Blog Archive

2020-02-28 › Choose Again.

This is the End. Read More ›

2019-01-16 › CVE-2018-15982 (Flash Player up to 31.0.0.153) and Exploit Kits

The CVE-2018-15982 is a bug that allows remote code execution in Flash Player up to 31.0.0.153 Read More ›

2018-05-25 › CVE-2018-8174 (VBScript Engine) and Exploit Kits

The CVE-2018-8174 is a bug that allows remote code execution via the VBScript Engine, spotted in the wild as a 0day at the end of April 2018, announced by Qihoo360 Read More ›

2018-03-09 › CVE-2018-4878 (Flash Player up to 28.0.0.137) and Exploit Kits

The CVE-2018-4878 is a bug that allows remote code execution in Flash Player up to 28.0.0.137, spotted in the wild as a 0day, announced by the South-Korean CERT on the 31st of January. Read More ›

2018-03-07 › The King of traffic distribution

Disclaimer: This post is hosted here as a courtesy to the author who prefers to remain anonymous. MDNC was not involved in any way with this study. Read More ›

2017-10-16 › CoalaBot: http Ddos Bot

A Ddos Bot advertised underground since August 2017. Read More ›

2017-03-02 › Bye Empire, Hello Nebula Exploit Kit.

While Empire (RIG-E) disappeared at the end of December after 4 months of activity, on 2017-02-17 an advert for a new exploit kit dubbed Nebula appeared underground. Read More ›

2017-01-06 › CVE-2016-7200 & CVE-2016-7201 (Edge) and Exploit Kits

CVE-2016-7200 & CVE-2016-7201 are vulnerabilities in the Chakra JavaScript scripting engine in Microsoft Edge. Reported by Natalie Silvanovich of Google Project Zero, those have been fixed in november 2016 (MS16-129) by Microsoft. Read More ›

2016-10-02 › RIG evolves, Neutrino waves goodbye, Empire Pack appears

About built-in TDS in exploit kit and Neutrino going private. Read More ›

2016-09-26 › Fox stealer: another Pony Fork

A stealer sold underground since August 2016 Read More ›

2016-07-14 › CVE-2016-0189 (Internet Explorer) and Exploit Kits

Spotted by Symantec in the wild patched with MS16-051 in may 2016, CVE-2016-0189 is now being integrated in Exploit Kits. Read More ›

2016-06-11 › Is it the End of Angler ?

Everyone looking at the DriveBy landscape is seeing the same : as Nuclear disappeared around April 30th, Angler EK has totally vanished on June 7th. We were first thinking about Vacation as in January 2016 or maybe Infrastructure move. But something else is going on. Read More ›

2016-05-21 › CVE-2016-4117 (Flash up to 21.0.0.213) and Exploit Kits

Discovered being exploited in the wild by FireEye [1] on May 8, 2016, patched 4 days later with Flash 21.0.0.242, CVE-2016-4117 is making its way to Exploit Kits. Read More ›

2016-05-15 › U-Admin (Universal Admin): A Phishing(Web&Android)/Grabber/ATS/Token kit

A multi-purpose Kit advertised underground since 2015-11-16 Read More ›

2016-04-14 › Bedep has raised its game vs Bot Zombies

Bedep could be described as a fileless loader with a resident module that can optionally perform AdFraud. It's intimate to Angler EK and appeared around August 2014. Read More ›

2016-04-08 › CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits

Spotted in a “degraded” version on the 2016-04-02 in Magnitude, live also since 2016-03-31 in Nuclear Pack Read More ›

2016-03-26 › CVE-2016-1001 (Flash up to 20.0.0.306) and Exploit Kits

Two weeks after Flash patch, two months after last Flash exploit integration in Angler, on the 2016-03-25 Angler EK, in some threads, is starting to send an exploit to Flash Player 20.0.0.270 and 20.0.0.306 Read More ›

2016-02-22 › CVE-2016-0034 (Silverlight up to 5.1.41105.0) and Exploit Kits

Fixed with the January 2016 Microsoft patches, CVE-2016-0034 ( MS16-006 ) is a Silverlight Memory Corruption vulnerability and it has been spotted by Kaspersky with rules to hunt Vitaliy Toropov’s unknown Silverlight exploit mentioned in HackingTeam leak. Read More ›

2016-02-10 › Cryptowall son of Borracho (Flimrans) ?

