Afraidgate: Major Exploit Kit Campaign Switches from CryptXXX Ransomware Back to Locky

By mid-July 2016, the Afraidgate campaign stopped distributing CryptXXX ransomware. It is now distributing the “.zepto” variant of Locky. Afraidgate has been using Neutrino exploit kit (EK) to distribute malware after Angler EK disappeared in early June 2016. As we previously reported, this campaign continues to utilize gate domains using name servers from afraid.org.

Understanding Angler Exploit Kit – Part 2: Examining Angler EK

This is the second part of a two-part blog post for understanding Angler exploit kit (EK). The first part covered EKs in general. This blog focuses on the Angler EK. Angler is currently one of the most advanced, effective, and popular exploit kits in the cyber criminal market. It generally uses the most recent exploits

Afraidgate: Major Exploit Kit Campaign Swaps Locky Ransomware for CryptXXX

In mid-April 2016, a campaign using Nuclear Exploit Kit (EK) to distribute Locky ransomware switched to using the Angler EK to install CryptXXX ransomware. This campaign uses gates registered through FreeDNS at afraid.org. We are calling this the Afraidgate campaign. Although we continue to see Locky distributed through malicious spam, we have not noticed Locky
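Both Afraidgate entries above single out one stable trait of the campaign: its gate domains are registered through FreeDNS and carry name servers under afraid.org. The following Python is an added example, not code from Unit 42 or from the posts above, showing how a hunter could apply that trait to passive-DNS style NS records. The record format, the helper names and the sample domains are assumptions made for the example; the sample lines are constructed and are not real indicators. A FreeDNS name server on its own is a weak signal (many legitimate hobbyist domains use afraid.org), so the output is a candidate list to correlate with web proxy logs, not a verdict.

```python
# Added example (not from the Unit 42 posts): flag domains whose authoritative
# name servers fall under afraid.org, the FreeDNS provider the Afraidgate
# campaign used for its gate domains. Input is assumed to be passive-DNS style
# lines of the form "<domain> NS <nameserver>"; this format is an assumption.
from collections import defaultdict

# Constructed sample records. The domain names are placeholders, not real IOCs.
SAMPLE_NS_RECORDS = """\
gate1.example-gate.net NS ns1.afraid.org
gate1.example-gate.net NS ns2.afraid.org
www.example.com NS ns1.example.com
www.example.com NS ns2.example.com
mixed.example.org NS ns1.example.org
mixed.example.org NS ns3.afraid.org.
bad line without enough fields
"""

FREEDNS_SUFFIX = ".afraid.org"


def parse_ns_records(text):
    """Return {domain: set(nameservers)} from lines of '<domain> NS <ns>'.

    Malformed lines are skipped rather than raising, since passive-DNS
    exports are often noisy. Names are lower-cased and a trailing dot
    (FQDN form) is stripped so comparisons are consistent.
    """
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1].upper() != "NS":
            continue
        domain = parts[0].lower().rstrip(".")
        nameserver = parts[2].lower().rstrip(".")
        records[domain].add(nameserver)
    return dict(records)


def freedns_nameservers(nameservers, suffix=FREEDNS_SUFFIX):
    """Return the sorted subset of nameservers under the FreeDNS suffix.

    Matches the apex itself (afraid.org) and any subdomain of it
    (ns1.afraid.org), but not look-alikes such as notafraid.org.
    """
    apex = suffix.lstrip(".")
    return sorted(ns for ns in nameservers if ns == apex or ns.endswith(suffix))


def flag_freedns_domains(text, suffix=FREEDNS_SUFFIX):
    """Return sorted (domain, [matching nameservers]) pairs for review.

    A domain is flagged if at least one of its NS records is under the
    FreeDNS suffix, even when other NS records point elsewhere.
    """
    flagged = []
    for domain, nameservers in parse_ns_records(text).items():
        hits = freedns_nameservers(nameservers, suffix)
        if hits:
            flagged.append((domain, hits))
    return sorted(flagged)


if __name__ == "__main__":
    for domain, hits in flag_freedns_domains(SAMPLE_NS_RECORDS):
        print(f"{domain}: FreeDNS name servers {', '.join(hits)}")
```

Feed the flagged domains into a second pass over proxy or IDS logs: a FreeDNS-hosted host that appears as an injected script reference on compromised sites and then redirects to a Neutrino landing page is the pattern the posts describe, whereas FreeDNS alone is not.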
