• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Healthcare Services Group discloses 2024 data breach that impacted 624,496 people

 | 

ESET warns of PromptLock, the first AI-driven ransomware

 | 

China linked Silk Typhoon targeted diplomats by hijacking web traffic

 | 

Farmers Insurance discloses a data breach impacting 1.1M customers

 | 

Citrix fixed three NetScaler flaws, one of them actively exploited in the wild

 | 

Auchan discloses data breach: data of hundreds of thousands of customers exposed

 | 

U.S. CISA adds Citrix Session Recording, and Git flaws to its Known Exploited Vulnerabilities catalog

 | 

Docker fixes critical Desktop flaw allowing container escapes

 | 

Malicious apps with +19M installs removed from Google Play because spreading Anatsa banking trojan and other malware

 | 

Pakistan-linked APT36 abuses Linux .desktop files to drop custom malware in new campaign

 | 

Android.Backdoor.916.origin malware targets Russian business executives

 | 

Electronics manufacturer Data I/O took offline operational systems following a ransomware attack

 | 

IoT under siege: The return of the Mirai-based Gayfemboy Botnet

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 59

 | 

Security Affairs newsletter Round 538 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Kidney dialysis firm DaVita confirms ransomware attack compromised data of 2.7M people

 | 

China-linked Silk Typhoon APT targets North America

 | 

Over 300 entities hit by a variant of Atomic macOS Stealer in recent campaign

 | 

Operation Serengeti 2.0: INTERPOL nabs 1,209 cybercriminals in Africa, seizes $97M

 | 

After SharePoint attacks, Microsoft stops sharing PoC exploit code with China

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Exploit kit traffic drops by 96% since April, what is happening?

Exploit kit traffic drops by 96% since April, what is happening?

Pierluigi Paganini June 21, 2016

The exploit kit landscape is rapidly changing,the Angler and Nuclear EK disappeared and overall malicious traffic drops by 96% since April.

As highlighted by security experts the threat landscape is in continuous evolution, despite the criminal underground was monopolized by Angler and Nuclear exploit kits for several years other EKs represent a serious threat to online users.

Malicious traffic related to Neutrino and RIG EKs demonstrates the high interest in these crime kits of malware authors. The interesting data that emerges from the observation of exploit kit traffic is its drastic fall, around 96% since early April.

What is happening?

The Necurs botnet, one of the world’s largest malicious architecture used to spread the dreaded threats like Dridex and Locky appears to have vanished since June 1.

The Angler and Nuclear exploit kits seem to be disappeared too, likely due to the hits of the law enforcement to the malware industry. Do not rejoice, I believe that this transitionary moment in which the principal criminal rings are searching for new structures.

The Nuclear EK, the oldest EK in the wild, was observed for the last time at the end of April, but security experts have no specific information regarding the suspension of its activities.

In April 2015, the experts from Check Point published an interesting report on the Nuclear EK and the infrastructure used by its operators, a money machine that was operated by a group of Russian developers led by an individual in Krasnodar, Russia.

What about the Nuclear EK?

According to the experts from Symantec, there is no evidence of the Nuclear’s activity since the first week of May.

“Angler’s disappearance has also prompted a falloff in activity in CryptXXX ransomware (Trojan.Cryptolocker.AN). Angler was one of the main delivery channels for CryptXXX.” reported the analysis published by Symantec. “Angler is not the only exploit kit to recently depart the scene. The well-known Nuclear exploit kit became inactive from the beginning of May. Since this occurred one month earlier, it is unclear if there is any connection with more recent developments.”

Nuclear EK activity Symantec

 

What’s interesting to note, however, is that a graph published by Proofpoint late last week suggests that Nuclear was still active during the second half of May.

The Angler’s disappearance might be caused by law enforcement activities, including the recent 50 arrests in Russia that were linked to the operations of the Lurk malware.

We read about Angler since June, the most recent news is related to the inclusion of the recent Flash zero-days and improvement of evasion techniques.

According to the experts from Proofpoint, the disappearance of Angler and Nuclear EKs, pushed the adoption of the Neutrino and RIG exploit kits.

“Interestingly, the shift to Neutrino was well underway by the time it was first reported, with Angler traffic dropping off dramatically as early as mid-May, and Nuclear EK affected as well. Angler and Nuclear EK activity has dropped to almost nothing as threat actors moved to instances of the Neutrino exploit kit. Shifting from one exploit kit to another is nothing new and threat actors may even use more than one regularly. However, with the exception of a brief break in January [8], Angler has dominated the EK market for some time, as we explained in the  Threat Summary for January-March,” states the report published by ProofPoint.

exploit kit trends

 

“By our estimates, Neutrino dropping CryptXXX account for as much as 75% of observed exploit kit traffic, and another 10% combined from Neutrino and Magnitude dropping Cerber ransomware. Most of the remaining 15% of EK traffic is RIG dropping a variety of payloads (banking Trojan, info stealers, loaders) on lower-value malvertising traffic, with various smaller EKs such as Sundown, Kaixin, Hunter and others making up the last 1% of total observed EK traffic,” continues Proofpoint.

Experts from Kaspersky Lab confirmed the above trends highlighting that criminal groups switched to Neutrino and RIG exploit kits.

What will happen in the future?

It is very difficult to say, anyway, cyber criminals have only changed their weapons but they will continue undeterred their illegal activities.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

Security Affairs – (Exploit Kit, Angler EK, Nuclear EK)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Angler EK exploit kit malware cybercrime Nuclear EK Pierluigi Paganini Security Affairs

you might also like

Pierluigi Paganini August 27, 2025
Healthcare Services Group discloses 2024 data breach that impacted 624,496 people
Read more
Pierluigi Paganini August 27, 2025
ESET warns of PromptLock, the first AI-driven ransomware
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Healthcare Services Group discloses 2024 data breach that impacted 624,496 people

    Data Breach / August 27, 2025

    ESET warns of PromptLock, the first AI-driven ransomware

    Malware / August 27, 2025

    China linked Silk Typhoon targeted diplomats by hijacking web traffic

    Security / August 27, 2025

    Farmers Insurance discloses a data breach impacting 1.1M customers

    Data Breach / August 26, 2025

    Citrix fixed three NetScaler flaws, one of them actively exploited in the wild

    Hacking / August 26, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT