MDNC | Malware don't need Coffee
Kafeine
@kafeine
Inside RedKit Exploit Kit - Exploit Kit Customer Control Panel
- 2012-05-25 - MDNC -
Kafeine
Redkit
CVE-2012-4681 - Sweet Orange Bundle
- 2012-08-30 - MDNC -
Kafeine
Sweet Orange
Cool Exploit Kit - A new Browser Exploit Pack on the Battlefield with a "Duqu" like font drop
- 2012-10-09 - MDNC -
Kafeine
Cool
Stamp EK (aka SofosFO) now showing "Blackhole 2.0 Like" landing pages
- 2012-10-18 - MDNC -
Kafeine
GrandSoft
Meet CritXPack (Previously Vintage Pack)
- 2012-11-12 - MDNC -
Kafeine
FlashPack
CVE-2011-3544
CVE-2012-5076 - Massively adopted - Blackhole update to 2.0.1
- 2012-11-17 - MDNC -
Kafeine
CVE-2012-5076
BlackHole
Sweet Orange
Sakura
Redkit
Inside Impact Exploit Kit - back on track(?)
- 2012-12-13 - MDNC -
Kafeine
Impact
Sakura
CVE-2012-5076
Crossing the Styx ( Styx Sploit Pack 2.0 )
- 2012-12-22 - MDNC -
Kafeine
Styx
CVE-2011-3544
Juice the Sweet Orange
- 2012-12-28 - MDNC -
Kafeine
Sweet Orange
CVE-2012-5076
Hello Neutrino ! (just one more Exploit Kit)
- 2013-03-07 - MDNC -
Kafeine
Neutrino
Ransomware - Kovter : looking at your browsing history for more credibility
- 2013-03-29 - MDNC -
Kafeine
Kovter
Meet Safe Pack (v2.0)... Again :)
- 2013-04-21 - MDNC -
Kafeine
FlashPack
Inside Styx Sploitpack 4.0 - Exploit Kit Control Panel
- 2013-05-19 - MDNC -
Kafeine
Styx
A "Styxy" Cool EK !
- 2013-07-01 - MDNC -
Kafeine
Cool
Styx
"Private Exploit Pack" - new BEP featuring CVE-2013-1347
- 2013-07-05 - MDNC -
Kafeine
Private Exploit Pack
CVE-2011-3544
Prism themed ransomware - Kovter evolution
- 2013-08-25 - MDNC -
Kafeine
Kovter
Finally ! Here is ... GrandSoft Private SploitPack !!
- 2013-09-09 - MDNC -
Kafeine
GrandSoft
CVE-2011-3544
HiMan Exploit Kit. Say Hi to one more.
- 2013-10-02 - MDNC -
Kafeine
Himan
CVE-2011-3544
Meet Madness Pro or Few days rise of a Ddos Botnet
- 2013-10-14 - MDNC -
Kafeine
Madness
Cool
Kovter becomes even more abominable. Also add new targets.
- 2013-10-21 - MDNC -
Kafeine
Kovter
Magnitude EK : Pop Pop !
- 2013-10-26 - MDNC -
Kafeine
Magnitude
And real name of Magnitude is....
- 2014-02-06 - MDNC -
Kafeine
Magnitude
BlackHat-TDS (v1.4)
- 2014-04-27 - MDNC -
Kafeine
BlackHat TDS
Meet Niteris EK (formerly known as CottonCastle)
- 2014-06-09 - MDNC -
Kafeine
Niteris
Buhtrap
Say Hello to Astrum EK
- 2014-09-14 - MDNC -
Kafeine
Astrum
CVE-2014-0569 (Flash Player) integrating Exploit Kit
- 2014-10-21 - MDNC -
Kafeine
CVE-2014-0569
Chthonic
Fiesta
Angler
Astrum
Sweet Orange
FlashPack
RIG
Magnitude
KovCoreG
Kovter
Neutrino : The come back ! (or Job314 the Alter EK)
- 2014-11-21 - MDNC -
Kafeine
Neutrino
CVE-2014-6332
CVE-2014-0569
Necurs
CVE-2015-0310 (Flash 15.0.0.242 and below) integrating Exploit Kits
- 2015-01-16 - MDNC -
Kafeine
CVE-2015-0310
Angler
Illustration : @engageBDR feeds Hanjuan which deploys bedep via CVE-2015-0313 cc @TrendLabs @Malwarebytes
- 2015-02-03 - Twitter -
Kafeine
CVE-2015-0313
Hanjuan
Another look at Niteris : post exploitation WMI and Fiddler checks
- 2015-05-12 - MDNC -
Kafeine
Niteris
Nuclear
CVE-2014-0569
CVE-2014-6332
An Exploit Kit dedicated to CSRF Pharming
- 2015-05-22 - MDNC -
Kafeine
DNSChanger
Fast look at Sundown EK
- 2015-06-08 - MDNC -
Kafeine
Sundown
CVE-2014-6332
CVE-2014-0569
CVE-2015-0313
A fileless Ursnif doing some POS focused reco
- 2015-07-05 - MDNC -
Kafeine
RecoLoad
Angler
Shifu <3 Great Britain
- 2015-09-24 - MDNC -
Kafeine
Shifu
VirtualDonna
Angler
A DoubleClick https open redirect used in some malvertising chain
- 2015-10-15 - MDNC -
Kafeine
VirtualDonna
Angler
Inside Jahoo (Otlard.A ?) - A spam Botnet
- 2015-11-28 - MDNC -
Kafeine
Otlard
VirtualDonna
Angler
Nuclear
ProxyBack
Ramnit
The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK
- 2015-12-15 - Proofpoint -
Kafeine
GooNky
Angler
CVE-2016-3351
XXX is Angler EK
- 2015-12-21 - MDNC -
Kafeine
Angler
Lurk
Cool
Killing a Zero-Day in the Egg: Adobe CVE-2016-1019
- 2016-04-07 - Proofpoint -
Kafeine
CVE-2016-1019
Nuclear
Magnitude
CVE-2016-1019 (Flash up to 21.0.0.182/187) and Exploit Kits
- 2016-04-08 - MDNC -
Kafeine
CVE-2016-1019
Nuclear
Magnitude
Cerber
Neutrino
CryptXXX: New Ransomware From the Actors Behind Reveton, Dropping Via Angler
- 2016-04-18 - Proofpoint -
Kafeine
CryptXXX
Angler
Dridex
A fiddler of that https Kovter SocEng Kit (pw: malware)
- 2016-05-10 - Twitter -
Kafeine
KovCoreG
Kovter
Is it the End of Angler ?
- 2016-06-11 - MDNC -
Kafeine
Angler
Lurk
Nuclear
SadClowns
GooNky
EITest
WordsJS
ScriptJS
Massive AdGholas Malvertising Campaigns Use Steganography and File Whitelisting to Hide in Plain Sight
- 2016-07-28 - Proofpoint -
Kafeine
AdGholas
Angler
Microsoft Patches CVE-2016-3351 Zero-Day, Exploited By AdGholas and GooNky Malvertising Groups
- 2016-09-13 - Proofpoint -
Kafeine
CVE-2016-3351
GooNky
AdGholas
Angler
Astrum
Peas in a pod: Microsoft patches CVE-2016-3298, a second information disclosure zero-day used in malvertising campaigns and the Neutrino Exploit Kit
- 2016-10-11 - Proofpoint -
Kafeine
CVE-2016-3298
GooNky
AdGholas
CVE-2016-3351
RIG evolves, Neutrino waves goodbye, Empire Pack appears
- 2016-10-22 - MDNC -
Kafeine
RIG
Empire
Neutrino
Angler
Nuclear
Sutra
BlackHole
Microsoft Word Intruder 8 Adds Support for Flash Vulnerability CVE-2016-4117
- 2016-11-07 - Proofpoint -
Matthew Mesa - Kafeine
MWI
CVE-2016-4117
Home Routers Under Attack via Malvertising on Windows, Android Devices
- 2016-12-13 - Proofpoint -
Kafeine
DNSChanger
EITest Nabbing Chrome Users with a “Chrome Font” Social Engineering Scheme
- 2017-01-17 - Proofpoint -
Kafeine
EITest
Fleercivet
Bye Empire, Hello Nebula Exploit Kit.
