Terror was first detected in early December 2016 by researchers at Trustwave and Malwarebytes. It is poorly assembled, hosting its landing pages and exploits on the same server. This exploit kit (EK) delivers all exploit packages to all users that visit the landing pages, a technique known as “carpet bombing,” instead of using filters to only target vulnerable users. As of December 2016, it exploited vulnerabilities in Internet Explorer, Adobe Flash, and Firefox, but the EK was pulled off the web shortly after posting. The developer created a new version of Terror EK, copying several exploits from the Sundown EK and failing to obfuscate the payloads, revealing that it now exploits vulnerabilities in Internet Explorer and Adobe Flash. This malware’s final payload is a miner for the Monero cryptocurrency. The developer hosted the configurations for the cryptocurrency mining campaign on Pastebin and GitHub, where researchers can easily take them down.


  • January 2017: New variant of Terror EK, mistaken for Sundown EK, now a miner for the Monero cryptocurrency. (Malwarebytes)

Technical Details

  • Trustwave provides technical details on the Terror EK, here.