Lately I received multiple questions about connection between Reveton and Cryptowall. I decided to have a look. Read More ›

2016-01-25 › CVE-2015-8651 (Flash up to 20.0.0.228/235) and Exploit Kits

Angler has just integrated CVE-2015-8651 patched with Flash 20.0.0.270 on 2015-12-28 Read More ›

2015-12-21 › XXX is Angler EK

As I got many questions about an EK named XXX (that is said to be better than Angler ;) ) I decided to share some data here. Read More ›

2015-12-15 › CVE-2015-8446 (Flash up to 19.0.0.245) And Exploit Kits

One week after patch Flash 19.0.0.245 is being exploited by Angler EK via CVE-2015-8446 Read More ›

2015-12-01 › Nuclear Pack loads a fileless CVE-2014-4113 Exploit

CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability ) spotted in Nuclear Pack Read More ›

2015-11-28 › Inside Jahoo (Otlard.A ?) - A spam Botnet

Otlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response ) is a Spam Botnet Read More ›

2015-10-29 › CVE-2015-7645 (Flash up to 19.0.0.207) and Exploit Kits

The CVE-2015-7645 has been fixed with Adobe Flash Player 19.0.0.226. Spotted in the wild (2015-10-13) in APT28's exploit kit by TrendMicro, this exploit was already reported 2 weeks before (2015-09-29) to Adobe by Natalie Silvanovich. Read More ›

2015-10-15 › A DoubleClick https open redirect used in some malvertising chain

VirtualDonna group abusing https open redirect to drive traffic to Exploit-Kit Read More ›

2015-09-24 › Shifu <3 Great Britain

A shift in malware distribution in the UK. Read More ›

2015-08-31 › CVE-2015-5560 (Flash up to 18.0.0.209) and Exploit Kits

Patched with flash version 18.0.0.232, CVE-2015-5560 is now being exploited by Angler EK. Read More ›

2015-08-11 › CVE-2015-2419 (Internet Explorer) and Exploits Kits

As published by FireEye Angler EK is now exploiting CVE-2015-2419 fixed with MS15-065 Read More ›

2015-07-21 › CVE-2015-1671 (silverlight up to 5.1.30514.0) and Exploit Kits

Patched with ms15-044 CVE-2015-1671 is described as TrueType Font Parsing Vulnerability. Silverlight up to 5.1.30514.0 are affected Read More ›

2015-07-11 › CVE-2015-5122 (HackingTeam 0d two - Flash up to 18.0.0.203) and Exploit Kits

Another 0d ( Patch expected in the coming week) was part of the files leaked from the HackingTeam compromission. Read More ›

2015-07-08 › CVE-2015-5119 (HackingTeam 0d - Flash up to 18.0.0.194) and Exploit Kits

As we are all aware, a 0d (for which a patch is expected tomorrow) was part of the files leaked from the HackingTeam compromission. Read More ›

2015-07-05 › A fileless Ursnif doing some POS focused reco

Malware doing some reco from memory Read More ›

2015-07-03 › Kovter AdFraud is updating Flash Player (and Internet Explorer)

Kovter is updating flash player on infected computer since end of June 2015 Read More ›

2015-06-28 › CVE-2015-3113 (Flash up to 18.0.0.160) and Exploit Kits

Patched four days ago (2015-06-23) with Flash 18.0.0.194, the CVE-2015-3113 has been spotted as a 0day by FireEye, exploited in limited targeted attacks. It's now making its path to Exploit Kits Read More ›

2015-06-16 › CVE-2015-3104/3105 (Flash up to 17.0.0.188) and Exploit Kits

Spotted by TrendMicro, Magnitude is now exploiting CVE-2015-3105 patched with Flash 18.0.0.160 Read More ›

2015-06-08 › Fast look at Sundown EK

There is nothing worth a post there...except mentionning this EK is around. Read More ›

2015-05-27 › CVE-2015-3090 (Flash up to 17.0.0.169) and Exploit Kits

As spotted by FireEye Angler EK is now exploiting CVE-2015-3090 patched with Flash 17.0.0.188 Read More ›

2015-05-25 › On the other side of CTB-Locker : the Affiliate server.

