An exploit kit (sometimes referred to as “exploit pack”, abbreviated EK) is a framework that automates on the server side the discovery and exploitation of software vulnerabilities with the goal of delivering malware at scale. Hosted on attacker-controlled infrastructure and typically reached through a compromised website, it dynamically selects from a collection of exploits based on the target's environment.
In practice, this means a curated library of exploits, delivery logic, and command-and-control components that are continuously maintained so that a threat actor can run exploitation campaigns without ever writing an exploit from scratch. The operator doesn't need to understand the vulnerability. They just need access, a shift that matters because exploitation stops being a specialist capability and becomes an operational process.
Historically, exploit kits have focused on client-side attack surfaces like web browsers and browser-adjacent components such as plugins and runtimes. What made browsers the ideal target is the fact that they are universally exposed, deeply integrated with user activity, and rich in exploitable complexity.
Distribution matters as much as design in the case of EK. They are rarely built for a single operator, following a crimeware-as-a-service model in which operators maintain the infrastructure and exploit library. Other threat actors rent access to run campaigns, often through interfaces and update cycles that resemble legitimate software subscriptions. The expertise required to build an exploit is less relevant to the person deploying it, a separation that turned exploitation into a scalable criminal service.
An exploit is a piece of code, sometimes just a few lines, that is built to trigger a specific software or hardware vulnerability. The goal is to force unintended behavior: arbitrary code execution, privilege escalation, unauthorized access. But an exploit is not the malware itself. It's the malicious code that creates the opening, and the payload that follows does the actual damage.
A single, purpose-built artifact designed to work under narrow conditions (typically tied to a particular software version or configuration), an exploit differs from an exploit kit in scope. One targets a vulnerability. The other aggregates many exploits into a coordinated system and applies them at scale.
Exploit vs. Exploit Kit
|
Aspect |
Exploit |
Exploit Kit |
|
Purpose |
Targets a specific vulnerability |
Runs exploitation campaigns across many targets at once |
|
Scope |
One vulnerability, one flaw |
Bundles dozens of exploits under a single framework |
|
Components |
Malicious code written for a single flaw |
Full framework: exploit library, traffic filtering, payload delivery, C&C panel |
|
Target knowledge |
The attacker already knows (or assumes) which vulnerability to hit |
Profiles the target environment and picks the right exploit automatically |
|
Role |
A technical mechanism - the tool itself |
An operational platform for managing campaigns |
|
Evasion |
Code-level techniques to avoid detection |
Layered evasion: traffic filtering, geo-fencing, anti-analysis checks |
A single web visit, no click, no download prompt, no user mistake. That is the premise of a drive-by download attack, and it is the model exploit kits are built around. Where phishing depends on convincing a victim to act, exploit kits place the entire burden on the attacker’s infrastructure.
The chain follows a consistent pattern:
The entire sequence from first contact to payload execution typically completes in seconds, which means that it is virtually impossible for the user to intervene manually.
MITRE ATT&CK mapping: This chain falls under Initial Access: T1189 - Drive-by Compromise, which covers client-side exploitation triggered by visiting a malicious or compromised site. Worth noting the distinction with T1190 - Exploit Public-Facing Application: that technique describes server-side attacks against exposed services, where the attacker's target is infrastructure rather than the end user's browser.
The infection chain described above runs on layered infrastructure. Each component maps to a stage in that chain, and together they form what is best described as a modular exploit kit, each piece replaceable without rebuilding the whole.
Traffic distribution and redirection layer (TDS): Not every visitor to a compromised site ends up at the exploit kit. The TDS sits in front of the kit's infrastructure and filters incoming traffic before anything else happens, passing through users who look like viable targets while redirecting security researchers, known bots, and visitors from the wrong geography to harmless pages. URL rotation, domain generation, and fast-flux DNS keep the infrastructure cycling fast enough to stay ahead of blocklists.
Landing page: The controlled execution environment where the kit’s logic runs, served through obfuscated, frequently rotated URLs.
Fingerprinting module: Implemented through JavaScript running in the browser, this component collects details about the environment like browser version, operating system, installed plugins, and other signals that indicate whether a target is exploitable. More advanced variants also check for virtual machines or sandbox conditions and simply stop if they detect analysis.
Exploit repository: The kit maintains a set of exploits mapped to specific vulnerabilities and target applications. Entries are added and removed as targets change, allowing the exploit set to stay current without reworking the rest of the system.
Payload delivery mechanism: The next stage is executed on the host through in-memory techniques, but file-based delivery or staged binaries can also be observed.
Administration and telemetry interface: Operators manage campaigns through an administration user interface with real-time visibility into campaign performance and targeting parameters. Many builds run on common web stacks, open-source components such as PHP, Apache, and MySQL.
Vulnerabilities
Exploit kits were engineered around one core observation: users don’t patch quickly, and attackers don’t need them to. The software categories that defined the EK peak era were chosen because they were ubiquitous, complex, and consistently behind on updates.
Exploit Kit Targets At a Glance
|
Software Target |
Typical Vulnerabilities |
Notes |
|
Adobe Flash Player |
Dominant EK target pre-2020; CVE-2015-5119 exposed in the Hacking Team breach was weaponized within days |
|
|
Java Runtime (JRE) |
Early EK staple; declined as browser support was removed |
|
|
Internet Explorer & Windows scripting |
Sustained EK activity post-Flash via VBScript/JScript engines |
|
|
Microsoft Silverlight |
Legacy plugin attack surface |
|
|
Adobe Reader |
Various PDF exploit vectors |
Document rendering exploited within browser context |
Exploit kits weren't built so much around finding new flaws, but rather using the gap that appears between when a patch drops and when organizations actually deploy it. Ponemon Institute research put that window at 16-17 days on average for critical vulnerabilities, and respondents reported breaches even when the fix was already available. Recent data shows the gap continuing to shrink: nearly 29% of known vulnerabilities in 2025 were exploited on or before the day the CVE was published.
With Flash and Java now deprecated, current EK operators have concentrated on IE/Edge legacy mode, Windows scripting components, and zero-day vulnerabilities where no patch window exists at all.
Initial Access Vectors
Two mechanisms have historically funneled victims into the exploit kit chain.
Malvertising allows threat actors to purchase or compromise ad inventory through real-time bidding platforms, placing exploit kit redirects in front of visitors to high-traffic sites, with Yahoo, YouTube, and MSN among documented targets. The site operator has no visibility into what the ad network serves. Increasingly, these campaigns combine technical redirection with social engineering lures such as fake browser update prompts or CAPTCHA challenges, especially as fully silent exploitation has become less reliable.
Watering hole attacks take a more targeted path: EK code is injected into a compromised website that a specific audience frequents. The LightsOut EK compromised the website of a law firm with energy-sector clients, a precise audience with no reason to suspect the site.
Secondary vectors include iframe injection into compromised CMS platforms (WordPress, Joomla) and spam email redirect chains that deposit victims at the landing page through a sequence of forwarded links.
A drive-by download attack occurs when a user’s browser or plugin is exploited simply by visiting a webpage. No file to open, no prompt to accept. The visit itself is the trigger.
Web exploit kits are built around exactly that model. Traffic reaches the landing page through malvertising or a compromised website. From there, the exploit kit takes over the process automatically, using the visitor's environment to determine whether exploitation is possible.
This is where it differs from phishing. Phishing depends on user action. A drive-by download does not, browsing alone is enough.
Document-based “exploit kits” (often called exploit builders) bundle multiple exploits into weaponized files - Office documents or PDFs - targeting components like OLE (Object Linking and Embedding), Equation Editor, or embedded Flash. They do not rely on drive-by traffic.
Delivery depends on social engineering: typically phishing emails that convince the user to open the document. Once opened, the embedded exploits trigger and execute malicious code within the document-handling application. ThreadKit and VenomKit are representative examples.
The exploit-bundling concept overlaps with web EKs, but the delivery path, execution context, and telemetry signatures are different enough to treat them as a distinct category.
