Angler is an exploit kit, also referred to in the content as Angler/Axpergle, used to automate exploitation of browser and browser-plugin vulnerabilities. The content states it was commonly delivered through malvertising campaigns and malicious advertisements on legitimate websites, including campaigns observed by Proofpoint in which abused ad agencies and domain-shadowed subdomains redirected victims to Angler. It targeted vulnerabilities in browsers and plugins such as Adobe Flash, and the content describes Angler as having industrialized browser exploitation at scale and as part of the broader commercialization of exploit kits as a subscription model in the early 2010s.
Observed delivery and behavior in the provided content include malicious ads that redirected targeted users through filtering logic, SSL-protected infrastructure, and an HTTPS open redirect in DoubleClick before landing on Angler without a referrer. The campaign used victim profiling and anti-analysis techniques, including two Microsoft Internet Explorer information disclosure bugs, checks for certain security products, and MimeType checks for shell associations such as .py, .pcap, and .saz. The content also states that Angler implemented encrypted exploit delivery via Diffie-Hellman key exchange to evade exploit-detection appliances. In replayed attacks, fileless Angler activity loaded Bedep directly into memory.
Associated payload delivery described in the content includes Bedep build 1926 delivering fileless Ursnif, Ramnit, Blowcrypt, Vawtrak, and Reactor Bot during November 2015. The content also links Angler to the AdGholas malvertising ecosystem, noting that AdGholas operators initially used Angler and Neutrino before later shifting to Stegano/Astrum. Angler is mentioned alongside other common exploit kits such as Nuclear and Neutrino.
High-confidence indicators directly mentioned in the content include shadowed domains and related infrastructure used in Angler delivery campaigns: ads.mikeholt[.]com resolving to 209.126.110.7; adv.mtcharlestonlodge[.]com resolving to 209.126.118.13; media.healthy-homemakers[.]com resolving to 209.126.118.11; promo.loopnetworksllc[.]com resolving to 209.126.118.18; delivery.dpis[.]com resolving to 209.126.118.18; promo.socialmagnetmarketing[.]com resolving to 209.126.118.14; alutqlyzoxglge7s[.]com at 95.211.205.229 identified as a Bedep domain; zwietrzyla1morinaga.efloridacoupons[.]com at 8.26.21.113 identified as an Angler EK domain; and associated payload/C2 infrastructure including ninthclub[.]com at 81.177.22.179, atlasbeta[.]com at 176.9.188.147, browneyandrebun[.]net at 107.170.83.113, and cloud75[.]eu at 51.255.59.117.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...six zero-day vulnerabilities (... CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123 for Adobe Flash; ...) ... being released into the wild.
...six zero-day vulnerabilities (... CVE-2015-5122 ... for Adobe Flash; ...) being released into the wild.
...six zero-day vulnerabilities (... CVE-2015-5123 for Adobe Flash; ...) being released into the wild.
...six zero-day vulnerabilities (... CVE-2015-2425 for Internet Explorer) ... being released into the wild.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Initially, the gang behind AdGholas had been using the Angler and Neutrino exploit kits.
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Les exploits et les kits d'exploitation s'appuient généralement sur des sites Web malveillants ou des pièces jointes de courrier électronique pour pénétrer un réseau ou un appareil, mais ils se cachent parfois également dans des publicités sur des sites Web légitimes.
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An exploit kit delivered via malvertising that scans browsers and browser plugins for vulnerabilities and exploits them to infect users.
Exploit kit used by cybercriminals to find and exploit known software vulnerabilities in order to deploy malware quickly and efficiently.
An exploit kit noted for industrializing browser exploitation at scale.
An exploit kit referenced as part of the evolution of exploit-as-a-service models that packaged and sold exploitation capabilities.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.