What is an Exploit Kit?
Exploit kits are toolkits built to automatically and silently exploit vulnerabilities on victims’ machines while they browse the web. Because they are highly automated, exploit kits have become one of the most popular methods criminal groups use to distribute malware or remote access tools (RATs) at scale, lowering the barrier to entry for attackers. Exploit kits are also an effective source of profit for their creators, who rent them out on underground criminal markets as exploit kits as a service; the price for leading kits can reach thousands of dollars per month.
Attackers use exploit kits to take control of a device in an automated, simplified manner. Within an exploit kit, a series of stages must succeed in sequence for the infection to work: a landing page, the execution of an exploit, and the delivery of a payload. If any stage fails, the attacker does not gain control of the host.
Landing Page
An exploit kit chain starts with a legitimate website that has been compromised. The compromised page discreetly redirects the visitor’s browser, typically through an injected script or iframe, to the kit’s landing page. The landing page contains code that profiles the victim’s browser and its plug-ins, checking versions to find a vulnerable browser-based application. If the device is fully patched and up to date, the exploit kit traffic stops there. If a vulnerable application is found, the landing page silently redirects the browser to the matching exploit.
Exploit
The exploit abuses a vulnerable application to secretly run attacker code on the host. Commonly targeted applications include Adobe® Flash® Player, Java® Runtime Environment and Microsoft® Silverlight®, whose exploits are delivered as files the plug-in loads (a .swf, .jar or .xap respectively), and the web browser itself, whose exploit is sent as code (typically JavaScript) within the web traffic.
Payload
When an exploit succeeds, the exploit kit sends a payload to infect the host. The payload can be a downloader that retrieves other malware, or the intended malware itself. More sophisticated exploit kits send the payload as an encrypted binary over the network; once on the victim’s host it is decrypted and executed, which defeats simple file inspection on the wire. While the most common payload is ransomware, there are many others, including botnet malware, information stealers and banking Trojans.
A recent example is the use of the Neutrino exploit kit to deliver Locky ransomware in the Afraidgate campaign. Pages on the compromised site contain an injected script that redirects visitors to the Afraidgate gate domain. That server returns more JavaScript containing an iframe, which leads to a Neutrino exploit kit landing page. If Neutrino’s exploit of the vulnerable application succeeds, the Locky payload is delivered and the ransomware encrypts the victim’s files and demands payment for the key.
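The chain above (compromised site, gate, landing page, exploit object, payload) leaves a recognizable trail in web proxy logs. The following Python script is an added example, not code from the original page or from Palo Alto Networks: it rebuilds per-client referer chains and flags the stage sequence described in the Landing Page, Exploit and Payload sections and in the Afraidgate case. The log format, the content-type lists and the sample log lines are all constructed for this example; the domain names are placeholders under the reserved .test TLD.

```python
"""Added example: flag exploit-kit style redirect chains in web proxy logs.
Log format, stage content types and sample lines are constructed, not real."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Content types typical of each stage. Assumption: illustrative, not exhaustive.
EXPLOIT_TYPES = {
    "application/x-shockwave-flash",  # Flash Player exploit delivered as a .swf
    "application/java-archive",       # Java Runtime exploit delivered as a .jar
    "application/x-silverlight-app",  # Silverlight exploit delivered as a .xap
}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}
SCRIPT_TYPES = {"application/javascript", "text/javascript"}


@dataclass
class Hit:
    ts: datetime
    client: str
    url: str
    ctype: str
    referer: str  # "-" when the request carried no Referer header


def parse_line(line):
    """Constructed format: '<iso-ts> <client> <url> <status> <content-type> <referer>'."""
    ts, client, url, _status, ctype, referer = line.split()
    return Hit(datetime.fromisoformat(ts), client, url, ctype, referer)


def host(url):
    return (urlparse(url).hostname or "").lower()


def find_ek_chains(lines, window=timedelta(seconds=60)):
    """Return one finding per exploit object whose surrounding traffic shows the
    full chain: a page on site A loads a script from gate B and an iframe to
    landing page C, C serves a plug-in exploit object, then C serves a binary."""
    by_client = defaultdict(list)
    for line in lines:
        if line.strip():
            hit = parse_line(line)
            by_client[hit.client].append(hit)

    findings = []
    for client, hits in by_client.items():
        hits.sort(key=lambda h: h.ts)
        by_url = {h.url: h for h in hits}
        for exploit in [h for h in hits if h.ctype in EXPLOIT_TYPES]:
            landing = by_url.get(exploit.referer)   # page that embedded the exploit
            if landing is None or landing.ctype != "text/html":
                continue
            parent = by_url.get(landing.referer)    # page that embedded the landing iframe
            if parent is None or host(parent.url) == host(landing.url):
                continue  # plug-in content served by the site itself: normal
            recent = [h for h in hits if parent.ts <= h.ts <= exploit.ts + window]
            # Gate: a script the parent page pulled from a third, unrelated domain.
            gates = [h.url for h in recent
                     if h.ctype in SCRIPT_TYPES and h.referer == parent.url
                     and host(h.url) not in (host(parent.url), host(landing.url))]
            # Payload: a binary from the landing host after the exploit object.
            payload = next((h.url for h in recent
                            if h.ctype in PAYLOAD_TYPES and h.ts >= exploit.ts
                            and host(h.url) == host(landing.url)), None)
            if gates and payload:
                findings.append({
                    "client": client,
                    "compromised_page": parent.url,
                    "gate": gates[0],
                    "landing": landing.url,
                    "exploit": exploit.url,
                    "payload": payload,
                })
    return findings


# Constructed sample: one infected client, one client that merely watched a
# Flash video hosted by the site itself (must not be flagged).
SAMPLE_LOG = """
2016-07-01T10:00:00 10.1.2.3 http://www.example-news.test/article.html 200 text/html -
2016-07-01T10:00:01 10.1.2.3 http://gate.example-afraid.test/js/stat.js 200 application/javascript http://www.example-news.test/article.html
2016-07-01T10:00:02 10.1.2.3 http://landing.example-ek.test/index.php?id=7 200 text/html http://www.example-news.test/article.html
2016-07-01T10:00:03 10.1.2.3 http://landing.example-ek.test/flash.swf 200 application/x-shockwave-flash http://landing.example-ek.test/index.php?id=7
2016-07-01T10:00:05 10.1.2.3 http://landing.example-ek.test/payload.bin 200 application/octet-stream -
2016-07-01T10:05:00 10.1.2.4 http://www.example-news.test/video.html 200 text/html -
2016-07-01T10:05:01 10.1.2.4 http://www.example-news.test/player.swf 200 application/x-shockwave-flash http://www.example-news.test/video.html
"""

if __name__ == "__main__":
    for f in find_ek_chains(SAMPLE_LOG.splitlines()):
        print(f"{f['client']}: {f['compromised_page']} -> {f['gate']} -> "
              f"{f['landing']} -> {f['exploit']} -> {f['payload']}")
```

The rule deliberately requires all three cross-domain indicators (gate script, iframe to a foreign landing page, and a binary from that landing host) before it fires, so a site that merely serves its own Flash content is not flagged; in production you would widen the content-type lists, tolerate missing Referer headers, and correlate the payload host against threat intelligence rather than relying on the landing host alone.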
With exploit kits becoming the go-to tool for attackers of varying skill sets and objectives, it is imperative that your systems are able to protect against these attacks. This can be achieved through reducing the attack surface, blocking known malware and exploits, and quickly identifying and stopping new threats. The Palo Alto Networks Next Generation Platform proactively blocks known threats while using static and dynamic analysis techniques to identify unknown threats. Any unknown files, emails and links are analyzed in a scalable sandbox environment to determine if they are malicious or benign. If a file is determined to be malicious, protections are created automatically and delivered across all technologies within the platform for full protection, preventing exploit kits from progressing further throughout their lifecycle.
To learn more about emerging threats, attacker tactics, and expert recommendations to protect your organization, read the 2025 Unit 42 Global Incident Response Report.