Terror was first detected in early December 2016 by researchers at Trustwave and Malwarebytes. It is poorly assembled, hosting its landing pages and exploits on the same server. This exploit kit (EK) delivers all exploit packages to all users who visit the landing pages, a technique known as “carpet bombing,” instead of using filters to target only vulnerable users.


Neutrino was discovered in 2012 and remains active, exploiting vulnerabilities in all Java versions at least up to Java 7 Update 11. When it successfully finds a vulnerable target, Neutrino downloads a ransomware variant onto the victim’s machine. It features a user-friendly control panel, continuously monitors the status of present antivirus software, filters network traffic, and encrypts stolen information before sending it back to the server.


Fiesta was first released in 2008 and gained popularity with the decline of Blackhole EK. Fiesta was developed to deliver crypto-ransomware and fake antivirus malware payloads to its victims. It exploits vulnerabilities in Flash, Internet Explorer, Adobe Acrobat Reader, and Microsoft Silverlight, and it can terminate running processes and disable common system tools to make detection and removal more difficult. Two-thirds of Fiesta-related traffic occurred in three countries: United States, Japan, and Australia.


Magnitude made itself known in October of 2013 when it breached the servers of PHP.net, a popular scripting language development website, and redirected the site’s visitors to its landing page using a compromised JavaScript file. It then exploited vulnerabilities in Java and Flash to deliver malicious payloads like Zeus, Andromeda, Necurs, Zusy, and Ngrbot. Magnitude was later used in an attack against Yahoo and WordPress website users.

Sweet Orange

Sweet Orange emerged in 2012 to fill the void left behind by the Blackhole EK after its author was arrested, and it quickly rose in popularity among cybercriminals. Sweet Orange contains many of the same features as other variants, including a database that records a list of successful infections, statistics about various current exploits, and regular malware updates.