
- Exploit kit -



What Is an Exploit Kit

An exploit kit is a software toolkit designed to be deployed on web servers in order to identify software vulnerabilities in the client machines that communicate with them, and to exploit the discovered vulnerabilities to upload and run malicious code on the client. One of the earlier kits was MPack, in 2006. Exploit kits are often designed to be modular and easy to operate, which allows new vulnerabilities to be added and existing ones to be removed.

JexBoss Exploit Kit

The exploit kit takes advantage of vulnerable JBoss applications and is one of the main attack vectors for spreading SamSam ransomware. The open source tool is freely available on GitHub.

SofosFO/Stamp Exploit Kit

The exploit kit, also known as GrandSoft, uses compromised websites to infect users through browser vulnerabilities in Flash or Java components. The exploit kit is used to infect victims with ransomware, miners, and various Trojans.

Neutrino Exploit Kit

Neutrino and its predecessor Neutrino-v are popular exploit kits that surged in mid-2016. They are known for using compromised sites and malvertising to infect users with various malware.

Magnitude Exploit Kit

Also known as Popads, Magnitude is used in malvertising attacks to infect victims who visit compromised websites. The exploit kit is known to infect users with a range of ransomware, with a focus on users in South Korea.

RIG Exploit Kit

RIG is spread via suspicious advertisements that have been inserted into legitimate websites. The VIP version of the exploit kit, RIG-v, appeared in 2016 and uses new URL patterns.

Bizarro Sundown Exploit Kit

The exploit kit, also known as GreenFlash, was first spotted in October of 2016 and is a predecessor to the Sundown exploit kit. The private EK is only used by the ShadowGate group (aka WordsJS).

KaiXin Exploit Kit

The exploit kit (also known as CK VIP) is reported to have originated from China and focuses on users who visit compromised Korean websites. KaiXin resurfaced in 2018 and is infecting users with the Gh0st Remote Access Trojan.

ThreadKit Exploit Kit

The exploit kit is used to create malicious Microsoft Office documents in an attempt to exploit a range of Microsoft vulnerabilities. The builder is sold on the Dark Web and has been used to infect victims with various malware including FormBook, Loki Bot, Trickbot, and Chthonic.

Underminer Exploit Kit

The exploit kit protects its own exploit code and C2 traffic with RSA encryption and takes advantage of flaws in Microsoft Internet Explorer and Adobe Flash Player to infect users with a range of malware including crypto-miners and bootkits.

Fallout Exploit Kit

The exploit kit was discovered in August 2018 and takes advantage of flaws in Adobe Flash Player and Microsoft Windows. A successful infection will allow the attacker to download additional malware onto the victim's computer.


Angler is one of the most sophisticated EKs used by cybercriminals today and was first observed in 2013. Angler uses malvertising to direct users to its servers, and is known to exploit Adobe Flash Player, Internet Explorer, Microsoft Silverlight, Java, and ActiveX. Angler infects users with ransomware and point-of-sale (PoS) malware. It uses various techniques to defeat traditional detection methods including unique obfuscation, antivirus and virtualization software detection, encrypted payload, and fileless infections. Angler is also very quick at integrating new zero-day exploits in its kit, specifically targeting vulnerabilities in Adobe Flash Player.

Bizarro Sundown

Bizarro Sundown is a new exploit kit (EK) created based on the Sundown EK. Bizarro Sundown shares many of the same features as the Sundown EK, with the addition of anti-analysis capabilities. The EK was first observed by Trend Micro on October 5th with a second sighting on October 19th. The first attack exploited a memory corruption flaw in Microsoft’s Internet Explorer and use-after-free and out-of-bounds read vulnerabilities in Adobe Flash Player.


Blackhole became a very popular and preferred exploit kit tool from about 2010 until October of 2013 when its alleged creator, Paunch, was arrested in Russia. Since his arrest, Blackhole EK has sharply declined in use and popularity as its modules haven’t been updated with exploits targeting new vulnerabilities. It was thought to be the end of Blackhole until security firm Malwarebytes noticed a resurfacing of what appeared to be Blackhole EK in drive-by download attacks, exploiting Java and PDF vulnerabilities.


DNSChanger EK, first discovered by researchers at Proofpoint, is used to take control and change the settings of small office and home routers. In 2015, DNSChanger used cross-site request forgery (CSRF) attacks to hijack routers. This campaign largely affected users in the U.S., Australia, Turkey, Russia, Brazil, India, Argentina, Morocco, and Italy. As of December 2016, the EK was using a malvertising campaign to deliver exploit code to infected routers in order to insert ads into every site the user visits. The attackers buy ads on legitimate websites and inject malicious JavaScript code that will then determine the user’s local IP address.


Fallout is an exploit kit (EK) first identified at the end of August 2018. It was first seen as a part of a malvertising campaign affecting users in Japan, Korea, the Middle East, Southern Europe, and others in the Asia Pacific. Fallout was observed exploiting vulnerabilities CVE-2018-4878 and CVE-2018-8174 and distributing the GandCrab ransomware to users in the Middle East.


Fiesta was first released in 2008 and gained popularity with the decline of Blackhole EK. Fiesta was developed to deliver crypto-ransomware and fake antivirus malware payloads to its victims and exploits vulnerabilities in Flash, Internet Explorer, Adobe Acrobat Reader, and Microsoft Silverlight. It can also terminate running processes and disable common system tools to make detection and removal more difficult. Two-thirds of Fiesta-related traffic occurred in three countries: United States, Japan, and Australia.