A look at the CTB panel from an affiliate point of view. Read More ›

2015-05-22 › An Exploit Kit dedicated to CSRF Pharming

A look at a Malvertising driving traffic to a "Router Exploit-Kit" Read More ›

2015-05-12 › Another look at Niteris : post exploitation WMI and Fiddler checks

In this post we'll see some of the improvements that have been brought to Niteris. Read More ›

2015-04-24 › CVE-2015-0359 (Flash up to 17.0.0.134) and Exploit Kits

As spotted by FireEye on 2015-04-17, Angler EK is now taking advantage of a vulnerability patched with the last version of Flash Player ( 17.0.0.169 ) Read More ›

2015-03-20 › CVE-2015-0336 (Flash up to 16.0.0.305) and Exploit Kits

As reported by Malwarebytes and FireEye, Nuclear Pack is now taking advantage of a vulnerability patched with the last version of Flash Player ( 17.0.0.134 ) Read More ›

2015-03-04 › New crypto ransomware in town : CryptoFortress

Yet another crypto-ransomware appeared in the wild. Read More ›

2015-02-11 › CVE-2015-0313 (Flash up to 16.0.0.296) and Exploit Kits

Reported by TrendMicro (2015-02-02), fixed with Adobe Flash Player 16.0.0.305, the code to exploit CVE-2015-0313 has been introduced in Hanjuan Exploit Kit at beginning of december 2014. Read More ›

2015-02-05 › Reveton's design refreshed - Winter 2015

Those days Reveton is mainly pushed on adult traffic via “standalone” CVE-2015-0311 flash (posing as advert) calling an Xtea encoded stream. After not far from 2 years with the same design it's now showing some fresh clothes. Read More ›

2015-01-29 › CVE-2015-0311 (Flash up to 16.0.0.287) integrating Exploit Kits

Patched with Flash 16.0.0.296 the CVE-2015-0311 has been first seen exploited by Angler EK ( 2015-01-20 ) , soon after used in "standalone" mode in huge malvert campaign Read More ›

2015-01-21 › Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK

Angler EK spotted exploit unpatched vulnerability in Flash Player Read More ›

2015-01-16 › CVE-2015-0310 [Not ! CVE-2014-9162/CVE-2014-9163] (Flash 15.0.0.242 and below) integrating Exploit Kits

I couldn't write about it earlier but this is not CVE-2014-9162/9163. It's CVE-2015-0310 which was an unpatched bug in Flash Player but as coder were not aware it seems (not fired to Flash > 15.0.0.242) this post was leaved untouched. Read More ›

2015-01-13 › Guess who's back again ? Cryptowall 3.0

And almost two months after last sample, Cryptowall is back. Read More ›

2015-01-10 › Inside Android LockOut System aka PornDroid

A look inside a Koler (Android Ransomware) Panel Read More ›

2014-12-28 › Critroni += NL and IT += DE += ES

Critroni/CTB Locker is adding support for more languages Read More ›

2014-11-23 › Call me Null Hole maybe ?

A quick look at yet another Exploit-Kit : Null Hole. Read More ›

2014-11-21 › CVE-2014-6332 (Internet Explorer) and Exploits Kits

The first encounter was in the Sweet Orange from the actor pushing DarkShell via KR compromised website. Read More ›

2014-11-21 › Neutrino : The come back ! (or Job314 the Alter EK)

In September a post from Alter appeared on underground. He was searching for traffic to test an exploit kit he was building. Read More ›

2014-11-20 › CVE-2014-8440 (Flash up to 15.0.0.189) and Exploit Kits

Once again that's fast. Nine day (or less?) after patch the vulnerability is being exploited in blind mass attack. Read More ›

2014-10-28 › The worst of Windows "Police Locker" is also available on Android

Koler using sick method to try and get payment. Read More ›

2014-10-21 › CVE-2014-0569 (Flash Player) integrating Exploit Kit

A proof of concept (for Flash 14.0.0.145) of a heap-based buffer overflow patched on September 9th, was published on September 30th on Packet Storm . Code targeting that CVE is now in Nuclear Pack. Read More ›

2014-10-02 › CVE-2013-7331/CVE-2015-2413 (onload variant) and Exploit Kits

As we can see more and more of those "XMLDOM" checks in exploit kits i decided to write here some of the checks spotted. Read More ›

2014-09-14 › Say Hello to Astrum EK

A look at an undocumented Exploit-Kit Read More ›

2014-08-31 › Angler EK : now capable of "fileless" infection (memory malware)

Angler EK is able to infect an host without writing the malware on the drive Read More ›

2014-08-06 › A ScarePakage variant is targeting more countries : impersonating Europol and AFP

ScarePackage is advertised on underground since beginning of July as "Android Locker" by the seller of a fork of Titan Read More ›

