{
	"id": "39a52aa5-a8be-4386-a083-e84d43b9910d",
	"created_at": "2026-04-06T00:12:15.056034Z",
	"updated_at": "2026-04-10T03:20:27.801328Z",
	"deleted_at": null,
	"sha1_hash": "a173d8dced230ac3f1d5e80667531b8bd35cf775",
	"title": "Neutrino",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 228523,
	"plain_text": "Neutrino\r\nArchived: 2026-04-05 12:46:26 UTC\r\nShort bio\r\nThe Neutrino exploit kit is a malicious toolkit that can be used by attackers who are not computer-security experts. Threat actors with no coding experience can still use exploit kits like Neutrino to conduct their illegal activity.\r\nHistory\r\nExploit kits, sometimes referred to as exploit packs, are toolkits that automate the exploitation of client-side vulnerabilities, often targeting browsers and the applications that a website can invoke through the browser. Known exploit targets have included vulnerabilities in Adobe Reader, the Java Runtime Environment and Adobe Flash Player.\r\nNeutrino began by targeting CVE-2012-1723, CVE-2013-0431 and CVE-2013-0422, all of them vulnerabilities in the Java Runtime Environment (JRE). It was marketed as a simple-to-use kit with a user-friendly control panel.\r\nCommon infection method\r\nThe Neutrino toolkit compromises systems by exploiting vulnerabilities in various vendors' software on the victim's machine.\r\nCampaigns targeting WordPress sites have been observed using dynamic iframe injection. The goal of the campaign was to fully compromise the site: adding a webshell (a remote access tool (RAT) or backdoor), harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, which resembles recent Angler samples. The threat actors' aim is to redirect victims to their payload, which includes ransomware.\r\nAssociated families\r\nExploit kits/packs and ransomware.\r\nRemediation\r\nMalwarebytes Anti-Exploit stops the Neutrino EK, while Malwarebytes Anti-Malware already detects known dropped binaries, such as the Andromeda/Gamarue malware. Keep your system patched and your applications updated.\r\nAftermath\r\nThe outcome of a successful exploitation of a victim's system varies, but it can lead to the download of an encrypted executable. The binary is decrypted and begins beaconing immediately, which can lead to a CryptoWall infection.\r\nAvoidance\r\nIt is best to practice good security hygiene by keeping systems patched and programs updated. Furthermore, ensure you have antivirus, anti-exploit and anti-malware protection. For even more protection, it is good to have a dedicated firewall.\r\nSource: https://blog.malwarebytes.com/threats/neutrino/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threats/neutrino/"
	],
	"report_names": [
		"neutrino"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a173d8dced230ac3f1d5e80667531b8bd35cf775.pdf",
		"text": "https://archive.orkl.eu/a173d8dced230ac3f1d5e80667531b8bd35cf775.txt",
		"img": "https://archive.orkl.eu/a173d8dced230ac3f1d5e80667531b8bd35cf775.jpg"
	}
}