Forecasting the exploit kit landscape

Michael Marriott | 15 September 2016

We’ve previously written on the most popular vulnerabilities that exploit kits are using. But how might the exploit kit market develop over the next year?

There are five identifiable factors that may impact the status of the exploit kit marketplace.

  1. The resources held by exploit kit developers
  2. The amount of custom they receive
  3. The duration for which an exploit kit has been active
  4. How frequently they are developed
  5. The disruption caused by law enforcement and security researchers.

Using these factors, we have outlined three plausible scenarios that encompass varying threat levels: Neutrino dominates, no more Neutrino, and new players.

Scenario 1: September 2017 – Neutrino dominates (same threat level)

Neutrino, Magnitude, RIG, Sundown and the Hunter exploit kit remain active: they continue to compromise end users, continue to be developed to incorporate new exploits, and continue to be profitable. The Nuclear and Angler exploit kits have remained inactive since June 2016, so two of the previously most prominent exploit kits are no longer competing for exploit kit market share. This has increased the revenue available to the remaining exploit kits, in turn providing their developers with more resources.

With more resources, the active exploit kits are developed at a higher rate than observed in 2016 and incorporate more recent exploits. However, RIG, Hunter and Sundown are not established enough to benefit the most from the increased revenue, so Magnitude and Neutrino become the two most prominent. Despite this, Sundown’s developers have made continued attempts to compete in the market since June 2016, so this exploit kit is considered the third most prominent. The Neutrino exploit kit, having seemingly replaced Angler following its demise in June 2016, remains the most widely used and frequently developed exploit kit.


While the prominence of each of the active exploit kits has shifted in 12 months, the threat level posed by exploit kits overall has not changed. Any attempts by law enforcement and security vendors to disrupt exploit kit operations are circumvented by the exploit kit developers, and the number of detections of exploit kit activity has remained largely unchanged.

Figure 1 - Neutrino exploit kit payloads

Scenario 2: September 2017 - No more Neutrino (lower threat)

Following the arrest of 50 individuals associated with the Lurk banking trojan and Angler exploit kit, as well as the reported disruption to the Nuclear exploit kit in June 2016, no activity from these kits has been detected. Because of this, law enforcement and security researcher attention has been focused on the Neutrino exploit kit, given it had become the most prominent following the demise of Angler. The fact that Neutrino is offered for rent has presented opportunities for law enforcement and researchers to uncover more about Neutrino’s infrastructure, setup and developers. Ultimately, this has allowed an international law enforcement operation to be carried out against threat actors associated with it. The result is a cessation of Neutrino rental activity, as the developers consider it too high-risk a project to continue. While Neutrino remains active, it is on a much smaller scale.

The cessation of activity from another of the most prominent exploit kits, caused by law enforcement disruption one year after the demise of Angler, has impacted the threat level posed by exploit kits as a whole. While other exploit kits including RIG, Magnitude and Sundown remain active, their developers are less inclined to rent out the kits due to security fears.

Law enforcement and security researcher scrutiny of exploit kits has brought a further exploit kit’s operations to an end. In turn, this has made other exploit kit developers more cautious in their operations, impeding their ability to be as active as they were and to generate as much revenue. Less widespread use has lowered the threat level posed by exploit kits in future.


Scenario 3: September 2017 - New players (higher threat)

The demise of Angler and the stoppage of Nuclear have encouraged developers to create their own exploit kits to capitalize on gaps in the marketplace. Following a trend of lowering the barriers to entry for cybercrime, the developers attempt to make these exploit kits as user-friendly as possible.

These new exploit kits are advertised publicly and are designed to be scalable, with well-developed user interfaces and support features that encourage lower-capability cybercriminals to use them. These methods are largely copied from successful ransomware-as-a-service platforms, such as Cerber. Despite the entry of new players to the marketplace, the Neutrino, Magnitude, RIG, Sundown and Hunter exploit kits have all remained active and developed, and have benefited from the demise of Angler and Nuclear in that they have been acquiring more revenue than they had prior to June 2016.



Based on the drivers we included as part of our forecasting, it was assessed that the most likely scenario in 12 months’ time will be that exploit kits will continue to pose the same threat level as they have done in recent years. We have already detected demonstrable evidence of Neutrino exploit kit activity increasing since the demise of Angler and stoppage of Nuclear activity in June 2016. This, combined with the fact it has been active since 2013, will likely make it the most prominent exploit kit in future – closely followed by Magnitude.