Terror exploit kit, also known as Neptune EK, was first detected in early December 2016 by researchers at Trustwave and Malwarebytes. It is poorly assembled, hosting its landing pages and exploits on the same server. This EK delivers all exploit packages to all users that visit the landing pages, a technique known as “carpet bombing,” instead of using filters to only target vulnerable users. As of December 2016, it exploited vulnerabilities in Internet Explorer, Adobe Flash, and Firefox, but the EK was pulled off the web shortly after posting. The developer created a new version of Terror EK, copying several exploits from the Sundown EK and failing to obfuscate the payloads, revealing that it now exploits vulnerabilities in Internet Explorer and Adobe Flash. This malware’s final payload is a miner for the Monero cryptocurrency. The developer hosted the configurations for the cryptocurrency mining campaign on Pastebin and GitHub, where researchers can easily take them down.


  • January 2017: New variant of Terror EK, mistaken for Sundown EK, now a miner for the Monero cryptocurrency. (Malwarebytes)
  • March 2017: Cybercriminals are compromising websites and using the Terror EK to exploit a Silverlight vulnerability to infect users’ machines and download additional malware. (Malware Traffic Analysis)
  • April 2017: Redirects to the EK landing page either via the server 302 redirect call or script injection and distributes the Andromeda malware. This campaign exploits Flash and Internet Explorer vulnerabilities. (SecurityWeek)
  • May 2017: The EK has improved and now evaluates the victim's machine and chooses exploits based on the victim's installed software and patch level, and employs new anti-detection features. (Cisco Talos)
  • August 2017: Hiking club-themed malvertisements use the Neptune/Terror EK to distribute Monero cryptocurrency miners. (FireEye)

Technical Details

  • Trustwave provides technical details on the Terror EK, here.