P/Sundown-Pirate is a rip-off of Sundown used privately (by a single group only). It was first spotted at the end of June 2017 and branded as CaptainBlack in August 2017.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sundown-P.

Known Synonyms
CaptainBlack
Sundown-Pirate
Internal MISP references

UUID 3235ae90-598b-45dc-b336-852817b271a8 which can be used as unique global reference for Sundown-P in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Bizarro Sundown

Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bizarro Sundown.

Known Synonyms
Sundown-b
Internal MISP references

UUID ef3b170e-3fbe-420b-b202-4689da137c50 which can be used as unique global reference for Bizarro Sundown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

Hunter

Hunter EK is an evolution of 3Ros EK.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hunter.

Known Synonyms
3ROS Exploit Kit
Internal MISP references

UUID 96b2b31e-b191-43c4-9929-48ba1cbee62c which can be used as unique global reference for Hunter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

GreenFlash Sundown

GreenFlash Sundown is a variation of Bizarro Sundown without a landing page.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GreenFlash Sundown.

Known Synonyms
Sundown-GF
Internal MISP references

UUID 6e5c0dbb-fb0b-45ea-ac6c-bb6d8324bbd2 which can be used as unique global reference for GreenFlash Sundown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

Angler

The Angler Exploit Kit was the most popular and most evolved exploit kit from 2014 to the middle of 2016. There were several variations: the historical "indexm" variant, used to spread Lurk; a VIP version, used notably to spread Poweliks; the "standard" commercial version; and a variant tied to load selling (mostly bankers) that can be associated with EmpirePPC.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Angler.

Known Synonyms
AEK
Axpergle
XXX
Internal MISP references

UUID 5daf41c7-b297-4228-85d1-eb040d5b7c90 which can be used as unique global reference for Angler in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2016-06-07

Archie

Archie EK

Internal MISP references

UUID 2756caae-d2c5-4170-9e76-2b7f1b1fccb1 which can be used as unique global reference for Archie in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

BlackHole

The BlackHole Exploit Kit was the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch's arrest (all activity since then is anecdotal and based on an old leak).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackHole.

Known Synonyms
BHEK
Internal MISP references

UUID e6201dc3-01a7-40c5-ba72-02fa470ada53 which can be used as unique global reference for BlackHole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2013-10-07

Bleeding Life

Bleeding Life is an exploit kit that became open source with its version 2.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bleeding Life.

Known Synonyms
BL
BL2
Internal MISP references

UUID 5abe6240-dce2-4455-8125-ddae2e651243 which can be used as unique global reference for Bleeding Life in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

Cool

The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cool.

Known Synonyms
CEK
Styxy Cool
Internal MISP references

UUID 9bb229b0-80f9-48e5-b8fb-00ee7af070cb which can be used as unique global reference for Cool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2013-10-07

Fiesta

Fiesta Exploit Kit

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fiesta.

Known Synonyms
Fiexp
NeoSploit
Internal MISP references

UUID f50f860a-d795-4f4e-a170-8190f65499ad which can be used as unique global reference for Fiesta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last Seen: beginning of 2015-07

Empire

The Empire Pack is a variation of RIG operated by a load seller. It is fed by many traffic actors.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Empire.

Known Synonyms
RIG-E
Internal MISP references

UUID 6eb15569-4ddd-4820-9a44-7bca5b303b86 which can be used as unique global reference for Empire in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2016-12-29

FlashPack

FlashPack EK has had multiple forks. The most commonly seen variant was the standalone Flash version.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FlashPack.

Known Synonyms
CritXPack
FlashEK
SafePack
Vintage Pack
Internal MISP references

UUID 55a30ccc-8905-4af2-a498-5c0010815cc1 which can be used as unique global reference for FlashPack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: middle of 2015-04

Glazunov

Glazunov is an exploit kit mainly seen behind compromised websites in 2012 and 2013. The Glazunov compromises are likely the ancestor of the activity that became EITest in July 2014. Sibhost and Flimkit later showed similarities with this exploit kit.

Internal MISP references

UUID 897374fa-6a35-11e8-adc0-fa7ae01bbebc which can be used as unique global reference for Glazunov in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: maybe end of 2013

GrandSoft

GrandSoft Exploit Kit was a fairly common exploit kit in 2012/2013. It disappeared between March 2014 and September 2017.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GrandSoft.

Known Synonyms
SofosFO
StampEK
Internal MISP references

UUID 180b6969-2aca-4642-b684-b57db8f0eff8 which can be used as unique global reference for GrandSoft in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Active

HanJuan

HanJuan EK was a variation of Angler EK fed by a single actor and used in an evolved malvertising chain targeting the USA. It used a 0day (CVE-2015-0313) from the beginning of December 2014 until the beginning of February 2015.

Internal MISP references

UUID 886abdc6-db1a-4fc5-afe0-e17d65a83614 which can be used as unique global reference for HanJuan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2015-07

Himan

Himan Exploit Kit

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Himan.