2014-07-18 › "Crypto Ransomware" CTB-Locker (Critroni.A) on the rise

Advertised since middle of june on Underground, CTB-Locker (Curve-Tor-Bitcoin Locker) is flagged Critroni.A by Microsoft. Read More ›

2014-07-15 › SkyShare : Evolution Mining Botnet System

A look at SkyShare: a botnet advertised underground since January 2014. Read More ›

2014-07-10 › Bye Bye Flash EK ? (and Windigo group adapting)

Some days ago researchers following closely the exploit kit landscape started to notice some problem on Flash EK Read More ›

2014-07-07 › From Alureon/Wowliks to Poweliks botnet (distribution in Affiliate mode)

A look at Poweliks distribution and stats Read More ›

2014-06-21 › BotnetKernel (MS:Win32/Phdet.S) an evolution of BlackEnergy

BotnetKernel an evolution of BlackEnergy Ddos botnet Read More ›

2014-06-19 › Titan Browlock System

Browlock are around since past summer. It's mainly advertised in Affiliate mode but Titan Browlock was sold as a Kit. Read More ›

2014-06-18 › Neutrino Bot (aka MS:Win32/Kasidet)

Advertised on underground by n3utrino since december 2013 Neutrino Bot is another “HTTP stress testing tool”, read DDos Bot. Read More ›

2014-06-12 › MBAE (Malwarebytes Anti-Exploit) vs All EKs (Exploit Kits)

Sturying an undocumented Exploit-Kit mainly focused on Russia Read More ›

2014-06-07 › CVE-2014-0515 (Flash 13.0.0.182 and earlier) integrating Exploit Kits

Discovered by Kaspersky in April in watering hole attack, soon after used in operation targeting Banking information in Japan/Korea by Symantec, reached Exploit DB at begining of may, then in malwertising tied to Brazil 2014 by Spiderlabs, the code targeting CVE-2014-0515 (Flash 13.0.0.182 and earlier) has find its way to Exploit Kits. Read More ›

2014-06-04 › Simplocker : The Advert

Sharing the advert of this new “Cryptolocker” for #Android OS devices Read More ›

2014-05-10 › SevPod : The Waledac (Spambot.Kelihos) Affiliate by Severa

A look inside the Kelihos affiliate Panel Read More ›

2014-05-04 › Police Locker land on Android Devices

The “Reveton team” has diversified its locking activity. The advert is old (2014-02-18) but i decided to write about it today as I found a TDS using almost all features proposed by this affiliate including the android locker. Read More ›

2014-04-27 › BlackHat-TDS (v1.4)

In middle of December 2013, XShaman started to advertised a new TDS: BlackHat-TDS a remake of Ninja TDS Read More ›

2014-04-13 › Communizm : the Ramdo/Redyms Affiliate

A look at the Redyms affiliate: Communizm Read More ›

2014-04-01 › Angler "April Fish"

The impossible path Read More ›

2014-03-24 › CVE-2014-0322 integrating Exploit Kits

CVE-2014-0322 appeared reached the Exploit-Kit market with Fiesta Read More ›

2014-02-27 › CVE-2014-0497 (Flash up to 12.0.0.43) integrating Exploit Kits

Twenty-two days after patch, Angler EK is introducing today a new Flash Exploit: CVE-2014-0497 Read More ›

2014-02-06 › And real name of Magnitude is....

Associating Magnitude to Underground discussions Read More ›

2014-02-02 › CVE-2013-5330 (Flash) in an unknown Exploit Kit fed by high rank websites

Redirection on eHow and Livestrong to an undocumented Exploit-Kit Read More ›

2014-01-30 › Icepol ? Urausy via Opener XXX : a subaffiliate of BestSoft/BestAV

A look at an Urausy sub-Affiliate Read More ›

2014-01-27 › Grandclix - a Clicksor Traffic Reseller...

A look at a traffic seller operation Read More ›

2014-01-15 › CVE-2013-3918 (IE) integrates exploit Kits

On november 8, 2013 FireEye reported a new IE Zero-Day. The exploit appeared for sale on underground on the 2013-12-20 Read More ›

2013-12-24 › CVE-2013-5329 integrated in Exploit Kits

CVE-2013-5329 has been patched on 2013-11-12. Angler won't try to exploit Flash 11.9.900.152 and 170. Read More ›

2013-12-17 › Nitmo ? No ! ... just "iBanking" used by a (the?) Neverquest/Vawtrak team

iBanking appeared underground in october 2013 Read More ›

2013-12-07 › One ...random...Gameover Zeus Team Pony sample Story

Share some intel on the sample pointed by SpiderLabs in the “Moar Pony” FAQ. Read More ›

