Fortinet: the definition and examples of exploit kits

In cybersecurity terminology, an exploit is a piece of code or program that takes advantage of vulnerabilities or flaws in software or hardware. An exploit is not malware, but rather a way to deliver malware such as ransomware or viruses. The purpose of exploits is to install malware or infiltrate and launch denial of service (DoS) attacks for example.

The recent exponential growth of computing devices, software advancements, and edge and cloud computing has resulted in a corresponding increase in vulnerabilities. Of course, cybercriminals like having more systems to attack with exploit kits.

What is an exploit kit?

Exploit kits (EK) are automated programs used by cybercriminals to exploit systems or applications. What makes an exploit kit very dangerous is its ability to identify victims while they are browsing the web. After targeting a potential victim’s vulnerabilities, attackers can download and execute the malware of their choice.

Review of how exploit kits work

Exploit kits work silently and automatically as they seek to identify vulnerabilities on a user’s machine while browsing the web. Currently, exploit kits are the preferred method for mass distribution of remote access tools (RATs) or malware by cybercriminals, especially those looking to make financial profit from an exploit.

EKs do not require victims to download any file or attachment. The victim simply navigates to a compromised website, and then that site extracts hidden code that attacks vulnerabilities in the user’s browser.

Events that must occur for an exploit kit attack to succeed include:

  • Target a compromised website, which will stealthily divert web traffic to another landing page

  • Running malware on a host, using a vulnerable application as a gateway

  • Send payload to infect host, if and when exploit succeeds

Examples of exploit kits

Below is a list of exploit kits that have been used by cybercriminals in the past:


In the mid-2010s, Angler was one of the most powerful and frequently used EKs that enabled zero-day attacks on Flash, Java, and Silverlight. According to The Register, “At its… peak, authors [of the Angler] were responsible for a whopping 40% of all exploit kit infections that compromised nearly 100,000 websites and tens of millions of users, generating some $34 million a year. »

Black hole

The origins of the Blackhole exploit kit date back to 2010. It was apparently cybercriminals’ favorite tool to execute drive-by downloads for more than three years until its perpetrator was arrested in 2013. After finding a site web that could be exploited, cybercriminals installed the Blackhole exploit kit and exposed visitors to Blackhole-powered attacks. The exploit kit then downloaded malware (often ransomware) onto visitors’ PCs, taking advantage of any browser, Java, or Adobe Flash plug-in vulnerabilities it found.


In 2014, the Fiesta exploit kit gained popularity after the Blackhole exploit kit declined due to its source code being leaked and its founder being arrested. Like previous EKs, Fiesta worked by compromising a vulnerable website. Once the website was compromised, visitors were redirected to Fiesta’s homepage controlled by cybercriminals. Then, different exploits based on the characteristics of the computer were uploaded.

flash pack

The Flashpack exploit kit was also popular with cybercriminals in 2014 when campaigns abused ad networks. Flashpack EK has been used to distribute various malware, including Zeus information-stealing malware, Dofoil Trojan, and Cryptowall ransomware.

Researchers found that Flashpack EK uses free advertisements to spread threats. One example: when users landed on a website that delivered malicious advertisements (malvertising), they were taken through multiple redirects to a Flashpack exploit kit page that delivered ransomware.


GrandSoft exploit kit was another malware-based threat that redirected unsuspecting users and installed password-stealing trojans, ransomware and clipboard hijackers on their machines. In 2019, GrandSoft EK was pushing Ramnit banking trojan that attempted to steal victims’ saved login credentials, online banking credentials, FTP accounts, browser history, site injections, and more.


In 2015, the HanJuan exploit kit was popular and helped cybercriminals facilitate malvertising attacks. It used fake advertisements and shortened URLs to trick users into landing on a web page containing a HanJuan EK targeting vulnerabilities in Adobe Flash Player (CVE-2015-0359) and Internet Explorer browser (CVE-2014-1776 ).


Another exploit kit that was popular in 2015 with cybercriminals was the Hunter EK, which initially targeted Brazilians via a phishing email. When the victim’s machine was seized, a variant of a Brazilian banking Trojan known generically as “Bancos” was launched. It was a Brazilian banking Trojan that used man-in-the-browser (MITB) techniques to steal banking credentials and other financial information.


The Magnitude exploit kit, like other EKs, is a framework hosted by malicious actors to target browser vulnerabilities, especially for Internet Explorer. Because IE’s popularity has changed, Magnitude exploit kits that target Microsoft’s browser have been much less active. Yet, as recently as 2019, cybercriminals were using Magnitude EK in specific geographic regions where IE had a significant market share, such as South Korea.

In the fall of 2021, safety week reported that Magnitude EK is “active” after “adding exploits for CVE-2021-21224 and CVE-2021-31956 to its arsenal”.


According to the Bank Info Security website, the Neutrino EK was “at one time [2016] ranked as one of the most popular exploit kits in the world. Also known as exploit packs, these tools allow anyone – no coding experience required – to launch large-scale campaigns designed to infect massive amounts of PCs with malware, turning them into nodes “zombies” in a botnet.”


The nuclear exploit kit was another favorite of cybercriminals in the mid-2010s. According to an April 2016 Ars Technica article, Nuclear EK had “a sophisticated multi-tiered server architecture, with a single master server providing automatic updates to “console” servers – the systems used by paying customers to access and customize their particular paid attack packages. . These console servers in turn maintain a rotating stock of landing pages delivered via malicious links, exploited web pages and malicious advertisements.”


In a November 2016 article on the ThreatPost site, the author states that at the time “the most prolific exploit kit was RIG, which filled a void left by the departure of Angler, Neutrino and Nuclear” . The post goes on to describe the “unique” way in which “the RIG exploit kit combines different web technologies such as DoSWF, JavaScript, Flash, and VBscript to obfuscate attacks.” Threat researchers add that “an RIG attack is a three-pronged attack strategy that leverages JavaScript, Flash, VBscript-based attacks as needed.”


End of 2016, safety weekpublished an article on its website about the Sundown exploit kit which used “a technique called steganography to hide its exploits in innocuous-looking image files”. The practice of hiding information in a file is now becoming “increasingly used by malicious actors, including malvertising campaigns”.

Analysis of Sundown EK incursions revealed that attackers were using PNG images to conceal various exploits, including those targeting vulnerabilities in Internet Explorer and Flash Player.

sweet orange

The Sweet Orange exploit kit was also popular with criminals in the mid-2010s. It targeted Windows operating systems Windows 8.1 and Windows 7 as well as Internet Explorer, Firefox, and Google Chrome web browsers. The authors of Sweet Orange EK attempted to block the security community from accessing the kit’s source code. To do this, they have restricted the posts on cybercrime-friendly web communities and sold the kit only to those with a reputation as a cybercriminal.

Learn more about the story

Today, older kits have been leaked and are publicly available. Attackers have taken these older kits and modified them to make them more resistant to new security detection strategies. Additionally, many of these kits are advertised for sale online. The attackers offer these kits for rent on these sites and offer support and update contracts to ensure that they work against future updates.

What should you do?

oh Protect your endpoints: Advanced, automated endpoint protection, detection and response.

oh Web Security: Protection against web threats hidden in encrypted or unencrypted traffic.

oh Internal segmentation: Segment network and infrastructure assets regardless of location, on-premises or across multiple clouds.

oh Zero Trust Access: As users continue to work from anywhere and IoT devices flood networks and operational environments, continuous verification of all users and devices as they access enterprise applications and data is required.

Learn how Fortinet’s Endpoint Security and Device Protection solutions protect every user and device on and off the network.

Comments are closed.