Spotted by Symantec in the wild  patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kit.

Neutrino Exploit Kit :
Here 2016-07-13 but i am being told that i am late to the party.
It's already [CN] documented here

Neutrino after ScriptJS redirector dropping Locky Affid 13- 2016-07-13


Flash sample in that pass : 85b707cf63abc0f8cfe027153031e853fe452ed02034b792323eecd3bc0f7fd
(Out of topic payload : 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18 - Locky Affid 13 )


Thanks to Malc0de for invaluable help here :)

Files Here: Neutrino_CVE-2016-0189_160714 (Password is malware - VT Link)

Sundown :
Some evidence of CVE-2016-0189 being integrated in Sundown were spotted on jul 15 by @criznash
On the 16th I recorded a pass where the CVE-2016-0189 had his own calls :

Sundown exploiting CVE-2016-0189 to drop Smokebot on the 2016-07-16
(Out of topic payload :  61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1 beaconing to : vicolavicolom.com | 185.93.185.224 )
Files : Sundown_CVE-2016-0189_160716 (password is malware)


Edits :
2016-07-15 a previous version was stating CVE-2015-5122 for nw23. Fixed thanks to @dnpushme
2016-07-20 Adding Sundown.

Read More :
Patch Analysis of CVE-2016-0189 - 2016-06-22 - Theori
Neutrino EK: fingerprinting in a Flash - 2016-06-28 - Malwarebytes

Post publication Reading :
Exploit Kits Quickly Adopt Exploit Thanks to Open Source Release - 2016-07-14 - FireEye
Loading