Mallory
Malware | Used by 1 actor | Exploits 11 CVEs

Sedkit

Sedkit is a custom exploit kit used exclusively by the Sednit threat group, also tracked as APT28, Fancy Bear, and Sofacy, to gain initial access in targeted espionage operations. Reporting describes it as one of Sednit’s three main initial attack methods alongside fake webmail credential-harvesting pages and malicious email attachments. Sedkit was used to deliver the first-stage malware Seduploader, which then performed reconnaissance, established persistence and outbound connectivity, and commonly fetched second-stage payloads such as Xagent or Sedreco. Sedkit was active by at least September 2014 and was later used in targeted email campaigns through 2016; the last observed campaign in the provided reporting was in October 2016, after which activity disappeared.

Operationally, Sedkit was first observed in a watering-hole style campaign in which legitimate websites, including sites belonging to a large financial institution in Poland, were modified with injected IFRAMEs that redirected visitors to exploit-kit infrastructure. Later campaigns relied mainly on spearphishing emails containing links that mimicked legitimate news sites such as Stratfor, Reuters, The Guardian, Huffington Post, BBC, and UNIAN. Sedkit landing pages fingerprinted victims by collecting browser properties, installed plugins, screen properties, and time zone information before deciding whether to serve an exploit. It redirected both exploited and non-selected visitors to legitimate websites to reduce suspicion. In observed chains, Sedkit targeted Internet Explorer and Adobe Flash; one report notes Chrome and Firefox test traffic being redirected to localhost and that Java targeting was not used in the observed chain.

The exploit kit was reported exploiting CVE-2013-1347, CVE-2013-3897, CVE-2014-1510, CVE-2014-1511, CVE-2014-1776, CVE-2014-6332, CVE-2015-2590, CVE-2015-3043, CVE-2015-4902, CVE-2015-5119, and CVE-2015-7645, and also abusing MacKeeper on OS X. ESET assessed that Sednit developed a custom exploit for CVE-2014-6332. In one 2014 observed chain, successful exploitation downloaded a loader named runrun.exe, which installed splm.dll, an Xagent-related payload with modules for execution management, keylogging, file access, and communications. Reported command-and-control domains for that payload included msonlinelive.com, windows-updater.com, and azureon-line.com. Additional infrastructure noted in the observed redirection chain included defenceiq.us, cntt.akcdndata.com, armypress.org, mfapress.org, mfapress.com, and caciltd.com, with several resolving to 76.73.47.90.
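Because the infrastructure above is the concrete, matchable part of this profile, here is an added example of the kind of IOC sweep a defender would run over proxy logs against it. This is not Mallory's or ESET's code; the domain and IP values are the ones named on this page, while the log-line format and the sample log lines are constructed for the demonstration. The matcher treats a hostname as a hit when it equals a listed domain or is a subdomain of one, and falls back to the destination IP when the hostname is unrelated.

```python
"""Match proxy-log hostnames and destination IPs against the Sedkit-related
infrastructure named in the reporting above.

Added example, not code from Mallory or from the original research. The IOC
values come from the page; the log format and sample lines are constructed.
"""
import ipaddress
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Infrastructure named on this page: the C2 domains reported for the splm.dll
# payload and the hosts seen in the 2014 redirection chain.
SEDKIT_DOMAINS = {
    "msonlinelive.com", "windows-updater.com", "azureon-line.com",
    "defenceiq.us", "cntt.akcdndata.com", "armypress.org",
    "mfapress.org", "mfapress.com", "caciltd.com",
}
SEDKIT_IPS = {"76.73.47.90"}

# Constructed log format (an assumption for this example, not a vendor format):
# <timestamp> <client_ip> <dest_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def host_matches(host: str) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    # Walk from the full hostname up through its parent domains so that a
    # subdomain such as "cdn.mfapress.org" still hits "mfapress.org", while a
    # look-alike such as "not-mfapress.com" does not (no substring matching).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SEDKIT_DOMAINS:
            return candidate
    return None


def ip_matches(addr: str) -> bool:
    """True if `addr` is a well-formed IP that appears in the IOC set."""
    try:
        return str(ipaddress.ip_address(addr)) in SEDKIT_IPS
    except ValueError:
        return False


def scan_proxy_log(lines: Iterable[str]) -> Iterable[Tuple[str, str, str]]:
    """Yield (client_ip, indicator, reason) for each line touching Sedkit infrastructure."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        host = urlsplit(m["url"]).hostname or ""
        dom = host_matches(host)
        if dom:
            yield (m["client"], dom, "domain")
        elif ip_matches(m["dest"]):
            yield (m["client"], m["dest"], "ip")


# Constructed sample traffic: a benign request, a redirect into a listed domain,
# a subdomain of a listed domain, a connection to the listed IP under an
# unrelated hostname, and a look-alike name that must not match.
SAMPLE_LOG = [
    "2016-10-03T08:12:01Z 10.1.4.22 93.184.216.34 GET http://www.example.com/ 200",
    "2016-10-03T08:12:05Z 10.1.4.22 76.73.47.90 GET http://defenceiq.us/news.html 302",
    "2016-10-03T08:12:07Z 10.1.4.23 203.0.113.9 GET https://cdn.mfapress.org/x.swf 200",
    "2016-10-03T08:12:09Z 10.1.4.24 76.73.47.90 GET http://update.internal/ok 200",
    "2016-10-03T08:12:11Z 10.1.4.25 198.51.100.7 GET https://not-mfapress.com/ 200",
]


def find_hits(lines: Iterable[str] = SAMPLE_LOG) -> List[Tuple[str, str, str]]:
    """Run the sweep and collect the hits as a list."""
    return list(scan_proxy_log(lines))


if __name__ == "__main__":
    for client, ioc, why in find_hits():
        print(f"{client} -> {ioc} ({why})")
```

Two practical points follow from the page's own dates: these indicators come from 2014 to 2016 campaigns, so a current hit on one of the domains is more likely to reflect an expired, re-registered name than live Sednit activity and should be triaged as historical context rather than an active alert, and the IP fallback is there because several of the listed hosts resolved to the same address, so a connection by raw IP would otherwise slip past a hostname-only rule.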

Sedkit was associated with Sednit’s long-running targeting of governments, embassies, ministries of foreign affairs, political parties, defense-related entities, and other geopolitical targets, with a particular focus on Eastern Europe and broader diplomatic targets. Reporting specifically notes campaigns against embassies and political parties in Central Europe and broader Sednit targeting of government and geopolitical organizations worldwide.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

11 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

11 CVEs
CVE-2014-1776 | Use-after-free RCE in Microsoft Internet Explorer 6 through 11 | Exploited in the wild

The second main attack method of the Sednit group is an exploit kit, which we named Sedkit. | Table 3. Sedkit exploited vulnerabilities: CVE-2014-1776 Internet Explorer 11.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2014-1510 | Mozilla WebIDL chrome-privileged JavaScript execution via window.open | Exploited in the wild

Table 3. Sedkit exploited vulnerabilities: CVE-2014-1510 / CVE-2014-1511 Firefox. | The second main attack method of the Sednit group is an exploit kit, which we named Sedkit.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2015-5119 | Use-after-free RCE in Adobe Flash Player ByteArray | Exploited in the wild

The second main attack method of the Sednit group is an exploit kit, which we named Sedkit. | Table 3. Sedkit exploited vulnerabilities: CVE-2015-5119 Adobe Flash. Revamped from Hacking Team leaked data.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2014-6332 | Windows OLE Automation Array Remote Code Execution Vulnerability | Exploited in the wild

The vulnerability CVE-2014-6332 was discovered in May 2014... Soon after the disclosure, a proof-of-concept was released... in October 2015 a simple revamped version of the original proof-of-concept was added to Sedkit. But the Sednit group went one step further in February 2016 by deploying a different exploit for this vulnerability. | The second main attack method of the Sednit group is an exploit kit, which we named Sedkit.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2015-4902 | Java Deployment click-to-play bypass in Oracle Java SE | Exploited in the wild

The second main attack method of the Sednit group is an exploit kit, which we named Sedkit. | CVE-2015-4902 Java 0-day at the time Sedkit used it.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2015-7645 | Adobe Flash Player crafted SWF remote code execution | Exploited in the wild

The second main attack method of the Sednit group is an exploit kit, which we named Sedkit. | CVE-2015-7645 Adobe Flash 0-day at the time Sedkit used it.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2013-1347 | Microsoft Internet Explorer 8 CGenericElement use-after-free | Exploited in the wild

The second main attack method of the Sednit group is an exploit kit, which we named Sedkit. | Table 3. Sedkit exploited vulnerabilities: CVE-2013-1347 Internet Explorer 8.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2015-2590 | Oracle Java SE Libraries unspecified remote vulnerability | Exploited in the wild

CVE-2015-2590 Java 0-day at the time Sedkit used it. | The second main attack method of the Sednit group is an exploit kit, which we named Sedkit.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2015-3043 | Adobe Flash Player memory corruption RCE/DoS | Exploited in the wild

The second main attack method of the Sednit group is an exploit kit, which we named Sedkit. | CVE-2015-3043 Adobe Flash 0-day at the time Sedkit used it.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2014-1511 | Mozilla Firefox popup blocker bypass | Exploited in the wild

Table 3. Sedkit exploited vulnerabilities: CVE-2014-1510 / CVE-2014-1511 Firefox. | The second main attack method of the Sednit group is an exploit kit, which we named Sedkit.

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2013-3897 | Internet Explorer CDisplayPointer use-after-free memory corruption | Exploited in the wild

Table 3. Sedkit exploited vulnerabilities: CVE-2013-3897 Internet Explorer 8. | The second main attack method of the Sednit group is an exploit kit, which we named Sedkit.

via ESET WeLiveSecurity blog (welivesecurity.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT28

Spear phishing campaigns or the SedKit exploit kit delivered the Seduploader first stage.

via Sekoia blog (blog.sekoia.io)
MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1592 Gather Victim Host Information (evidence: 1)

The purpose of this page is to build a report of the visitor’s machine... collect the visitor’s time zone... information on the visitor’s browser... information on the visitor’s screen... the list of installed browser plugins.

Initial Access

4 techniques
T1189 Drive-by Compromise (evidence: 2)

“potential victims were redirected to its landing page through a watering-hole scheme.” / “exploit kits… perform drive-by downloads.”

T1190 Exploit Public-Facing Application (evidence: 1)

“Sednit leveraged vulnerabilities… mostly Adobe Flash and Internet Explorer.” / “DealersChoice… embedded Adobe Flash Player exploits… selects one of three different vulnerabilities.”

T1566.002 Spearphishing Link (evidence: 2)

“potential victims were redirected to its landing page through a watering-hole scheme… their preferred method consisted of malicious links embedded in emails… using popular stories… and redirecting targets that click on the emailed URL to the real website, but not before visiting the Sedkit landing page.” | “The attack usually starts with an email containing either a malicious link or malicious attachment.” / “their preferred method consisted of malicious links embedded in emails sent to Sednit’s targets.”

T1566.003 Spearphishing via Service (evidence: 1)

Figure 2. Main attack methods and malware used by the Sednit group since 2014... Attack methods: Fake webmail login panels.

Execution

1 technique
T1203 Exploitation for Client Execution (evidence: 2)

One of the striking characteristics of the Sednit group is its ability to come up with brand-new 0-day vulnerabilities regularly. In 2015, the group exploited no fewer than six 0-day vulnerabilities... CVE-2015-2424 Office RCE, CVE-2015-3043 Flash, CVE-2015-1701 Windows LPE, CVE-2015-2590 Java, CVE-2015-4902 Java click-to-play bypass, CVE-2015-7645 Flash.

Command and Control

1 technique
T1071.001 Web Protocols (evidence: 1)

First, Seduploader simply sends an HTTP POST request to Google with a pseudo-randomly-generated URI path... Finally, the resulting encrypted data are sent as the body of an HTTP POST request. All communications with the C&C server are sent in the same manner.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (11)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (7)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.