Floki Bot

The exploit kit Floki Bot was discovered in September 2016 being advertised for $1,000 on a hacker forum. According to the developer, Floki Bot was designed to be multipurpose and bypass antivirus protection. To accomplish this, it decompresses its payload and is injected via NtReadVirtualMemory, eventually becoming a part of a system parent process. Additional modifications include using another network protocol to conceal itself from Deep Packet Inspection and provide a source of encrypted configuration files to bots through gate[.]php. Floki Bot reportedly has a distinctive capability to exfiltrate payment card information during live point-of-sale terminal transactions.


Magnitude made itself known in October of 2013 when it breached the servers of PHP.net, a popular scripting language development website, and redirected the site’s visitors to its landing page using a compromised JavaScript file. It then exploited vulnerabilities in Java and Flash to deliver malicious payloads like Zeus, Andromeda, Necurs, Zusy, and Ngrbot. Magnitude was later used in an attack against Yahoo and WordPress website users. Magnitude operates as a pay-per-campaign model and its customers are responsible for generating traffic to the kit’s landing pages. The sellers of the Magnitude EK require 5-20% of the user’s malicious traffic in order to turn a profit and stand to make nearly $3 million solely by maintaining infrastructure.


Neutrino was discovered in 2012 and remains active, exploiting vulnerabilities in all Java versions at least up to Java 7 Update 11. Neutrino downloads a ransomware variant on the victim’s machine when it successfully finds a vulnerable target. It features a user-friendly control panel, continuously monitors the status of present antivirus software, filters network traffic, and encrypts stolen information before sending it back to the server. Neutrino developers often purchase iframe traffic in order to generate additional revenue.


In December 2018, Trend Micro identified a new exploit kit (EK), Novidade, used across multiple campaigns. Novidade samples first appeared in August 2017, and its use is believed to have spread due to source code leaking online or through sale to multiple threat groups. Researchers determined the largest campaign using the EK was delivered over 24 million times since March 2018. Novidade targets small office and home (SOHO) routers, poisoning their Domain Name System (DNS) settings to resolve legitimate domain requests to phishing IPs hosted by the threat actor, known as a pharming attack. The malicious IPs will attempt to steal user banking credentials through spoofed websites.


Nuclear dates back to 2009 and remains one of the most widely used EKs. It exploits vulnerabilities in ActiveX, Flash, Internet Explorer, Java, PDF, and Silverlight, and disseminates malware and ransomware. Nuclear can detect if antivirus software is running and, if found, it terminates the associated process as well as antivirus driver files. Security researchers at Trend Micro estimate the number of daily infected users spiked to 12,500 in May 2015 and the top three countries affected are Japan, the United States, and Australia.


RIG was discovered in 2014 and remains one of the most active exploit kits today. In February 2015, a security researcher from MalwareTech reported that an underground reseller leaked RIG’s source code after being banned from a hacker forum for trying to scam customers. However, on August 3, 2015, Trustwave reported that the author of the original RIG EK released an updated version, labeled RIG 3.0, which maintains the exploitation percentage of the previous version while vastly increasing the number of times it exposes victims to its landing page.


Sundown exploit kit (EK), also known as Beta, is not as sophisticated as other EKs and conducted limited activity in the first half of 2016, following the sudden drop-off in Angler and Nuclear EK activity. Sundown typically infects users through malvertising and was the first EK to exploit a vulnerability in Internet Explorer, CVE-2015-2444, in August 2015. By exploiting this vulnerability, attackers were able to inject an iframe into a legitimate website, redirecting users to an obfuscated landing page with the Sundown EK.


Stegano Exploit Kit (EK), also referred to as "Astrum," was discovered by ESET researchers in October 2016 targeting users in Canada, Britain, Australia, Italy, and Spain, likely chosen based on the advertising networks the perpetrators could abuse. In the latest campaign, the exploit kit spreads via malvertising by delivering malicious code hidden in the pixels of PNG images used for banner ads. The “Stegano” name comes from the word steganography – the technique of hiding content inside other content. The malicious code redirects users to an intermediary URL where the host server filters users.

Sweet Orange

Sweet Orange emerged in 2012 to fill the void left behind by the Blackhole EK after its author was arrested and it quickly rose in popularity among cybercriminals. Sweet Orange contains many of the same features as other variants, including a database that records a list of successful infections, statistics about various current exploits, and regular malware updating. It is also capable of evading and disabling sandboxes. Much like the author of Blackhole attempted to do, the Sweet Orange authors have devised ways to prevent the security community from obtaining the kit’s source code by minimizing advertising and brokering only to trusted buyers.


Terror exploit kit, also known as Neptune EK, was first detected in early December 2016 by researchers at Trustwave and Malwarebytes. It is poorly assembled, hosting its landing pages and exploits on the same server. This EK delivers all exploit packages to all users that visit the landing pages, a technique known as “carpet bombing,” instead of using filters to only target vulnerable users. As of December 2016, it exploited vulnerabilities in Internet Explorer, Adobe Flash, and Firefox, but the EK was pulled off the web shortly after posting.

SofosFO Exploit Kit


Sakura Exploit Kit


RedKit Exploit Kit


Popads Exploit Kit


Impact Exploit Kit


g01Pack Exploit Kit


Neutrino exploit kit


Nuclear exploit kit


Blackhole exploit kit


Rig exploit kit


FlashPack exploit kit


Fiesta exploit kit


Neosploit exploit kit