
Browser exploit kits: the rise and fall of Angler, Nuclear, and RIG

Copyright: MIT
*Header image: the words EXPLOIT KIT in mono type over a black field with an orange underline, and the line "fingerprint, then exploit, then drop".*

For about five years, the most efficient way to infect a Windows machine was to do nothing to it. You did not phish the user, you did not get them to run an attachment, you did not even need them to click. They loaded a web page, sometimes a perfectly ordinary one carrying a poisoned ad, and a piece of JavaScript quietly read off their browser, their plugins, and their patch level. If something on that list was vulnerable, a matching exploit fired, a payload landed on disk, and the page moved on. The whole transaction took under a second and left almost nothing for the user to notice. This was the exploit kit, and at its peak one operator behind one kit was reaching up to 90,000 victims a day.

Then it almost entirely stopped. Between 2015 and 2017 the kits that had defined web-borne malware went dark one after another, and the category never recovered. This post traces why. It covers the fingerprint-then-exploit flow that every kit shared, the rental economy that turned exploitation into a subscription product, the four names that mattered most (Angler, Nuclear, RIG, and Magnitude), the 2016 Russian arrests that killed Angler overnight, the coordinated takedown that gutted RIG’s infrastructure in 2017, and the slow-motion collapse that followed once Flash was scheduled for death. The through-line is a single dependency: the kits ran on a plugin that was on its way out, and when it left, so did they.

What an exploit kit actually was

An exploit kit was server-side software. That framing matters, because the malware everyone remembers, the ransomware or the banking trojan, was not the kit. The kit was the delivery machine that decided whether to fire at all and which exploit to use. The clearest academic description of this comes from PExy, a 2014 DIMVA paper out of the University of Salerno and UC Santa Barbara that statically analyzed the source code of more than 50 kits across 37 families. Their summary is worth keeping in mind: a kit is “decision-making code that facilitates fingerprinting, determines which of the kit’s available exploits are applicable to the victim, and launches the proper exploit.” New exploits could be slotted in through a standard interface. No exploitation skill was needed to operate one.

The flow had a fixed shape. A victim reached the kit through some traffic source, usually a compromised site or a malicious ad. Before they ever touched the exploit server, they passed through one or more intermediate redirects called gates, which did coarse filtering. The page they finally landed on, the landing page, ran the fingerprinting JavaScript. That fingerprint told the back end which exploit to serve. If one hit, the kit dropped the payload the customer had uploaded. If nothing matched, the visitor was waved through to a decoy and never knew anything had happened.

*Figure: the fingerprint-then-exploit flow. Malvertising / hacked site → gate (IP / UA filter) → landing page (fingerprint JS) → exploit (Flash / IE) → payload drop (ransomware); no match → decoy, exit. The chain every kit shared. Filtering happens early and cheaply; the expensive part, serving an actual exploit, only runs against a victim that fingerprinted as both vulnerable and worth infecting.*

That two-stage structure was an engineering decision, not an accident. Serving an exploit is the moment a kit exposes its most valuable asset to anyone watching, including the automated analysis systems known as honeyclients that security vendors run to harvest and blacklist exploits. The kit authors knew it. The cheaper a visitor could be rejected, the less the operation leaked. So gates and landing pages spent most of their effort deciding whom not to attack.

How the fingerprint worked

The fingerprinting itself ran on a spectrum from lazy to careful. PExy describes two modes. In the simple case, the kit did not care about exact plugin versions and just read the User-Agent string the browser sent, or a query-string parameter the attacker had set when constructing the redirect, and picked an exploit from that alone. In the careful case, the kit sent down JavaScript that actively probed the browser, enumerated installed plugins and their versions, then reported the findings back to the server, usually as a plain HTTP request with the detected details packed into the URL. The clever part is that the second mode collapsed into the first: once the browser had told the server its plugin versions, the server was back to a simple lookup keyed on parameters.

For the active probing, kits did not write plugin detection from scratch. They lifted PluginDetect, a legitimate open-source JavaScript library by Eric Gerds built to let normal websites check for Flash, Java, Silverlight, Adobe Reader, and the rest. The library returned version numbers. The kit compared those numbers against its table of exploits and chose. A real-world fingerprint payload would gather something close to the following.

// illustrative — the shape, not any real kit's code
// assumes the PluginDetect library and a helper detectIEVersion() are already loaded in the page
const probe = {
  ua: navigator.userAgent,
  flash: PluginDetect.getVersion("Flash"),        // e.g. "18,0,0,209"
  java: PluginDetect.getVersion("Java"),
  silver: PluginDetect.getVersion("Silverlight"),
  reader: PluginDetect.getVersion("AdobeReader"),
  ie_vuln: detectIEVersion()                      // for IE/VBScript bugs
};
// the kit maps (plugin, version) -> applicable CVE, then serves that one exploit

The check did more than match a vulnerable version. It also screened out anything that looked like analysis. If the visitor’s IP belonged to a security vendor, a hosting range, or a known crawler, or if the User-Agent looked like a research sandbox, the kit served the decoy instead. Some kits checked for the presence of antivirus artifacts or virtual-machine tells and bailed if they found them. This is the same instinct that drives modern sandbox-evasion fingerprinting, and the same instinct, with the polarity flipped, that anti-bot vendors now use to fingerprint the JavaScript runtime of automated clients. The exploit kit was running a bot check, except it wanted the humans and rejected the bots.
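The probe above only matters to the kit once it is reported back, and the post notes that the careful mode "collapsed into the first": the server ends up doing a lookup keyed on (plugin, version) from values packed into a URL. The same observation works in reverse for a defender. The script below is an added example, not code from the post or from any kit or vendor report: it reads a constructed web-proxy log, picks out query-string values shaped like PluginDetect output (Flash as "18,0,0,209", Java as "1.7.0_45", Silverlight as dotted quads), normalises them, and compares each against a "fixed-in" table so the analyst knows which internal hosts just told a stranger they were running a vulnerable plugin. The log format, the parameter shapes and the table are assumptions; CVE-2015-0313 is the Flash bug named in the post, and the fixed-in version attached to it here is an assumed value to check against Adobe's bulletin before relying on it.

```javascript
// Added example (not from the original post). Triage fingerprint beacons in a
// proxy log by the shape of their query-string values, then check the reported
// plugin versions against a small "fixed in" table.

// Constructed sample log: "<time> <client> <method> <url> <status>"
const SAMPLE_LOG = `
2015-06-01T10:00:01Z 10.1.2.3 GET http://cdn.example.net/app.js 200
2015-06-01T10:00:02Z 10.1.2.3 GET http://ads-sub.shadowed-example.com/land.php?ua=MSIE9&flash=18,0,0,209&java=1.7.0_45 200
2015-06-01T10:00:07Z 10.1.2.9 GET http://ads-sub.shadowed-example.com/land.php?ua=MSIE11&flash=15,0,0,246&silver=5.1.30514.0 200
`;

// Value shapes as PluginDetect reports them (assumption: the kit passes them through unchanged).
const VERSION_SHAPES = {
  flash: /^\d+,\d+,\d+,\d+$/,   // "18,0,0,209"
  java: /^1\.\d+\.\d+_\d+$/,    // "1.7.0_45"
  silver: /^\d+(\.\d+){3}$/,    // "5.1.30514.0"
};

// Assumed table: plugin -> [{ below, cve }]. The fixed-in version for
// CVE-2015-0313 is an assumption to verify against the vendor bulletin.
const FIXED_IN = {
  flash: [{ below: '16.0.0.305', cve: 'CVE-2015-0313' }],
};

// "18,0,0,209" / "16.0.0.305" / "1.7.0_45" -> [18,0,0,209]; null if not a version
function parseVersion(s) {
  const parts = String(s).split(/[,._]/);
  if (parts.length < 2 || parts.some((p) => !/^\d+$/.test(p))) return null;
  return parts.map(Number);
}

// numeric, component-wise comparison; missing trailing components count as 0
function cmpVersion(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// one beacon per request whose query string carries at least one version-shaped value
function extractBeacons(logText) {
  const beacons = [];
  for (const line of logText.split('\n')) {
    const f = line.trim().split(/\s+/);
    if (f.length < 5) continue;
    let url;
    try { url = new URL(f[3]); } catch { continue; }
    const plugins = {};
    for (const [, value] of url.searchParams) {
      for (const [plugin, re] of Object.entries(VERSION_SHAPES)) {
        if (re.test(value)) plugins[plugin] = value;
      }
    }
    if (Object.keys(plugins).length) {
      beacons.push({ time: f[0], client: f[1], host: url.hostname, plugins });
    }
  }
  return beacons;
}

// every reported (plugin, version), with the matching advisory when the table has one
function triage(logText, table = FIXED_IN) {
  const findings = [];
  for (const b of extractBeacons(logText)) {
    for (const [plugin, raw] of Object.entries(b.plugins)) {
      const v = parseVersion(raw);
      const hit = (table[plugin] || []).find((e) => cmpVersion(v, parseVersion(e.below)) < 0);
      findings.push({ client: b.client, host: b.host, plugin, version: raw, cve: hit ? hit.cve : null });
    }
  }
  return findings;
}

console.log(triage(SAMPLE_LOG));
```

On the constructed log this reports two beacons to the same landing host and flags only the second client, whose Flash 15.0.0.246 falls below the table's fixed-in version; the first client's Flash 18 and the Java and Silverlight values come back with no advisory because the table has no entry for them, which is the point of keeping the table separate from the parsing. In practice the table is whatever plugin inventory policy the fleet already maintains, and the shape-based extraction is deliberately indifferent to parameter names, since the post notes kits chose those themselves.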

The exploits themselves leaned overwhelmingly on Flash, with Internet Explorer and its scripting engines as the backup. Flash was perfect prey. It was everywhere, it was a fast-moving target with a long history of memory-corruption bugs, and it ran inside the browser with enough reach to run code. Angler in particular built a reputation for getting fresh Flash exploits into rotation faster than anyone, sometimes within days of a patch, sometimes ahead of one. CVE-2015-0313, a Flash use-after-free, was an Angler favorite. So was CVE-2016-0189, a memory-corruption bug in IE’s scripting engine that several kits adopted in 2016.

The exploit-kit-as-a-service economy

What turned exploit kits from a technique into an industry was the business model. The author of a kit did not use it to infect anyone. They rented it. A customer paid a subscription, got a control panel, uploaded whatever payload they wanted distributed, pointed traffic at it, and watched infection counts climb on a dashboard. The kit author maintained the exploits and the back-end infrastructure. The customer supplied the malware and the traffic. This is malware-as-a-service in its purest form, and it predates the ransomware-as-a-service affiliate model that later borrowed the same shape.

The economics were real money. Check Point’s 2016 analysis of Nuclear found a single operation running around 15 active control panels and pulling in roughly $100,000 a month, with customers paying a few thousand dollars monthly for access. Nuclear’s master server handed down the Flash, JavaScript, and VBScript exploits; the customer panels just managed campaigns and payloads. The structure separated the people who could write exploits from the far larger pool of people who merely wanted to spread malware, and that division of labor is what let the kits scale.

*Figure: exploit-kit-as-a-service, one author, many renters. Kit author (master / exploit server) → renter A panel (uploads ransomware, brings own traffic), renter B panel (uploads banker, brings own traffic), renter C panel (uploads clicker, brings own traffic). Exploits flow down from the author; payloads and traffic come from the renters. The split that made the market. The author kept the hard, scarce skill (writing and maintaining exploits) and rented capacity to a much larger pool of customers who only needed malware and a traffic source.*

By 2014 the market had consolidated around a handful of names. PExy’s authors noted the shift toward a “highly customizable design” and the rise of exploit-as-a-service as a defining property of the modern kit. Of the kits seen in 2013, only a minority carried into 2014, and four newer entrants (Angler, Flashpack, Magnitude, and RIG) took the majority of market share. The reseller layer mattered too: a kit author often did not sell directly to end customers but through intermediaries, which added distance between the people writing exploits and the people getting arrested.

This is also where the traffic side became its own specialty. Renters needed visitors, and buying them meant plugging into the malvertising supply chain and the traffic-distribution systems that routed and filtered web traffic at scale. A TDS sat in front of the kit, sold by yet another vendor, and decided which visitors were worth sending to the exploit server at all. By the time a victim hit the landing page, three or four separate businesses had each taken a cut.

The gate: filtering before the exploit

The gate deserves its own look because it is where a lot of the operational cleverness lived. A gate is an intermediate hop between the traffic source and the landing page whose job is to filter and obscure. It hides the final landing-page URL behind a chain of redirects, and it does cheap rejection so the exploit server never wastes itself on the wrong target.

Magnitude ran one of the better-documented examples. Its gate, nicknamed Magnigate by Proofpoint, sat between a malvertising redirect and the Magnitude landing page and did layered checks: IP geolocation, ISP identification, operating system and browser parsing from the User-Agent. A visitor who failed the geo or ISP check got a decoy page. A visitor who passed continued to the exploit. In March 2016 the gate gained more aggressive client-side fingerprinting, pulling the local IP address through a WebRTC RTCPeerConnection call, using a canvas read to identify the victim’s video drivers, and checking for Kaspersky’s product so it could avoid machines running it. Those results rode along as URL parameters into the next hop.

The geographic targeting was deliberate. Magnitude’s later campaigns focused heavily on South Korea, delivering Cerber ransomware and, later, its own Magniber ransomware built specifically for Korean victims. A kit that only fired in one country was harder for a global vendor to catch in the wild and easier to monetize against a population the operators understood.

Two of these gate tricks are worth flagging because they outlived the exploit-kit era. The WebRTC local-IP leak became a staple of browser fingerprinting generally. The canvas read used to identify video drivers is the same primitive behind canvas fingerprinting as a device-identification signal. The kits were doing applied fingerprinting research years before the anti-bot industry productized the same calls for the opposite purpose.

Angler: the apex and the fall

Angler was the kit that defined the peak. It moved fastest on exploits, it pioneered evasion techniques the others copied, and at its height it accounted for the majority of exploit-kit traffic on the web. It was also the one whose end is best documented, because its end was abrupt.

Two of Angler’s techniques stand out. The first is domain shadowing. Rather than register fresh malicious domains, which get blacklisted quickly, Angler’s operators stole the credentials of legitimate domain owners and silently created subdomains under those owners’ accounts. The real domain kept working; the owner had no idea that dozens of hostile subdomains now hung beneath it, each pointing at an exploit server, each rotated through fast. Cisco reported the technique sprawling across thousands of these shadow subdomains. It defeated domain-reputation blocking because the parent domains were genuinely reputable. The technique connects directly to fast-flux thinking and to the broader problem of malware finding its infrastructure without a fixed, blockable address, which is the same pressure that produced domain generation algorithms.

The second was simply speed and quality of exploitation. Angler’s operators reliably integrated new Flash bugs ahead of the pack, and they layered on obfuscation in the landing page to slow analysis.

Then came the scale numbers, and they are the part people remember. In its 2015 Angler investigation, Cisco Talos pulled apart the proxy-and-server architecture behind the kit and attached figures to it. A single threat actor was responsible for roughly half of all Angler activity Talos observed. That one actor was reaching up to 90,000 victims a day. Talos estimated the actor’s ransomware operation alone generated more than $30 million a year, and that applying the full scope of Angler activity put the figure north of $60 million annually. The architecture was a single exploit server fronted by a rotating fleet of proxy servers, with a “health” server monitoring them; Talos saw one health server watching 147 proxies over a month. Much of the proxy capacity sat on a single hosting provider, Limestone Networks.

*Figure: the rise and fall, 2013 to 2021. 2013: Angler opens to renters. 2015: domain shadowing peak. 2016: Lurk arrests, Angler dies. 2017: Shadowfall guts RIG. 2021: Flash blocked. The orange line traces rough exploit-kit activity over the period. The shape of the era. Activity climbed through 2015, took the Angler hit in mid-2016, absorbed the RIG takedown in 2017, and dwindled to the margins by the time Flash was blocked.*

What killed Angler was not a patch or a defender. It was a Russian police operation aimed at something else. In June 2016, Russian authorities arrested a group tied to the Lurk banking trojan, which had stolen, by Kaspersky’s accounting, more than $45 million from Russian companies and banks over roughly five years. Within about a week of the arrests, Angler vanished. Kaspersky’s investigation tied the two together: the Lurk gang had built Angler as their own internal delivery tool, and in 2013 opened it up for rent to outside customers, partly because their banking-theft revenue was drying up under improving defenses. Cisco’s data agreed from the infrastructure side, finding that the bulk of Lurk’s command-and-control domains traced to a registrant account that also touched Angler’s back end. When the people went to jail, the kit had no one to run it. There was no graceful wind-down. It simply stopped.

The scramble: Neutrino, RIG, and the 2017 takedown

Angler’s disappearance left a vacuum, and the market reshuffled fast. The payloads Angler had been dropping, including CryptXXX ransomware, shifted almost overnight to Neutrino, which became the dominant kit through the summer of 2016 after both Angler and Nuclear left the stage. Nuclear had gone quiet earlier in the year, its infrastructure mapped and exposed in Check Point’s analysis. So for a few months Neutrino was the undisputed leader, and then its operators made an odd move: they pulled it into “private mode,” restricting access to a small set of vetted customers and stepping back from the open market. By late 2016 Neutrino had effectively gone dark.

That left RIG as the last big kit standing. Through late 2016 and into 2017 RIG carried most of the malvertising and compromised-site campaigns, distributing ransomware and other payloads through the same fingerprint-and-fire flow. RIG also leaned on domain shadowing, and that turned out to be its weak point.

In early 2017 a coordinated effort called Operation Shadowfall, led by RSA Research with the registrar GoDaddy, independent researcher Brad Duncan, Malwarebytes, and others, went after RIG’s shadow-domain infrastructure directly. Because domain shadowing relied on stolen registrant credentials, often GoDaddy accounts phished from legitimate domain owners, the registrar was in a position to act. RSA reported the RIG crew had taken over around 800 real domains and spun up roughly 30,000 shadow subdomains beneath them. On May 16, 2017, the group moved and removed tens of thousands of those active shadow domains in one action, hitting RIG’s “Seamless” and “Decimal IP” campaigns hard. RIG’s activity dropped sharply through 2017; by some measures it fell to under a quarter of its earlier volume within a few months. The takedown did not end RIG outright, but it broke its momentum, and the kit never returned to dominance.
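Domain shadowing, as described in the Angler section and again here for RIG, leaves a pattern in passive DNS that a defender can score without touching the registrar: an apex domain that has resolved to the same place for years suddenly sprouts a burst of throwaway subdomains, each pointing at a hosting range unrelated to the parent and each alive for a day or two. The script below is an added example, not code from the post, from RSA's Shadowfall write-up or from any of the named researchers. It runs that heuristic over constructed passive-DNS records. The record shape, the two-label apex extraction (real code would use the public suffix list), the /24 comparison and the thresholds are all assumptions.

```javascript
// Added example (not from the original post). Score apex domains in passive DNS
// for the shadowing pattern: a recent burst of short-lived subdomains whose
// A records sit off the parent's own network.

const DAY = 24 * 3600 * 1000;

// Constructed passive-DNS records: [name, A rdata, firstSeen, lastSeen]
function makeRecords() {
  const recs = [
    ['goodshop-example.com', '203.0.113.10', '2014-01-05', '2015-06-10'],
    ['www.goodshop-example.com', '203.0.113.10', '2014-01-05', '2015-06-10'],
    ['mail.goodshop-example.com', '203.0.113.11', '2014-02-01', '2015-06-10'],
    ['victim-example.org', '203.0.113.20', '2012-03-01', '2015-06-10'],
    ['www.victim-example.org', '203.0.113.20', '2012-03-01', '2015-06-10'],
  ];
  // a burst of random-looking subdomains under the second apex, each on a
  // different host in an unrelated range and each seen for about a day
  const labels = ['kz9fh2', 'q7mw1d', 'p3lrx0', 'x1vt8c', 'aa2nbo', 'n0ee5k', 'j4hs9z', 'bt6yq1'];
  labels.forEach((l, i) => {
    const day = 6 + (i % 3);
    recs.push([`${l}.victim-example.org`, `198.51.100.${20 + i}`, `2015-06-0${day}`, `2015-06-0${day + 1}`]);
  });
  return recs.map(([name, rdata, first, last]) => ({
    name, rdata, firstSeen: Date.parse(first), lastSeen: Date.parse(last),
  }));
}

// assumption: two-label registered domain; use the public suffix list in real code
function apexOf(name) {
  return name.split('.').slice(-2).join('.');
}

// coarse "same network" test on the first three octets (assumption: /24 is close enough)
function slash24(ip) {
  return ip.split('.').slice(0, 3).join('.');
}

// returns the apexes that look shadowed, with the evidence behind each verdict
function findShadowedApexes(records, now, { windowDays = 7, minBurst = 5, minOffApex = 0.8 } = {}) {
  const byApex = new Map();
  for (const r of records) {
    const apex = apexOf(r.name);
    if (!byApex.has(apex)) byApex.set(apex, { apexNets: new Set(), subs: [] });
    const g = byApex.get(apex);
    if (r.name === apex) g.apexNets.add(slash24(r.rdata));
    else g.subs.push(r);
  }
  const suspects = [];
  for (const [apex, g] of byApex) {
    // burst: subdomains first seen inside the window
    const fresh = g.subs.filter((r) => now - r.firstSeen <= windowDays * DAY);
    if (fresh.length < minBurst) continue;
    // off-apex: resolving somewhere the parent itself never has
    const offApex = fresh.filter((r) => !g.apexNets.has(slash24(r.rdata)));
    const shortLived = fresh.filter((r) => r.lastSeen - r.firstSeen <= 2 * DAY);
    const ratio = offApex.length / fresh.length;
    if (ratio >= minOffApex) {
      suspects.push({
        apex,
        freshSubdomains: fresh.length,
        offApexRatio: ratio,
        shortLived: shortLived.length,
        hostingNets: [...new Set(offApex.map((r) => slash24(r.rdata)))],
      });
    }
  }
  return suspects;
}

console.log(findShadowedApexes(makeRecords(), Date.parse('2015-06-10')));
```

On the constructed data only victim-example.org is returned: eight subdomains first seen in the last week, all of them off the parent's /24 and all alive for a day. The legitimate apex has old, stable subdomains on its own network and never reaches the burst threshold. The obvious false positive is a site that genuinely moves many new hostnames onto a CDN at once, which is why the output carries the evidence (counts, ratio, the hosting nets involved) rather than a bare verdict, and why an apex with no A record of its own should be reviewed by hand, since every subdomain then counts as off-apex.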

Why the category collapsed: Flash’s long death

The arrests and takedowns explain individual kills. They do not explain why nothing replaced the kits. New criminal markets usually route around enforcement; this one did not. The reason is structural, and it comes down to the plugin the whole category was built on.

Exploit kits ran on Flash. Internet Explorer’s scripting engine was the secondary target, but Flash was the workhorse: ubiquitous, cross-browser, riddled with memory-corruption bugs, and reliably exploitable. The entire economics depended on a large population of machines running a vulnerable, internet-facing plugin that could be reached silently from a web page. That population was disappearing.

In July 2017, Adobe announced it would end Flash support on December 31, 2020, with Apple, Facebook, Google, Microsoft, and Mozilla coordinating to disable it in their browsers before then. The announcement came roughly a year after the Angler collapse, and it confirmed what the browser vendors had already been doing. Chrome had been moving Flash from default-on to click-to-play. Browsers were sandboxing plugins harder and auto-updating themselves on fast cycles, which closed the patch window Angler had exploited so well. The reliable, silent, version-specific exploitation that kits depended on was being engineered out of the web.

You can watch the dependency snap in the RIG telemetry. During the Shadowfall fallout, for a five-day stretch from June 1 to June 5, 2017, RIG dropped all of its Flash exploits, and by some accounts no Flash exploits were seen from RIG after May 31, 2017. Strip Flash from a Flash-dependent kit and what remains is a few aging Internet Explorer bugs against a shrinking population of unpatched IE users. That was not a business. Adobe blocked Flash content from running entirely starting January 12, 2021, and the last technical reason for the category to exist went with it.

*Figure: the dependency that did not survive. Exploit surface around 2015: Flash, IE / scripting. Exploit surface around 2021: Flash blocked, plugin removed. Bars are illustrative of relative reliance, not measured percentages. Why no kit replaced the dead ones. The category was a Flash-delivery business with an IE side hustle. Remove Flash and auto-patch the browser, and there is nothing left to reliably exploit at scale from a web page.*

Where exploit kits went, and what stayed

A handful of kits limped on into the late 2010s and beyond, mostly serving narrow regional campaigns. Magnitude kept running against South Korea with its Magniber ransomware. Underminer operated privately against Asian targets with browser profiling, payload encryption, and anti-revisit logic. Purple Fox shifted toward fileless techniques. These are real, but they are a footnote next to the 90,000-victims-a-day machine Angler had been. The mass-market, rent-a-panel, infect-the-whole-web kit is gone, and it has not come back.

The reason it has not come back is the same reason it died, and it is worth stating plainly. Exploit kits were a bet on a single, widely-deployed, silently-reachable, exploitable plugin. That bet paid out enormously for about five years. When the plugin died and browsers started patching themselves on a weekly cadence, the bet had no payout left. Attackers did what attackers do and moved to the cheaper target: the user. Phishing, malicious documents with macros, fake software installers, and now browser-based card skimming through Magecart all ask a human to make a mistake, because asking a human to make a mistake turned out to be more reliable than finding an unpatched plugin. The drive-by download did not get defeated by a better defense so much as it lost its substrate.

What the kits left behind is a set of techniques that quietly switched sides. The fingerprint-then-decide logic, the WebRTC local-IP probe, the canvas read for hardware identification, the User-Agent and IP filtering to keep researchers out, all of it reads like a modern anti-bot stack. The exploit kit fingerprinted a browser to choose an attack. Today’s bot-detection systems fingerprint a browser to choose a verdict. Same probes, same evasion instincts, opposite goal. The most lasting thing the exploit-kit era produced was not any single exploit. It was the playbook for reading a browser before deciding what to do with it.