Known Synonyms
High Load
Internal MISP references

UUID 3d0cb558-7f04-4be8-963e-5f137566b07b which can be used as unique global reference for Himan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2014-04

Impact

Impact EK

Internal MISP references

UUID 319357b4-3041-4a71-89c5-51be08041d1b which can be used as unique global reference for Impact in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

Infinity

Infinity is an evolution of Redkit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Infinity.

Known Synonyms
Goon
Redkit v2.0
Internal MISP references

UUID 4b858835-7b31-4b94-8144-b5175da1551f which can be used as unique global reference for Infinity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2014-07

Lightsout

Lightsout Exploit Kit has been used in watering hole attacks performed by the APT group Havex.

Internal MISP references

UUID 244c05f8-1a2f-47fb-9dcf-2eaa99ab6aa1 which can be used as unique global reference for Lightsout in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Unknown - Last seen: 2014-03

Nebula

Nebula Exploit Kit was built on Sundown source code and features an internal TDS.

Internal MISP references

UUID 4ca96067-8fdd-4b48-bd34-d2e175e27bad which can be used as unique global reference for Nebula in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen 2017-03-09

Neutrino

Neutrino Exploit Kit was one of the major exploit kits from its launch in 2013 until September 2016, when it became private (the defense name for this variation is Neutrino-v). This EK vanished from March 2014 until November 2014.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Neutrino.

Known Synonyms
Job314
Neutrino Rebooted
Neutrino-v
Internal MISP references

UUID 218ae39b-2f92-4355-91c6-50cce319d26d which can be used as unique global reference for Neutrino in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen 2017-04-10

Niteris

Niteris was used mainly to target Russian users.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Niteris.

Known Synonyms
CottonCastle
Internal MISP references

UUID b344133f-e223-4fda-8fb2-88ad7999e549 which can be used as unique global reference for Niteris in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Unknown - Last seen: 2015-11

Nuclear

The Nuclear Pack appeared in 2009 and was one of the longest-lived exploit kits. Spartan EK was a landing-less variation of Nuclear Pack.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nuclear.

Known Synonyms
NEK
Neclu
Nuclear Pack
Spartan
Internal MISP references

UUID e7c516f9-5222-4f0d-b80b-ae9f4c24583d which can be used as unique global reference for Nuclear in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2015-04-30

Phoenix

Phoenix Exploit Kit

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phoenix.

Known Synonyms
PEK
Internal MISP references

UUID 0df2c7a6-046f-4489-8c77-0999c92c839d which can be used as unique global reference for Phoenix in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

Private Exploit Pack

Private Exploit Pack

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Private Exploit Pack.

Known Synonyms
PEP
Internal MISP references

UUID cfd0a4af-f559-496f-b56b-97145ea4e4c3 which can be used as unique global reference for Private Exploit Pack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

Redkit

Redkit was a major exploit kit in 2012. One of its distinctive features was that access was granted in exchange for a share of the customer's traffic.

Internal MISP references

UUID 6958ff90-75e8-47ee-ab07-daa8d487130c which can be used as unique global reference for Redkit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired

Sakura

Sakura Exploit Kit appeared in 2012 and was adopted by several big actors.

Internal MISP references

UUID 12af9112-3ac5-4422-858e-a22c293c6117 which can be used as unique global reference for Sakura in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2013-09

SPL

SPL exploit kit was mainly seen in 2012/2013, most often associated with ZeroAccess and Scareware/FakeAV.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SPL.

Known Synonyms
SPL2
SPLNet
SPL_Data
Internal MISP references

UUID 15936d30-c151-4051-835e-df327143ce76 which can be used as unique global reference for SPL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2015-04

Sundown

Sundown Exploit Kit is mainly built out of code stolen from other exploit kits.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sundown.

Known Synonyms
Beps
Beta
Xer
Internal MISP references

UUID 670e28c4-001a-4ba4-b276-441620225123 which can be used as unique global reference for Sundown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
colour #C03701
status Retired - Last seen 2017-03-08

Sweet-Orange

Sweet Orange

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sweet-Orange.

Known Synonyms
Anogre
SWO
Internal MISP references

UUID 222bc508-4d8d-4972-9cac-65192cfefd43 which can be used as unique global reference for Sweet-Orange in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2015-04-05

Styx

Styx Exploit Kit

Internal MISP references

UUID 006eaa87-e8a6-4808-93ff-302b52c628b0 which can be used as unique global reference for Styx in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2014-06

WhiteHole

WhiteHole Exploit Kit appeared in January 2013 in the wake of CVE-2013-0422.

Internal MISP references

UUID 570bc715-7fe8-430b-bd2e-5512c95f2370 which can be used as unique global reference for WhiteHole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
status Retired - Last seen: 2013-12

Unknown

Unknown Exploit Kit. This is a placeholder for any undocumented exploit kit. If you use this tag, we will be more than happy to give the associated EK a deep look.

Internal MISP references

UUID 00815961-3249-4e2e-9421-bb57feb73bb2 which can be used as unique global reference for Unknown in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SpelevoEK

The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.

Internal MISP references

UUID 00715961-2249-3e2e-8420-bb47feb73bb2 which can be used as unique global reference for SpelevoEK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value