2013-12-04 › Reveton planting "evidences" on "the crime scene"

Reveton is dropping images on victims computer Read More ›

2013-11-17 › MagicTraffic : a look inside a Zaccess/Sirefef affiliate

A look at the panel of a Zaccess affiliate Read More ›

2013-11-13 › CVE-2013-0074/3896 (Silverlight) integrates Exploit Kits

A silverlight exploit is being integrated into Exploit Kits. Read More ›

2013-11-06 › Inside a (The?) Simda Affiliate : Партнёрка Podmena (formerly Chesto)

Simda being distributed in Affiliate mode can be found via many different infection vectors. Read More ›

2013-11-01 › CVE-2013-2551 and Exploit Kits

This vulnerability has been exploited during Pwn2Own 2013 by VUPEN the 2013-03-07 Read More ›

2013-10-26 › Magnitude EK : Pop Pop !

Magnitude is a community name choosen for an Exploit Kit previously referred to as “Popads”. Read More ›

2013-10-23 › Big Andromeda Campaign back on track. From Sweet Orange to Neutrino

A huge campaign fuelled by compromised website is back alive and switched to Neutrino EK Read More ›

2013-10-21 › Kovter becomes even more abominable . Also add new targets.

Kovter is following Revoyem's path. Double shock on victims and new targeted countries. Read More ›

2013-10-20 › Jolly Roger Stealer - Stoberox.B(?)/Zlader.F

A new stealer is advertised underground since 2013-10-04 Read More ›

2013-10-15 › Urausy is going Regional in United States

From Country specific Urausy design are now moving down to the State level. Read More ›

2013-10-14 › Meet Madness Pro or Few days rise of a Ddos Botnet

A freshly advertised Ddos Botnet being deployed via Angler EK Read More ›

2013-10-11 › Paunch's arrest...The end of an Era !

If you are reading this you already know that Paunch, the coder behind Blackhole, has been arrested. Read More ›

2013-10-10 › Late Disclosure - Darkleech Actors /Home/ - some numbers

A peek inside the huge blackhole spreading Nymaim Read More ›

2013-10-08 › Flimrans Affiliate : Borracho

In middle of may a new Ransomware appeared pushed in a new Exploit Kit dubbed Flimkit. Read More ›

2013-10-02 › HiMan Exploit Kit. Say Hi to one more.

A look at another undocumented Exploit-Kit: Himan. Read More ›

2013-09-21 › Cookie-Bomb : The "Северная Сказка" Iframer way

The TDS/Iframer behind many redirection from compromised website Read More ›

2013-09-20 › jre7u21 and earlier Click-2-Play Warning Bypass integrating Exploit Kits

CVE-2013-2460 and 2472 are now being used by Exploit-Kits with a Warning Bypass Read More ›

2013-09-12 › Revoyem goes international - shocking distribution....

The dirty Revoyem (aka DirtyDecrypt) ransomware seems to have appeared at the end of March 2013 and was targeting Germany and Great Britain only. It looks like they are now going international and are really aggressive in the way they distribute it. Read More ›

2013-09-09 › Finally ! Here is ... GrandSoft Private SploitPack !!

StampEK/SofosFO == GrandSoft! Read More ›

2013-08-25 › Prism themed ransomware - Kovter evolution

Kovter using a Prism theme Read More ›

2013-08-15 › CVE-2013-2465/CVE-2013-2471/CVE-2013-2463 integrating Exploit Kits -- jre7u21 CVE- jre6u45 and earlier

Two days after disclosure, CVE-2013-2465 is starting to be integrated in Exploit Kits. Read More ›

2013-08-01 › Cbeplay.P History - increased activity fuelled by a Youtube Malvertising - Voice from Google Translate

Huge malvertising on Youtube spreading Cbeplay. A look at its distribution history Read More ›

2013-07-28 › Urausy Ransomware - July 2013 Design Refresh - "Summer 2013 Collection"

Urausy, the Ransomware spread by BestAV Affiliate, is showing new clothes since middle of july 2013 Read More ›

2013-07-05 › "Private Exploit Pack" - new BEP featuring CVE-2013-1347

Since end of may “imposition” is advertising on underground forum a new browser exploit pack that come with name “Private Exploit Pack”. Read More ›

2013-07-01 › A "Styxy" Cool EK !

