Exploit Kit
Exploit kits or exploit packs are a type of hacking toolkit that cybercriminals use to take advantage of vulnerabilities in systems/devices so they can distribute malware or carry out other malicious activities. They normally target popular software such as Adobe Flash®, Java™, and Microsoft Silverlight®.
A typical exploit kit usually provides a management console, a bunch of vulnerabilities for different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

Figure 1: Exploit kit infection chain
- Step 1: Contact
An attacker convinces people to click the link to a site that serves an exploit kit, often through spam and effective social engineering lures.
- Step 2: Redirect
The exploit kit finds vulnerabilities in the software installed on the systems/devices used to access the link.
- Step 3: Exploit
An exploit that takes advantage of the vulnerability found is executed on the system/device.
- Step 4: Infect
A payload (a piece of malware) is dropped and executed on the system/device.
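As an added example that is not part of this page or any Trend Micro tooling, the Python below maps constructed web-proxy log events onto the four steps above and flags a client only when all four appear in that order within a short window; the log format, the hosts, the content-type sets and the 60-second window are assumptions.

```python
from datetime import datetime, timedelta
# Constructed proxy log (not real traffic): "timestamp client url status content-type".
SAMPLE_LOG = """\
2016-03-15T10:00:01 10.0.0.5 http://news.example/article 200 text/html
2016-03-15T10:00:02 10.0.0.5 http://ads.example/serve?id=7 302 text/html
2016-03-15T10:00:04 10.0.0.5 http://landing.example/movie.swf 200 application/x-shockwave-flash
2016-03-15T10:00:06 10.0.0.5 http://landing.example/load.php 200 application/x-msdownload
2016-03-15T10:05:01 10.0.0.9 http://news.example/player.swf 200 application/x-shockwave-flash
"""
# Plug-in content types the page says kits target (Flash, Java, Silverlight), and payload types.
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, client, url, status, ctype = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "url": url, "status": int(status), "ctype": ctype})
    return events

def classify(ev):
    """Chain step an event resembles: 1 Contact, 2 Redirect, 3 Exploit, 4 Infect."""
    if 300 <= ev["status"] < 400:
        return 2
    if ev["ctype"] in EXPLOIT_TYPES:
        return 3
    return 4 if ev["ctype"] in PAYLOAD_TYPES else 1 if ev["ctype"] == "text/html" else None

def find_chains(events, window=timedelta(seconds=60)):
    # Returns {client: [(step, url), ...]} for clients seen passing steps 1-4 in order.
    by_client = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_client.setdefault(ev["client"], []).append(ev)
    hits = {}
    for client, evs in by_client.items():
        want, trail = 1, []
        for ev in evs:
            if trail and ev["ts"] - trail[0]["ts"] > window:  # chain went stale: start over
                want, trail = 1, []
            if classify(ev) != want:
                continue
            trail.append(ev)
            want += 1
            if want > 4:
                hits[client] = [(classify(e), e["url"]) for e in trail]
                break
    return hits
```

A lone Flash file (client 10.0.0.9) is not reported, because the check requires the redirect and payload stages as well, which is what separates a kit visit from ordinary plug-in content.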
The Exploit Kit-Ransomware Tandem
Exploit kits have proven to be an efficient means of delivering all sorts of threats to vulnerable systems/devices. In 2015, the then most active and popular exploit kit, Angler, started the wave of delivering ransomware to victims’ systems/devices.
Figure 2: Exploits included in specific kits in the first half of 2016
Angler: 1H 2016’s Most Notorious Exploit Kit
The Angler Exploit Kit accounted for 60% of the overall activity in 2015. It was also used in a massive malvertising campaign that preyed on top-tier news, entertainment, and political commentary sites in March 2016.
Angler was constantly updated to include new exploits, including those that were part of the Hacking Team leak and used in Pawn Storm, until the arrest of 50 people accused of using it to distribute malware and amass US$25 million.

Figure 4: Number of times exploit-kit-hosting URLs were accessed in the first half of 2016
Vulnerabilities Most Exploited by Exploits Integrated into Kits
Exploit kits typically integrate exploits for vulnerabilities in the most commonly used applications that many users leave unpatched. Below are five of the vulnerabilities most exploited by exploit kits from 2010 to the first half of 2016.
- CVE-2013-2551
Affected software: Microsoft Internet Explorer® 6–10
Description: A use-after-free vulnerability that lets attackers remotely execute arbitrary code via a specially crafted site that triggers access to a deleted object
Latest story: Windows 10 Sharpens Browser Security with Microsoft Edge
- CVE-2015-0311
Affected software: Adobe Flash Player 13.0.0.262, 14.x, 15.x, and 16.x–16.0.0.287 on Microsoft Windows® and 11.2.202.438 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that allows attackers to remotely execute arbitrary code via unknown vectors
Latest story: Exploit Kits in 2015: Flash Bugs, Compromised Sites, Malvertising Dominate
- CVE-2015-0359
Affected software: Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux
Description: An Adobe Flash Player memory corruption vulnerability that allows attackers to execute arbitrary code when the application is used; failed exploitation attempts likely result in denial of service (DoS)
Latest story: Exploit Kits in 2015: Flash Bugs, Compromised Sites, Malvertising Dominate
- CVE-2014-0515
Affected software: Adobe Flash Player before 11.7.700.279 and 11.8.x–13.0.x before 13.0.0.206 on Microsoft Windows and Mac® OS X® and before 11.2.202.356 on Linux
Description: An Adobe Flash Player buffer overflow vulnerability that occurs when parsing a compiled shader in a Flash object, which allows attackers to run some processes and run arbitrary shellcode
Latest story: Flash Greets 2015 with New Zero Day
- CVE-2014-0569
Affected software: Adobe Flash Player before 13.0.0.250 and 14.x and 15.x before 15.0.0.189 on Windows and before 11.2.202.411 on Linux
Description: An Adobe Flash Player remote integer overflow vulnerability that lets attackers execute arbitrary code via unspecified vectors
Latest story: Latest Microsoft Patch Prevents Browser History Snooping
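As an added example that is not part of this page or any Trend Micro product, the Python below encodes the Adobe Flash Player ranges from the four Flash entries above and reports which of those CVEs a given installed build still falls into. The platform keys, the inventory format and the sample hosts are assumptions, and each "before X" range is read as every build below X.

```python
# Added example (not Trend Micro's code): encode the Flash Player ranges listed
# above and report which of those CVEs a given installed build falls into.
def ver(s):
    """'13.0.0.262' -> (13, 0, 0, 262); pad so shorter strings compare sanely."""
    parts = tuple(int(p) for p in s.split("."))
    return parts + (0,) * (4 - len(parts))

# (platform, lowest affected build inclusive, first unaffected build exclusive), read from
# the "Affected software" text of each entry; an "x.y" wildcard becomes x.y.0.0.
FLASH_RANGES = {
    "CVE-2015-0311": [("windows", "13.0.0.262", "13.0.0.263"),
                      ("windows", "14.0.0.0", "16.0.0.288"),
                      ("linux", "11.2.202.438", "11.2.202.439")],
    "CVE-2015-0359": [("windows", "0", "13.0.0.281"), ("mac", "0", "13.0.0.281"),
                      ("windows", "14.0.0.0", "17.0.0.169"), ("mac", "14.0.0.0", "17.0.0.169"),
                      ("linux", "0", "11.2.202.457")],
    "CVE-2014-0515": [("windows", "0", "11.7.700.279"), ("mac", "0", "11.7.700.279"),
                      ("windows", "11.8.0.0", "13.0.0.206"), ("mac", "11.8.0.0", "13.0.0.206"),
                      ("linux", "0", "11.2.202.356")],
    "CVE-2014-0569": [("windows", "0", "13.0.0.250"),
                      ("windows", "14.0.0.0", "15.0.0.189"),
                      ("linux", "0", "11.2.202.411")],
}

def exposed_cves(installed, platform):
    """CVE IDs from the list above whose affected range contains `installed` on `platform`."""
    v = ver(installed)
    hits = []
    for cve, ranges in FLASH_RANGES.items():
        for plat, lo, hi in ranges:
            if plat == platform and ver(lo) <= v < ver(hi):
                hits.append(cve)
                break
    return sorted(hits)

# Constructed inventory (hypothetical hosts): {hostname: (flash_version, platform)}.
SAMPLE_INVENTORY = {"ws1": ("16.0.0.287", "windows"), "ws2": ("17.0.0.169", "windows"),
                    "srv1": ("11.2.202.400", "linux")}

def audit(inventory):
    """Return {hostname: [cve, ...]} for every host still inside one of the ranges."""
    report = {}
    for host, (version, platform) in inventory.items():
        cves = exposed_cves(version, platform)
        if cves:
            report[host] = cves
    return report
```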
Adobe Flash remains the most exploited software since 2010. Cybercriminals are clearly aware of the millions of developers that use it to create content for mobile and desktop consumption. Adobe Flash runs on more than 1 billion connected devices/systems to date.
Notable exploit-kit-related incidents
Exploit Kits Over Time
Exploit kits, the cybercriminal’s closest thing to a Swiss Army knife, remain a steadfast threat because of their track record. From fake antivirus to malvertisements and now ransomware, exploit kits have proven effective enough to be constantly updated for more inventive and malicious uses.

Figure 5: Comparison of active and new exploit kits from 2006 to the first half of 2016
Active and new exploit kits
| YEAR | EXISTING | NEWLY RELEASED |
|---|---|---|
| 2006 | MPack, WebAttacker Kit | |
| 2007 | MPack | Armitage Exploit Pack, IcePack Exploit Kit, NeoSploit Exploit Kit 1.0, Phoenix Exploit Kit, Tornado Exploit Kit |
| 2008 | IcePack Exploit Kit, NeoSploit Exploit Kit 2.0/3.0, Phoenix Exploit Kit, Tornado Exploit Kit | AdPack, Fiesta Exploit Kit, FirePack Exploit Kit |
| 2009 | Phoenix Exploit Kit 2.0, Tornado Exploit Kit | CrimePack 1.0, Eleonore Exploit Kit, Fragus Exploit Kit, Just Exploit Kit, Liberty Exploit Kit, Lucky Sploit, MyPoly Sploit, Neon Exploit System, Spack, Siberia Exploit Pack, Unique Sploits Exploit Pack, Yes Exploit Kit 1.0/2.0 |
| 2010 | CrimePack 2.0/3.0, Eleonore Exploit Kit, Phoenix Exploit Kit 2.0, Siberia Pack, Yes Exploit Kit 3.0 | Blackhole Exploit Kit 1.0, Bleeding Life Exploit Kit 1.0/2.0, Dragon Pack, Nuclear Exploit Kit 1.0, Papka Exploit Pack, SEO Sploit Pack |
| 2011 | Blackhole Exploit Kit 1.1/1.2, Bleeding Life Exploit Kit 3.0, Eleonore Exploit Kit, NeoSploit Exploit Kit 4.0, Nuclear Exploit Kit 1.0, Phoenix Exploit Kit 2.0, SEO Sploit Pack, Siberia Pack | Best Pack, G01Pack Exploit Kit, Katrin Exploit Pack, OpenSource Exploit Kit, Sava Exploit Kit |
| 2012 | Blackhole Exploit Kit 2.0, G01Pack Exploit Kit, Hierarchy/Eleonore Exploit Kit, NeoSploit Exploit Kit 4.0, Nuclear Exploit Kit 2.0, Phoenix Exploit Kit 3.0 | Alpha Pack, CK Exploit Kit, Cool Exploit Kit, CrimeBoss Exploit Kit, CritXPack, GrandSoft Exploit Kit, Impact Exploit Kit, KaiXin Exploit Pack, Kein Exploit Pack, NucSoft Exploit Pack, ProPack, RedKit Exploit Kit, Sakura Exploit Kit, Serenity Exploit Pack, Sibhost/Glazunov Exploit Kit, Styx Exploit Kit 2.0, SweetOrange Exploit Kit, Techno Xpack, Yang Pack, ZhiZhu Exploit Kit |
| 2013 | Blackhole Exploit Kit 2.0, CK Exploit Kit, CrimeBoss Exploit Kit, Fiesta/NeoSploit Exploit Kit, FlackPack Exploit Kit, G01Pack Exploit Kit, GrandSoft, Nuclear Exploit Kit 3.0, Phoenix Exploit Kit 3.0, RedKit/Goon Exploit Kit, Sakura Exploit Kit, Sibhost/Glazunov Exploit Kit, Styx Exploit Kit, SweetOrange Exploit Kit | Angler Exploit Kit, Anonymous Exploit Kit, DotkaChef Exploit Kit, GongDa Exploit Kit, Hello/LightsOut Exploit Kit, HiMan Exploit Kit, Magnitude/PopAds Exploit Kit, Neutrino Exploit Kit, Private Exploit Pack, Red Dot Exploit Kit, Safe Pack, WhiteHole Exploit Kit, White Lotus Exploit Kit, Zuponcic Exploit Kit |
| 2014 | Angler Exploit Kit, DotkaChef Exploit Kit, Fiesta/NeoSploit Exploit Kit, FlackPack Exploit Kit, GongDa Exploit Kit, Hello/LightsOut Exploit Kit, RedKit/Infinity Exploit Kit, Magnitude Exploit Kit, Neutrino Exploit Kit, Nuclear Exploit Kit 3.0, Styx Exploit Kit, SweetOrange Exploit Kit, Zuponcic Exploit Kit | CottonCastle/Niteris Exploit Kit, HanJuan Exploit Kit, Rig Exploit Kit |
| 2015 | Angler Exploit Kit, Fiesta/NeoSploit Exploit Kit, HanJuan Exploit Kit, Magnitude Exploit Kit, Neutrino Exploit Kit, Nuclear Exploit Kit 3.0, Rig Exploit Kit, SweetOrange Exploit Kit | Hunter Exploit Kit, Sundown Exploit Kit |
| 2016 | Angler Exploit Kit, Rig Exploit Kit, Magnitude Exploit Kit, Nuclear Exploit Kit, Neutrino Exploit Kit, Sundown Exploit Kit, Hunter Exploit Kit | |
Protect Your Organization from Exploit Kits
Shield your endpoints temporarily, until you can deploy patches, or indefinitely for out-of-support or unpatchable systems. We’ll help you prevent vulnerability exploitation (e.g., ransomware exploiting vulnerabilities) with easy- and fast-to-deploy intrusion prevention system (IPS) filters. So you get full protection until you can deploy vendor patches when it makes the most sense for your business. Vulnerability protection is part of the Trend Micro Smart Protection Suites.
Trend Micro™ Deep Security™, meanwhile, powers Trend Micro’s Hybrid Cloud Security solution, providing market-leading security capabilities for physical, virtual, and cloud servers from a single integrated platform.
Add to those TippingPoint Network Security Solutions that provide real-time network protection, visibility, and centralized management and analytics that are easy to use, configure, and install.
All of these solutions contribute to the interconnected, multilayered security defense strategy that Trend Micro provides to protect your users and their data from vulnerability exploitation, regardless of device or location.
To mitigate vulnerability exploitation, follow these best practices:
- Promptly patch all endpoints to block known exploits.
- Deploy a vulnerability shielding solution that proactively shields systems/devices from even unknown vulnerabilities via behavior monitoring.
- Update browsers and plug-ins to the latest versions and use a browser exploit prevention solution that secures against zero-day browser exploits.
Related papers
- Monitoring Vulnerabilities: Are your Servers Exploit-Proof?
- Virtual Patching in Mixed Environments: How It Works To Protect You
Related Infographics
- Shellshock Vulnerability: The Basics of the “Bash Bug”
- Stop threats dead in their tracks/Blackhole Exploit Kit
- Dodging a Compromise: A Peek at Exposure Gaps
- The Internet of Everything: Layers, Protocols and Possible Attacks