Nuclear dates back to 2009 and remains one of the most widely used EKs. It exploits vulnerabilities in Active X, Flash, Internet Explorer, Java, PDF, and Silverlight, and disseminates malware and ransomware. Nuclear can detect if antivirus software is running and, if found, it terminates the associated process as well as antivirus driver files. Security researchers at Trend Micro estimate the number of daily infected users spiked to 12,500 in May 2015 and the top three countries affected are Japan, the United States, and Australia. In November 2015, Nuclear EK was the first exploit kit found infecting victims with CryptoWall 4.0. In the same month, Nuclear EK was also discovered delivering malware that could subsequently download the Kelihos Trojan onto the victim’s device.

At the end of April 2016, a few weeks after a report disclosing the EK's technical and financial operations, Nuclear EK activity had significantly dropped. The reason for the drop isn't fully understood but some speculate that the developers chose to cease activity after the heightened publicity around the EK.       


  • April 2016: Significant decrease in Nuclear EK activity. (IBM Security Intelligence)
  • November 2015: Nuclear EK distributes the CryptoWall 4.0 ransomware. (The Register)
  • November 2015: Nuclear EK drops the Kelihos Trojan to victims. (SC Magazine)

Technical Details

  • Talos Group provides technical details on the evolution of the Nuclear EK, available here.
One example of the Nuclear EK. Image Source: ForcePoint

One example of the Nuclear EK. Image Source: ForcePoint