Since 10 days a new Exploit-Kit appeared. Pushing reveton, many IP, same kind of domain name than THE Cool EK. Read More ›

2013-06-29 › Blackhole Exploit Kit goes 2.1.0, shows new URL Patterns

Версия 2.1.0 advertised underground and appearing in the wild Read More ›

2013-06-01 › Silence Exploit Kit new brows.....oh wait !

A “new” Exploit Kit is advertised since one month underground. Read More ›

2013-05-29 › The missing link - Some lights on "Urausy" affiliate

A look at the Urausy Affiliate Read More ›

2013-05-21 › Unveiling the Locker Bomba (aka Lucky Locker v0.6 aka Lyposit/Adneukine )

On the 10th of may was advertised on underground forum by bomba_service a new Ransomware in Affiliate mode. Read More ›

2013-05-19 › Inside Styx Sploitpack 4.0 - Exploit Kit Control Panel

A look inside Styx 4.0 Read More ›

2013-05-07 › Inside RDPxTerm (panel 5.1 - bot 4.4.2) aka Neshta C&C - Botnet control panel

Advertised on underground forum since 2013-03-27 by “ReV” Read More ›

2013-04-23 › CVE-2013-2423 integrating Exploit Kits

One week after Patch Java7u21 the vulnerability is being exploited in mass blind attack. Read More ›

2013-04-21 › Meet Safe Pack (v2.0)... Again :)

A “new” pack is advertised on underground. Thanks Kahu Security for locating and providing initial image of the advert. Read More ›

2013-04-06 › Urausy Ransomware - Arab world targeted

Urausy is now targeting Middle East with cashU as payment system. Read More ›

2013-04-02 › Reveton "Spring Collection" is ... disappointing - New countries Targeted

The big news is in fact that South America is now a potential target for Cool EK and Reveton Read More ›

2013-03-29 › Ransomware - Kovter : looking at your browsing history for more credibility

A new ransomware appeared: Kovter Read More ›

2013-03-09 › CVE-2013-1493 (jre17u15 - jre16u41) integrating Exploit Kits

That was fast (4 days after patch). After CVE-2013-0634 (flash), it's now CVE-2013-1493 that reaches Cool Exploit Kit Read More ›

2013-03-07 › Hello Neutrino ! (just one more Exploit Kit)

A new exploit kit is being advertised since yesterday on underground forum : Neutrino. Read More ›

2013-03-06 › CVE-2013-0634 (Adobe Flash Player) integrating Exploit Kits

After being reported by Eric Romang on Gong Da Exploit Pack, it's now part of the Cool Exploit kit owned by a group pushing Reveton. Read More ›

2013-02-23 › Popads add Social Engineering : Self-Generated fake cert on jar applet

I first thought it was a 0day Read More ›

2013-02-21 › CBeplay.P : Now target Australia and moved to server side localization

The VMaware CBeplay.P is moving. Read More ›

2013-02-20 › CVE-2013-0431 (java 1.7 update 11) ermerging in Exploit Kits

Soon after Oracle released Java 7 Update 11, fixing exploit widely used (CVE-2013-0422), Adam Gowdiak warned on Full Disclosure about successful security sandbox bypass via a bug in MBeanInstantiator. Read More ›

2013-02-18 › Reveton: Winter Collection II - Design refresh, ICE and EC3 logo

One week ago Urausy refreshed their design. So is doing Reveton team with lighter ones. Read More ›

2013-02-09 › Urausy: Colorfull design refresh (+HR) & EC3 Logo

First spotted by Tachion and soon after seen by Malekal, Urausy is now showing its new clothes. Read More ›

2013-02-08 › Cbeplay.P targets US and AT, now talks to UK Citizens

The second group to have subscribe for Cool EK is pushing a ransomware dubbed by Microsoft: CBeplay.P Read More ›

2013-02-07 › Inside Multi-Botnet ver.4 c&c Panel

On the 25-01-2013 FretLine announced a new version of his Multi Locker Read More ›

2013-02-04 › Briefly wave WhiteHole Exploit Kit hello...

After Nice Pack, Cool EK, Blackhole, Red Dot, Sweet Orange... Anyone, show me where is the Exploit Kit name generator. Read More ›

2013-01-26 › New bullets (CVE-2012-0775 - CVE-2012-1889 - CVE-2012-1876(?) - CVE-2012-4792) in "Cool EK" Weapon

Once again guys behind the Cool EK are using (or trying to use) bullets never seen before in blind mass attack. Read More ›

2013-01-20 › Meet "Red Dot exploit toolkit"

A new Exploit-Kit advertised since Dec 21, 2012 on underground forum by user reddot Read More ›

2013-01-10 › 0 day 1.7u10 (CVE-2013-0422) spotted in the Wild - Disable Java Plugin NOW !

