Disclaimer : I won't study this one in details. The global logic should not be far from The Styxy Cool or Styx itself. Once again just a "connecting some dots" post.
Since many months what i was mentally naming "Weird Styx" that was really similar to Kein/Styx Kein puzzled me.
|2013-01-22 - "a Weird Styx"|
This was as Styxy as an exploit kit can be...but not as randomized as Styx was.
Exploits were rotating really slowly as in Kein.
I would not be surprised if the coder of the exploits/scheme of Styx, Styxy Cool, Kein and Null Hole is the same.
|Null Hole - Login Page|
|Null Hole - 1 API Call (Used for instance by TDS to get the actual landing)|
|Null Hole - Raw Stats on one Thread|
|Null Hole - Partner management|
|Null Hole. A bunch of Sploits.|
Null Hole - Manage Clone (vhosts/proxies)
It was pushed in Both Nuclear Pack and Null Hole.
This is the Null Hole thread :
|Null Hole 2014-09-29|
The number of Victims of that thread : 770.
This Exploit Kit seems to be blinking. Used few weeks...disappear a month or two.
Here is a fresh pass (Thanks to : @robemtnez )
|Null Hole - 2014-11-17|
Here: Firing CVE-2014-0515 - 2014-0569 (Thx TimoHirvonen)
You'll find a Pcap from Brad here.
Weird Styx Styx Null Hole