- 2017-03-02 - MDNC -
Kafeine
Empire
Nebula
GamiNook
Pitou
Gootkit
CVE-2014-6332
CVE-2015-7645
CVE-2016-4117
Astrum (aka Stegano) EK has integrated CVE-2017-0022 (infoleak) for filtering in its landing
- 2017-03-25 - Twitter -
Kafeine
CVE-2017-0022
Astrum
AdGholas Malvertising Campaign Using Astrum EK to Deliver Mole Ransomware
- 2017-06-20 - Proofpoint -
Kafeine
AdGholas
Astrum
Mole
Kovter Group malvertising campaign exposes millions to potential malware and fraud
- 2017-10-07 - Proofpoint -
Kafeine - Proofpoint Staff
KovCoreG
Kovter
APT28 racing to exploit CVE-2017-11292 Flash vulnerability before patches are deployed
- 2017-10-19 - Proofpoint -
Kafeine - Pierre T
CVE-2017-11292
DealersChoice
Threat Actor Profile: KovCoreG, The Kovter Saga
- 2017-11-01 - Proofpoint -
Kafeine
Kovter
KovCoreG
Angler
Sweet Orange
Nuclear
Sakura
BlackHole
Neutrino
Fiesta
Styx
EITest
CVE-2018-4878 (Flash Player up to 28.0.0.137) and Exploit Kits
- 2018-03-09 - MDNC -
Kafeine
CVE-2018-4878
WordsJS
GreenFlash Sundown
Magnitude
RIG
Fallout
Hermes
Drive-by as a service: BlackTDS
- 2018-03-13 - Proofpoint -
Kafeine
BlackTDS
bbsindex
TA505
Sandiflux: Another Fast Flux infrastructure used in malware distribution emerges
- 2018-03-30 - Proofpoint -
Kafeine
TA547
GandCrab
TA544
TA505
EITest: Sinkholing the oldest infection chain
- 2018-04-12 - Proofpoint -
Kafeine
EITest
Glazunov
Angler
Gootkit
Cerber
CryptXXX
Smokebot
Hello, internal name of this loader is sLoad. Appeared May 1st. Payload is the UK focused Ramnit ( fB1oN5frGqf )
- 2018-05-19 - Twitter -
Kafeine
sLoad
Ramnit
TA554
CVE-2018-8174 (VBScript Engine) and Exploit Kits
- 2018-05-25 - MDNC -
Kafeine
CVE-2018-8174
RIG
Magnitude
GrandSoft
Fallout
Kaixin
Hunter
GreenFlash Sundown
Smokebot
CVE-2018-15982 (Flash Player up to 31.0.0.153) and Exploit Kits
- 2019-01-16 - MDNC -
Kafeine
CVE-2018-15982
Fallout
Underminer
Spelevo
GreenFlash Sundown
Fallout += https and CVE-2018-15982
- 2019-01-16 - Twitter -
Kafeine
CVE-2018-15982
Fallout
Bikarys
It looks like there is a new EK in town (CVE-2018-15982 inside). See 85.17.197[.101. I first thought about GrandSoft but that's not it. Reminds SPL EK (an evolution?). Going for "Spelevo" as name. cc thx @jspchc @EKwatcher @ring_lcy
- 2019-03-07 - Twitter -
Kafeine
Spelevo
CVE-2018-15982
BrushaLoader still sweeping up victims one year later
- 2019-07-22 - Proofpoint -
Kafeine - Proofpoint Staff
BrushaLoader
Danabot
Gootkit
TA544
SystemBC is like Christmas in July for SOCKS5 Malware and Exploit Kits
- 2019-08-01 - Proofpoint -
Kade Karmon - Kafeine - Dennis Schwarz - Proofpoint Staff
SystemBC
Fallout
RIG
Danabot
PowerEnum
TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader
- 2019-10-16 - Proofpoint -
Dennis Schwarz - Kafeine - Matthew Mesa - Axel F - Proofpoint Staff
Get2
TA505
SDBbot
FlawedGrace
FlawedAmmyy
Snatch
ServHelper
For the records, sLoad is still dropping Ramnit "fB1oN5frGqf" in Italy.
- 2019-11-07 - Twitter -
Kafeine
sLoad
Ramnit
TA554
Buer, a new loader emerges in the underground marketplace
- 2019-12-04 - Proofpoint -
Kelsey Merriman - Dennis Schwarz - Kafeine - Axel F - Proofpoint Staff
Buer
Ostap
Trickbot
Fallout
Note: TA505 != Dridex. They were massively spreading it, [...] but also Locky 3, Trickbot mac1
- 2019-12-05 - Twitter -
Kafeine
TA505
Dridex