Angler Exploit Kit is an exploit kit used in malvertising and drive-by download campaigns to exploit vulnerabilities in visitors’ browsers and browser plugins in order to deliver malware. The provided content states it was used to redirect victims from malicious advertisements to attacker-controlled sites, where browser vulnerabilities were exploited to infect systems, including delivery of the Reveton ransomware. In the cited examples, Angler was associated with malvertising on adult websites and with drive-by download activity. The content specifically mentions exploitation of Adobe Flash, Microsoft Silverlight, and Oracle Java, and notes that encrypted malcode delivery was first observed in Angler in 2015. Angler is also linked in the content to the Russian Lurk gang, and its operation is described as having effectively disappeared after arrests of Lurk members in June 2016; the content also refers to the high-profile demise of Angler Exploit Kit in June 2016. High-confidence indicators and contextual details directly mentioned include its use in browser-based exploitation, malvertising-driven redirects, delivery of Reveton, and historical association with the Lurk gang.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
These sites ran a version of the Angler exploit kit, which exploited vulnerabilities in visitors' browsers to infect them with malware, and more specifically with Reveton.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Browser-based exploit kit historically used in malvertising to exploit client-side vulnerabilities (notably via Flash-era vectors) to deliver malware payloads.
Referenced as an earlier exploit kit known for encrypted malcode delivery; mentioned for historical comparison with POISON CARP's iOS exploit delivery approach.
Exploit kit used in malvertising-driven drive-by downloads; redirects victims to a malicious site to exploit vulnerabilities in common web plugins/extensions (e.g., Adobe Flash, Microsoft Silverlight, Oracle Java) to deliver malware.
Exploit kit referenced as an early example of using encrypted payload delivery techniques later mirrored by other exploit frameworks.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.