Cool EK using a 0day in the wild Read More ›

2012-12-28 › Juice the Sweet Orange - 2012-12

Sweet Orange landings have changed around the 15th of December. Read More ›

2012-12-22 › Crossing the Styx ( Styx Sploit Pack 2.0 ) - Meet CVE-2012-4969 via JS heapspray

No need to go on underground forum to find Styx Sploit Pack. The Styx-Crypt guys are selling their services publicly. Read More ›

2012-12-21 › Reveton - Winter Collection

Winter is coming, so is Reveton's Winter Collection. Read More ›

2012-12-18 › Big update for Cool EK

Cool EK is mutating Read More ›

2012-12-13 › Inside Impact Exploit Kit - back on track(?)

A look at Impact EK Read More ›

2012-12-12 › Carberp, the renaissance (?)

Two days ago an advert for Carberp appeared underground. Read More ›

2012-12-05 › The path to infection - Eye glance at the first line of "Russian Underground" - focused on Ransomware

One year since I started “active” actions in understanding what is on the other side of malware/mass infection campaign. Will share in one picture how i figure things. Read More ›

2012-11-29 › Inside view of Lyposit aka (for its friends) Lucky LOCKER

The Lyposit Ransomware appeared wild in second week of September 2012. Read More ›

2012-11-27 › Meet ProPack Exploit Pack - yes that's a lot of pack

ProPack, a new Exploit-Kit on the market Read More ›

2012-11-24 › Upas Kit (aka Rombrast) integrates webinjects

Upas ads Webinjects to its arsenal. Read More ›

2012-11-23 › Reveton can speak now !

After Silence Winlocker integrating sound, now Reveton will also speak to you Read More ›

2012-11-22 › Multi Locker (+updated ver.3) - Brief History and Inside view

There are many “locker kit” available in the underground. Most active seems to be Silence WinLocker, ZOIE and a new comer fast updating: Multi Locker Read More ›

2012-11-17 › CVE-2012-5076 - Massively adopted - Blackhole update to 2.0.1

CVE-2012-5076 is being adopted in a massive and fast way. Read More ›

2012-11-12 › Meet CritXPack (Previously Vintage Pack)

It was named Vintage Pack. Read More ›

2012-11-09 › Cool EK : “Hello my friend...” CVE-2012-5076

Cool Exploit-Kit integrated a new exploit: CVE-2012-5076 Read More ›

2012-10-29 › Reveton += HU, LV, SK, SI, TR (!), RO - So spreading accross Europe with 6 new Design

The guys behind the Reveton “Police Ransomware” are really active. Read More ›

2012-10-18 › Stamp EK (aka SofosFO) now showing "Blackhole 2.0 Like" landing pages

Stamp EK (now identified as GrandSoft) is showing new landing pattern Read More ›

2012-10-12 › Reveton Autumn Collection += AU,CZ, IE, NO & 17 new design

Reveton dressing from its C&C with a new “Autumn Collection” and is targeting at least 4 new countries : AU,CZ, IE & NO Read More ›

2012-10-09 › Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop

Sudying the reverse proxies from Reveton's Team blackhole, a new Exploit-Kit was found. Read More ›

2012-10-04 › Update to Citadel : 1.3.5.1 Rain Edition.

A new version of Citadel has been announced : 1.3.5.1 Rain Edition. Read More ›

2012-09-27 › Redkit : No more money ! Traffic US, CA, GB, AU

You can't pay with money anymore for this “Exploit Kit as a Service”. Read More ›

2012-09-23 › Behind the Captcha or Inside Blackhole Exploit Kit 2.0 - Exploit Kit Administration Panel

A look inside Blackhole Exploit Kit 2.0 Read More ›

2012-09-22 › Urausy has big plan for Europe - Targeting 3 new countries among which Norway!

Urausy is now showing dedicated clothes to 3 new countries: GR, DK, and NO. Read More ›

2012-09-20 › From Sakura to Reveton via Smoke Bot - Or a Botnet Distribution of Reveton

Reveton as a 2nd stage from Smokebot Read More ›

2012-09-19 › Ransomware Casier - Sharing Design with Lyposit - Gaelic & Persian (?)

