{
	"id": "6dcc4538-771d-47bb-9d8d-553d6b615f34",
	"created_at": "2026-04-06T01:29:29.718689Z",
	"updated_at": "2026-04-10T03:23:15.613571Z",
	"deleted_at": null,
	"sha1_hash": "86a5dbfee919f1be072f83dbdc1f23fc78191c71",
	"title": "Meet Niteris EK (formerly known as CottonCastle)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 92718,
	"plain_text": "Meet Niteris EK (formerly known as CottonCastle)\r\nArchived: 2026-04-06 01:08:14 UTC\r\nThanks to an independent researcher from Russia who shared some referers driving to an Exploit Kit on tcp 27005, I was able to meet again the \"Unknown EK\" that was first spotted by EKWatcher in September 2013.\r\nGET http://alabamarog.socket-render.info:5125/h2p/3/BG/f444ab1cfeb2945d149c03508367776f.dts\r\n200 OK (application/octed-stream)\r\nGET http://alabamarog.socket-render.info:5125/h2i/3/BG/c708c60762f6a35c5fce213eb840ce51\r\n200 OK (application/octed-stream)\r\n------------------------------------------\r\nOT: that infection chain was really interesting.\r\nOut of topic 1: the redirecting JS on the compromised website is quite interesting.\r\nThere are points that I have trouble explaining.\r\nThe day after, the counter had disappeared and the Exploit Kit seemed not to reply to hosts from RU/UA. Really strange when we see what those counters were like on the 5th:\r\nhttps://malware.dontneedcoffee.com/2014/06/cottoncastle.html\r\nPage 1 of 13\r\n[Figure: Distribution of OS hitting the Exploit Kit landing, 2014-06-06]\r\n[Figure: One month of stats on the counter that was associated with the landing, 2014-06-05 (note: the EK is not associated with that counter right now)]\r\nNow let's see how this Exploit Kit is \"weaponized\".\r\nCottonCastle: CVE-2013-0634\r\n[Figure: Successful pass for CVE-2013-0634 in CottonCastle (from CA), 2014-06-06 (post-shellcode call missing here)]\r\nGET http://afasaq.jax-updates .pw:4433/forum/view/3/494f2e325d7efeaa894484780954a500/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F\r\n203 Non-Authoritative Information (text/html)\r\nGET http://afasaq.jax-updates .pw:4433/forum/tracker/3/AC/be2a27de7a3778b96a858d59d4569ba4/348.338.161.453/\r\n200 OK (application/x-shockwave-flash)\r\nGET http://afasaq.jax-updates .pw:4433/forum/advertisement/3/AC/464feda74d209abca9a05f244f4d7f3e\r\n200 OK (text/html) (detailed in the CVE-2013-2465 pass)\r\nGET http://afasaq.jax-updates .pw:4433/forum/torrents/3/AC/37e8ccf9bf7a70d40d877bb592bd788a\r\nIn that case I blocked the shellcode from executing the payload.\r\n[Figure: Shellcode trying to execute the payload]\r\nBut you should see that after infection:\r\nGET http://afasaq.jax-updates .pw:4433/forum/posting/111/\r\n409 Conflict (text/html)\r\nHost IP:\r\n62.113.208.7\r\n47447 | 62.113.192.0/18 | TTM | DE | 23MEDIA.EU | 23MEDIA GMBH\r\nCottonCastle: CVE-2014-0515\r\nIt's the first time I see it in an Exploit Kit.\r\n[Figure: CVE-2014-0515 firing in CottonCastle from DE, 2014-06-05 - Flash 13.0.0.182]\r\nGET http://ajigin.iam-updates .pw:4433/forum/view/3/f2fdfed9c68b57f0ce6427defab7aa08/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F\r\n203 Non-Authoritative Information (text/html)\r\nGET http://ajigin.iam-updates .pw:4433/forum/tracker/3/ED/333f38dc127936ab62ca5ce517c1ccd0/346.343.343.481/\r\nGET http://ajigin.iam-updates .pw:4433/forum/advertisement/3/ED/4babaee37c31c47fe9dadc004f7a8732\r\n200 OK (text/html) (detailed in the CVE-2013-2465 pass)\r\nGET http://ajigin.iam-updates .pw:4433/forum/torrents/3/ED/277ff652f2cb92471a6abfd2a5f26341\r\nGET http://ajigin.iam-updates .pw:4433/forum/posting/111/\r\n409 Conflict (text/html)\r\nCottonCastle: CVE-2013-2465\r\n[Figure: CottonCastle firing code exploiting CVE-2013-2465 to java6u45, 2014-06-06]\r\nGET http://abuzuc.jax-updates .pw:4433/forum/view/3/f379a32d59f0fe08d75cecbb9b12b558/http%3A%2F%2Fherites.in%2Ffeeling%2Ffdhsasfetgfvsaxa%2F\r\n203 Non-Authoritative Information (text/html)\r\nNote: \"OrbitWhite\" is the RC4 key used by the RC4 function in the jar file.