Payload delivery is conditional. It occurs only after the exploit kit has identified a viable vulnerability and successfully executed the exploit. If those steps fail, nothing lands on the machine.
During the EK peak era, the kit itself was secondary and what mattered was the payload it carried, common categories being ransomware, banking trojans and remote access tools that intercepted credentials or provided persistent control, as well as information stealers which harvested passwords, session tokens, stored browser data, etc.
Botnets were another common payload, that is, infected systems enrolled into remotely controlled networks, often without any visible sign of compromise. File downloaders served a staging function, pulling and executing secondary malware after the initial foothold was established. The Neutrino kit ran exactly this sequence at scale, using it to distribute Locky ransomware across large numbers of targets.
Exploit kits didn't emerge fully formed. They were built up commercially, refined through competition, and eventually hollowed out by the same platform changes that made them effective in the first place.
MPack / WebAttacker (2006): The early proof of concept for the commercial model. Bundled exploits, centralized management, and sale on underground forums is the template that every kit afterward borrowed from.
Blackhole EK (2010–2013): For several years, this was effectively the default exploit kit in active campaigns. Its rental model made it widely accessible, and its collapse followed the arrest of its author (“Paunch”), which disrupted the ecosystem around it almost immediately.
Nuclear EK: Active through the mid-2010s, Nuclear worked the Flash, Internet Explorer, and PDF attack surfaces. It supported multi-vector campaigns and delivered ransomware such as CryptoWall 4.0 before fading as those attack surfaces were removed.
Angler EK: The technical high-water mark. Angler combined zero-day integration with a highly optimized redirection infrastructure. It went inactive in 2016 following the arrest of members of the Lurk cybercrime group.
Neutrino EK: Originally positioned as a successor to Blackhole, Neutrino shifted over time toward ransomware distribution, including campaigns that delivered Locky. Activity dropped off and the kit ceased operations in 2017.
RIG EK: RIG appeared after Angler declined and remains one of the few exploit kits still seen in the wild. It runs at lower volume than its peak-era predecessors, mostly showing up against unpatched systems and environments still running legacy browsers.
Magnitude EK: Built around Internet Explorer vulnerabilities, Magnitude never scaled globally but never disappeared either. It has kept a foothold through regional campaigns, particularly in parts of Asia where older browser versions stayed in use longer.
Fallout EK: Relied on malvertising chains and delivered both ransomware and information stealers, a clear example of the continued link between exploit kits and financially motivated payloads.
ClearFake: A contemporary, EK-adjacent framework that reflects how the model has shifted. Rather than silent exploitation, ClearFake uses fake browser update lures that require user execution, blending exploit kit infrastructure with social engineering techniques.
MPack and Blackhole proved the commercial model worked. Angler showed how far it could be pushed technically, integrating zero-days and optimizing delivery chains in ways that kept it ahead of defenses. By the mid-2010s, exploit kits were a standard distribution layer for ransomware and credential theft operations.
Exploit kits did not disappear all at once, their role just narrowed over time because of the environmental changes. The model became harder to sustain as browser security improved, legacy plugins were removed, and several operators were disrupted. What remained were smaller operations. Kits like RIG and Magnitude continued to appear, but mostly in legacy environments or in regions where older software was still in use. More recent frameworks such as ClearFake kept the web-based delivery approach but shifted toward user-triggered execution instead of relying on silent exploitation.
The surrounding ecosystem changed as well. Exploit kits are now often one stage in a larger crimeware chain, providing initial access that other actors use. Public kits tend to rely on known vulnerabilities, while more controlled frameworks used by advanced actors incorporate non-public zero-day vulnerabilities.
Some of the design patterns still carry over into current attack methods. Generative AI is being tested for code variation and for producing evasive landing content, although fully autonomous exploit kits have not been observed. Current campaigns show some directional movement toward session token theft and OAuth abuse. Attacking authentication state rather than software flaws sidesteps the patch cycle entirely, which suggests where pressure will continue to build regardless of what happens to exploit kit infrastructure specifically.
No single alert is definitive. Patterns matter. Effective detection of exploit kit activity depends on correlating weak signals across host and network layers.
Endpoint level. Endpoint protection platforms like EDR can reveal telemetry about the exploit tied to browser processes such as unusual child process creation (e.g., browser to wscript/powershell), unsigned module loads, obfuscated script fetches, suspicious RWX memory allocations.
Network side. Intrusion detection systems should normally flag anomalous web behavior such as chained redirects, unexpected iframe or script loads, high-entropy URL patterns.
However, the strongest signal comes from correlating browser activity with abnormal process execution, consistent with MITRE ATT&CK detection strategies for T1189 (Drive-by Compromise).
Useful telemetry sources include: browser and application logs, process creation events, network flows, proxy and web gateway data; full URL paths and referrers are what make it possible to reconstruct a redirect chain during incident response (IR). Encrypted traffic is a real limitation here: where inspection isn't possible, parts of the delivery chain simply won't show up in the logs.
Proxy logs are usually where investigation starts. The redirect chain appears as a sequence of 302s with randomized URI paths, and the referrer headers frequently don't match - domains that have no business being connected to each other showing up in sequence. That's typically the first thing that looks off.
PCAP data can fill in gaps. JA3 TLS fingerprints and unusual HTTP responses from landing pages are worth pulling, but on their own they won't tell you whether you're looking at an exploit kit or something else, they need to be read alongside the other evidence.
On the host, the challenge is that most traces disappear quickly. Browser memory injections and shellcode fragments are gone after a reboot, and signs of ROP-based exploitation won't show up in a standard disk examination. If host-level analysis is needed, it has to happen before the machine is touched, and it requires memory forensics tooling, not a standard IR workflow.
The goal should be kept at as practical a level as possible: reduce what can be reached, limit what can run if something gets through anyway.
Vulnerability management and patching
Patching remains the most direct control against exploit-driven compromise: exploit kits exist precisely because patch deployment takes time. That gap is what they're built around, which makes SLAs and coverage verification something worth actually enforcing rather than assuming. Enforcing automatic updates for browsers and operating systems reduces reliance on manual processes. Continuous asset visibility ensures no unmanaged or legacy systems sit exposed. Removing deprecated plugins and unsupported software eliminates entire classes of historically exploited vulnerabilities, that is, direct attack surface reduction.
Platform hardening and execution control
Hardening the browser and OS directly reduces how reliably exploits execute. A vulnerability that exists but can't be triggered cleanly is considerably less useful to an attacker, and that gap can be widened deliberately. Restricting legacy scripting engines and controlling what web content is permitted to execute push in that direction without requiring a patch to exist first. Application control policies work on the same logic. Memory protections operate differently: the underlying vulnerability may still be present, but the exploitation technique that depends on it stops working. Least privilege operates at a different stage, it doesn't prevent execution, but it limits what execution actually means. An attacker contained to a low-privilege process in a segmented environment is a different problem than one who lands with room to move.
Web traffic inspection and content controls
As we said multiple times, exploit kits depend on untrusted web content as an entry point, so the logical conclusion is that intrusion prevention systems and secure web gateways are a valid way to block known exploit infrastructure. In some cases, these can also reveal redirect patterns that don't match normal browsing behavior.
For reducing malvertising exposure, an important EK entry vehicle, control over third-party content (particularly ad delivery networks) is important, considering that attackers constantly manage to find gaps in ad verification. When threat intelligence is integrated into the mix, controls can be updated faster when the feed quality is high enough. At the gateway layer, selective static analysis can catch obfuscated scripts before execution. As useful as this is, it cannot be a substitute for patching the vulnerabilities those scripts are trying to reach.
Exploit Kits in the MITRE ATT&CK
The MITRE framework includes EK activity under T1189 (Drive-by Compromise) and T1203 (Exploitation for Client Execution). M1021 is the corresponding mitigation, blocking untrusted scripts, limiting browser plugins, filtering at the gateway. It's not foolproof though. Angler's operators were integrating zero-days faster than patches existed, so that first layer sometimes simply wasn’t there.
For incident response, the same principle applies: if the post-incident review doesn't result in actual fixes, the same attack path stays open.
Exploit kits succeed by chaining stages together - traffic redirection, environment profiling, exploitation, payload delivery. Stopping them reliably means applying controls across that sequence, not betting on a single layer catching everything. GravityZone is built around that logic.
Reducing the attack surface: Exploit kits are built around the gap between when a fix is available and when it actually reaches the endpoint. Patch Management automates the detection and deployment of updates, shrinking that window without relying on manual processes. GravityZone PHASR goes a step further: it analyzes how built-in system tools are actually used in the environment and restricts access to those that aren't needed, cutting off the utilities that exploit payloads frequently abuse once they get past the browser.
Blocking the redirection chain: Before an exploit kit can profile a target, the browser has to reach the landing page. Content Control restricts access to known malicious IPs and domains, reducing the likelihood that a malvertising redirect or compromised site ever makes contact with the endpoint.
Stopping the exploitation phase: Exploit Defense monitors memory allocation and API calls throughout. If something tries to hijack a browser process or manipulate a document reader, that's where it gets caught, including techniques aimed at vulnerabilities with no patch yet available. Shellcode running entirely in memory falls within the same coverage.
Detection and response: EDR and XDR give visibility into what happened and in what order, from the initial redirect through to execution. For teams that need continuous coverage, Bitdefender MDR puts analysts directly in the response loop rather than waiting for an internal team to pick it up.
A VPN is used to encrypt traffic and mask your IP address, but can it protect you from an EK is more related to the fact that a VPN has no visibility into the content your browser receives and processes. When a compromised site or a malvertising redirect is encountered, the EK code is delivered and executed locally. That means that the network path is irrelevant to whether exploitation succeeds. Exploit kits operate at the application layer, targeting vulnerabilities in the browser or exposed components. In other words, what determines the outcome is the patch state of the endpoint, not how traffic reached it.
Exploit kits are automated criminal platforms built for mass exploitation. The whole chain runs without sustained operator involvement: traffic gets acquired, victims get profiled, exploits get selected, payloads get delivered. Red team frameworks like Metasploit or Cobalt Strike are manually operated tools used in authorized testing that provide exploit capabilities, but do not include the delivery infrastructure that allows exploit kits to process large volumes of victims continuously. Technical differences are not large, and the same underlying vulnerability can appear in both contexts. What separates them is how they are used.
Traditional exploit kits are built around desktop browser environments and the plugin attack surface that came with them. That attack surface never existed on mobile, and sandboxing makes opportunistic browser exploitation significantly harder. Mobile threats are real, but they follow a different model, which is more targeted, more expensive, and not what the commodity EK market is built around.
Usually, there are none, at least not at the moment it happens. Exploit kits complete the entire sequence quickly and are not noticeable until the payload starts taking visible actions. Security teams rather look for a pattern across multiple signals, not a single alert, for example, browser activity that leads to process execution outside the browser, short-lived outbound connections immediately after a web session, redirects that pass through domains with no logical connection to each other. Any one of these on its own is easy to miss or dismiss. Together, they tell a different story. For users, the first visible signs are usually tied to whatever was delivered, not the exploit itself. Slowdowns, background activity that wasn't there before, security software triggering on something it found after the fact.
At the exploitation stage, traditional antivirus is largely not the right tool. Exploit kits work by triggering vulnerabilities in the browser and executing code in memory. So, no file gets written to disk, and there is nothing for a signature scanner to find at the moment the attack actually happens. Where antivirus still has a role is further down the chain. Once a payload gets written to disk or starts running, signature-based detection may catch it. But that means the initial compromise already happened. Stopping an exploit kit before it delivers anything requires different controls, like monitoring applications' behavior and what they do with memory, processes that do things they have no reason to do. Patching reduces the attack surface, while behavior-based detection and memory protection address what patching misses.