The Ransomware Casier has new clothes and it looks like the way affiliates are managed has changed too. Read More ›

2012-09-15 › Urausy improving its localization - A (the?) Gaelic Ransomware with Interpol impersonation as default landing

Urausy first appear at the end of July. It was just another Reveton “Me too”. Read More ›

2012-09-14 › 1940 IPs for a BHEK/ULocker server - Nexcess-Net

We all remember the hack of Cryptome.org back in February 13th 2012, redirecting 2900 visitors to a “/Home/” Blackhole Exploit kit. Read More ›

2012-09-13 › Fast look at an infection by a Blackhole Exploit Kit 2.0

Checking pattern from Blackhole Exploit Kit 2.0 Read More ›

2012-09-12 › Blackhole Exploit Kits update to v2.0

BlackHole exploit Kit 2.0 advert appeared underground. Read More ›

2012-08-30 › CVE-2012-4681 - Redkit Exploit Kit - I want Porche Turbo

Not making the headlines but yet effective, the Redkit Exploit Kit has also integrated the last Vulnerability from java. Read More ›

2012-08-30 › CVE-2012-4681 - Связка Sweet Orange

Sweet-Orange integrating last java exploit Read More ›

2012-08-29 › CVE-2012-4681 - On its way to Sakura Exploit Kit too

Sakura integrates the last java exploit. Read More ›

2012-08-28 › Java 0day ( CVE-2012-4681) Update available for Blackhole Exploit Kit owner

According to a post of Paunch, the Blackhole creator, the actual java 0 day (CVE-2012-4681) is available for Blackhole owner since yesterday evening. Read More ›

2012-08-18 › Ransom.II - UGC payment for USA - Windows Genuine impersonation for DE

Ransom.II introduced new designs two days ago for DE and USA. Read More ›

2012-08-16 › Inside Upas Kit (1.0.1.1) aka Rombrast C&C - Botnet Control Panel

In middle of june a new botnet was advertised on underground forum as Upas Kit. Bot is recognized by Microsoft in Win32/Rombrast familly Read More ›

2012-08-11 › Lost in design - Tobfy

The Ransomware Tobfy is back in town. After an attempt to create a new design targeting many countries, the project seems to have been canceled. Read More ›

2012-07-31 › Update to Blackhole Exploit Kits: v1.2.5

вышла версия 1.2.5 Read More ›

2012-07-29 › Inside Citadel 1.3.4.5 C&C & Builder - Botnet Control Panel

First look at a Citadel Panel Read More ›

2012-07-22 › Inside Blackhole Exploits Kit v1.2.4 - Exploit Kit Control Panel

A look at the BHEK v1.2.4 Panel Read More ›

2012-07-21 › Gimemo finally targeting USA with Camera Feature too

Two moves for Gimemo : - Camera Feature (as : Reveton and Tobfy)and USA targeted Read More ›

2012-07-05 › CVE-2012-1723 on BH EK

Bot recognized by Microsoft as : Worm:Win32/Gamarue Read More ›

2012-06-27 › Inside Pony 1.7 / Fareit C&C - Botnet Control Panel

First look instide the Pony Stealer Panel Read More ›

2012-06-22 › Redkit - one account = one color

There is brain behind the Redkit Exploit Kit. Read More ›

2012-06-20 › Ransomware : Keep smiling ! You're on camera...again - Tobfy new landings

Following Reveton's move, it's now Tobfy which is including Camera feature (Flash Plugin)...and a default landing page trying to mimic Interpol. Read More ›

2012-06-14 › Ransomware : Smile you're on camera - Reveton.C new landing pages

Reveton is since few days being spread in a new version tagged by Microsoft as revision C. To be more persuasive in the ransom process there is now a “video recording : On” feature. Read More ›

2012-06-11 › Update to Citadel : v.1.3.4.5

A new version of Citadel has been announced : v1.3.4.5 “Summer Edition” Read More ›

2012-05-16 › Gimemo wants to play in the big league

Gimemo is adding seven geo-differentiated designs Read More ›

2012-05-08 › #Redkit not so red anymore - Adaptation in action

A look inside RedKit Read More ›

2012-04-28 › Inside Smoke Bot - Botnet Control Panel

A look inside Smoke Bot Read More ›

2012-04-28 › Update to Citadel : v1.3.4.0

A new version of Citadel has been announced : v1.3.4.0 Read More ›

2012-04-14 › Inside Phoenix Exploit's Kit 3.1 - Exploit Kit Control Panel

A look inside Phoenix Exploit Kit Read More ›