{
	"id": "ba3c5e53-ce5b-4476-97e7-7473dd4aa3ef",
	"created_at": "2026-04-06T00:22:19.259525Z",
	"updated_at": "2026-04-10T13:11:35.296423Z",
	"deleted_at": null,
	"sha1_hash": "b41c0a120ea5d52f7ba5b01995e313dd2a7d9a67",
	"title": "nao-sec.org",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 345429,
	"plain_text": "nao-sec.org\r\nBy nao_sec\r\nPublished: 2021-04-15 · Archived: 2026-04-05 16:06:32 UTC\r\nExploit Kit still sharpens a sword\r\n2021-04-15\r\nNote: This blog post will not make sense to many people.\r\nIt’s 2021 now, and the first quarter has already passed. I thought the Drive-by Download attack died four years ago. Angler Exploit Kit disappeared, the pseudo-Darkleech and EITest campaigns disappeared, and RIG Exploit Kit also declined. At that time, the Drive-by Download attack was definitely supposed to die. However, even in 2021 it has not disappeared; a small fire still burns.\r\nIn April 2021, I received some incredible notices, for example the following notifications.\r\nPurpleFox Exploit Kit has started exploiting CVE-2021-26411\r\nRIG Exploit Kit has started exploiting CVE-2021-26411\r\nBottle Exploit Kit is back, and has started exploiting CVE-2020-1380 and CVE-2021-26411\r\nUnderminer Exploit Kit is back\r\nLet me repeat: it’s 2021 now, not 2017. Internet Explorer’s share was taken away by Chrome and Edge, and the Drive-by Download attack was supposed to die. Why are there still Drive-by Download attacks? Here are some reasons, including the opinions of my friends.\r\n1. Internet Explorer is still used in some countries/regions, including Japan\r\n2. Due to the influence of the coronavirus pandemic, remote work has increased, and the number of users with network security vulnerabilities has increased\r\n3. Internet Explorer vulnerabilities are still being discovered and exploit code is still being published\r\nIn reality, these are intricately intertwined, and there may be other reasons.\r\nIn any case, Drive-by Download attacks are still being observed, and they are a little more active. This is irrelevant for most people, because most people don’t use Internet Explorer. If you don’t use Internet Explorer, a typical Exploit Kit attack is not a threat. 
A small number of targeted attacks may use a Chrome 0day, which is not discussed here.\r\nFor the few enthusiastic Internet Explorer users that exist, I write this blog post. In other words, I will introduce the characteristics of the common Drive-by Download attacks that you may encounter as of April 2021. Thanks to my friends (@jeromesegura, @nao_sec members) for helping me write this blog post.\r\nExploit Kit Landscape\r\nhttps://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html\r\nPage 1 of 5\r\nAs of April 2021, the following 6 types of Exploit Kits have been observed to be active.\r\nRIG\r\nSpelevo\r\nPurpleFox\r\nUnderminer\r\nBottle\r\nMagnitude\r\nnao_sec has been running a fully automatic Drive-by Download attack observation environment called Augma System[1] for three years. The data observed by it is as follows. Some Exploit Kits are not counted because they are observed in different environments.\r\nThe features of the 6 types of Exploit Kits currently observed are as follows.\r\nExploit Kit   Private   Recent update   Exploits\r\nRIG           No        Yes             CVE-2020-0674, CVE-2021-26411\r\nSpelevo       No        No              CVE-2018-8174, CVE-2018-15982\r\nPurpleFox     Yes       Yes             CVE-2021-26411\r\nUnderminer    Yes       No              CVE-2018-15982\r\nBottle        Yes       Yes             CVE-2020-1380, CVE-2021-26411\r\nMagnitude     Yes       Yes             CVE-2021-26411\r\nHere is sample traffic for each.\r\nRIG Exploit Kit\r\nRIG is an Exploit Kit that has been active since around 2014. It was extremely active from 2016 to 2017, but then declined with the advent of Fallout and others. However, it is still active in 2021.\r\nRIG started abusing CVE-2021-26411 in April 2021 and is still incorporating changes. Landing Pages are no longer obfuscated as they used to be; the code is very simple. The malware is RC4 encrypted.\r\nDownload sample traffic here.\r\nSpelevo Exploit Kit\r\nSpelevo is an Exploit Kit that appeared in 2019. 
It was very mature in 2020, and in 2021 it is one of the most active Exploit Kits.\r\nSpelevo hasn’t changed for a long time. Spelevo hides the malware in an image. See this article[2] for detailed behavior.\r\nDownload sample traffic here.\r\nPurpleFox Exploit Kit\r\nPurpleFox is an Exploit Kit that has been active since 2019. It is a private exploit kit for delivering the PurpleFox malware. It is enthusiastic about exploits and fairly fast at incorporating new vulnerabilities.\r\nSpelevo has started to exploit CVE-2021-26411 in April 2021. However, the other parts have not changed for a long time.\r\nDownload sample traffic here.\r\nUnderminer Exploit Kit\r\nUnderminer is an Exploit Kit that appeared in 2018. It is a pretty distinctive Exploit Kit and is known to be extremely difficult to analyze. It is used to deliver its own malware, called Hidden Bee. See this article[3] for more details.\r\nUnderminer has a cycle of several months of activity followed by several months of silence. It had been silent since November 2020, but was revived in April 2021. Its essence hasn’t changed at all.\r\nDownload sample traffic here.\r\nBottle Exploit Kit\r\nBottle is an Exploit Kit that appeared in 2019. It is an extremely rare Exploit Kit that targets only Japan. It is used to deliver its own malware, called Cinobi.\r\nIt is one of the most active Exploit Kits in Japan. It had not been observed since November 2020, but it was revived in April 2021. It is also worth noting that, unlike other Exploit Kits, it exploits CVE-2020-1380 and CVE-2021-26411. It has been pointed out that it is related to MageCart and phishing campaigns. See this article[4] for more details.\r\nDownload sample traffic here.\r\nMagnitude Exploit Kit\r\nMagnitude is one of the oldest existing Exploit Kits. 
It has been observed only in certain countries/regions such as South Korea and Taiwan, and the details have not been reported much.\r\nIts activity was also reported in April 2021. It exploits CVE-2021-26411 and is still actively evolving.\r\nOne more: #MagnitudeEK pic.twitter.com/pOuIZzAPZG\r\n— Jérôme Segura (@jeromesegura) April 14, 2021\r\nFinally\r\nDrive-by Download attacks are still observed in 2021. They have nothing to do with most people. As with Adobe Flash Player, stop using Internet Explorer immediately. That is the simplest solution. Drive-by Download attacks continue to exist as long as Internet Explorer does.\r\nReferences\r\n[1] https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-KoikeChubachi.pdf\r\n[2] https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit\r\n[3] https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/\r\n[4] http://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_103_koike-takai_jp.pdf\r\nSource: https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html"
	],
	"report_names": [
		"exploit-kit-still-sharpens-a-sword.html"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434939,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b41c0a120ea5d52f7ba5b01995e313dd2a7d9a67.pdf",
		"text": "https://archive.orkl.eu/b41c0a120ea5d52f7ba5b01995e313dd2a7d9a67.txt",
		"img": "https://archive.orkl.eu/b41c0a120ea5d52f7ba5b01995e313dd2a7d9a67.jpg"
	}
}