\r\nSession after hex2bin and RC4 decryption: http://abuzuc.jax-updates.pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c\r\nGET http://abuzuc.jax-updates .pw:4433/forum/profile/3/AC/874a6ece58907e1f46934ea503aede0d.djvu\r\n200 OK (text/html)\r\nGET http://abuzuc.jax-updates .pw:4433/forum/topic/3/AC/c94043e9a1ef9b59b382d5803fa3dadd.mkv\r\n200 OK (application/octed-stream) Exploit for CVE-2013-2465\r\nGET http://abuzuc.jax-updates .pw:4433/forum/advertisement/3/AC/b87f6bc7ee855098e825312e151cc54c\r\nGET http://abuzuc.jax-updates .pw:4433/forum/torrents/3/AC/7dc49f51e16116534357d5918c33a29a\r\nOnce again I blocked the payload execution, but if infected you should get:\r\n[Figure: Call back to the EK once the payload is executed]\r\nGET http://abuzuc.jax-updates .pw:4433/forum/posting/111/\r\n409 Conflict (text/html)\r\nCottonCastle: CVE-2013-0422\r\nI won't go into as much detail as I did for CVE-2013-2465, but it's the same approach.\r\nGET http://bzycok.key-updates .pw:4433/forum/view/3/8216ed0f457b3ac54ca52cd13383fe25/http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09\r\n203 Non-Authoritative Information (text/html)\r\nGET http://bzycok.key-updates .pw:4433/forum/profile/3/LN/0d240529777cb6a302fdbbc437633a3d.djvu\r\n200 OK (text/html)\r\nGET http://bzycok.key-updates .pw:4433/forum/topic/3/LN/5453f6a894b378e19e5af7cce177803c.mkv\r\n200 OK (application/octed-stream) 4724436c4f4a0d3406142b8cb9bee3c3\r\n[Figure: Piece of CVE-2013-0422 in CottonCastle, 2014-06-06]\r\nGET http://bzycok.key-updates .pw:4433/forum/advertisement/3/LN/54642665c1bd63f868f64db861c8a953\r\n200 OK (text/html) Encoded VBS\r\nGET http://bzycok.key-updates .pw:4433/forum/topic/3/LN/5453f6a894b378e19e5af7cce177803c.mkv\r\n409 Conflict (text/html)\r\nGET http://bzycok.key-updates .pw:4433/forum/torrents/3/LN/1053ddb4e24bf9361a07d6bd5ed345ba\r\n200 OK (application/x-bittorrent) \u003c Decoded payload: 22e98a119b8e0f1c0616fd7e377d0ec6, same family as previous.\r\nGET http://bzycok.key-updates .pw:4433/forum/posting/111/\r\n409 Conflict (text/html)\r\nCottonCastle: CVE-2013-2460\r\nOnce again I won't go into as much detail as I did for CVE-2013-2465, but same approach.\r\n[Figure: CVE-2013-2460 in CottonCastle: 2]\r\nGET http://bkysur.key-updates .pw:4433/forum/view/3/22bd553e598f5b43b7cfee1ee2630080/http%3A%2F%2Fleveloped.in%2Fgovernment%2F70d83bde3d5f7e09\r\n203 Non-Authoritative Information (text/html)\r\nGET http://bkysur.key-updates .pw:4433/forum/profile/3/AC/bbce0e49bfc08250668441d0b80b7a63.djvu\r\n200 OK (text/html)\r\nGET http://bkysur.key-updates .pw:4433/forum/topic/3/AC/f2fe8bbc9c621e65a054598f8109a9a3.mkv\r\n200 OK (application/octed-stream) be66263cd1524b72423c0b5ec8094113\r\n[Figure: CVE-2013-2460 in CottonCastle, 2014-06-06]\r\nGET http://bkysur.key-updates .pw:4433/forum/topic/3/AC/f2fe8bbc9c621e65a054598f8109a9a3.mkv\r\n409 Conflict (text/html)\r\nGET http://bkysur.key-updates .pw:4433/forum/advertisement/3/AC/540ff821785fd90aeed5e30ee351a6c9\r\n200 OK (text/html) Encoded VBS\r\nGET http://bkysur.key-updates .pw:4433/forum/torrents/3/AC/bc5215485d8c485b2b277a5f569a6bad\r\n200 OK (application/x-bittorrent)\r\nGET http://bkysur.key-updates .pw:4433/forum/posting/111/\r\n409 Conflict (text/html)\r\nCottonCastle: CVE-2013-2551\r\nThis CVE has been captured by Set_Abominae, covered by Malwageddon and identified by regenpijp1.\r\nI may update this post later once I face it.\r\nThis Exploit Kit is not widely used (maybe only by the operators of the Corkow botnet - and a 2nd TDS).\r\nSource: https://malware.dontneedcoffee.com/2014/06/cottoncastle.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malware.dontneedcoffee.com/2014/06/cottoncastle.html"
	],
	"report_names": [
		"cottoncastle.html"
	],
	"threat_actors": [
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775438969,
	"ts_updated_at": 1775791395,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/86a5dbfee919f1be072f83dbdc1f23fc78191c71.pdf",
		"text": "https://archive.orkl.eu/86a5dbfee919f1be072f83dbdc1f23fc78191c71.txt",
		"img": "https://archive.orkl.eu/86a5dbfee919f1be072f83dbdc1f23fc78191c71.jpg"
	}
}