Angler is one of the most sophisticated EKs used by cybercriminals today and was first observed in 2013. Angler uses malvertising to direct users to its servers, and is known to exploit Adobe Flash Player, Internet Explorer, Microsoft Silverlight, Java, and ActiveX. Angler infects users with ransomware and point-of-sale (PoS) malware. It uses various techniques to defeat traditional detection methods including unique obfuscation, antivirus and virtualization software detection, encrypted payload, and fileless infections. Angler is also very quick at integrating new zero-day exploits in its kit, specifically targeting vulnerabilities in Adobe Flash Player.

According to Palo Alto Networks, as of January 2016, Angler EK has infected more than 90,000 websites, 30 of these are among the 100,000 most visited sites, estimating monthly visits to infected sites may be as high as 11 million. Angler has added many new servers as part of its distribution network, delivering drive-by attacks through infected websites. On 28 July 2015, security researchers warned that a malvertising campaign potentially exposed over 10 million users to the Angler EK.

Angler is the one of the top exploit kits infecting victims with various ransomware variants. In December 2015, Heimdel Security noted Angler was distributing CryptoWall 4.0 ransomware. In March 2016, Angler was dropping the new ransomware variant HydraCrypt. And in April 2016, Angler was discovered pushing Bedep and Dridex malware, and CryptXXX ransomware. CryptXXX was added to Angler functionality within week of the first reporting on the ransomware this year.

In May 2016, Neutrino EK had begun dropping the CryptXXX ransomware, previously only dropped by Angler. This shift became progressively more widespread and June 7 was the last time Angler EK activity was seen. This drop is especially unexpected given the exceptionally high usage of the Angler EK well into the beginning of this year. One reason for the shift is suspected to be a result of the arrest of Russian gang Lurk, known to use Angler to distribute banking Trojans.


  • May 2016: Angler activity drops as Neutrino activity increases. (ProofPoint)
  • April 2016: Angler is pushing Bedep and Dridex malware, and CryptXXX ransomware. (ProofPoint)
  • March 2016: Angler began distributing HydraCrypt ransomware. (McAfee)
  • December 2015: Angler began distributing CryptoWall 4.0. (Heimdel Security)

Technical Details

  • Heimdel Security provides technical analyses and IOCs, available here.

One example of the Angler EK back-end infrastructure. Image Source: Tripwire