Disclaimer: I won't study this one in detail. The overall logic should not be far from Styxy Cool or Styx itself. Once again, this is just a "connecting some dots" post.
For many months, what I was mentally calling "Weird Styx", which was really similar to Kein/Styx Kein, puzzled me.
2013-01-22 - "a Weird Styx"
This was as Styxy as an exploit kit can be... but not as randomized as Styx was.
Exploits were rotating really slowly, as in Kein.
I would not be surprised if the coder of the exploits/scheme behind Styx, Styxy Cool, Kein and Null Hole is the same person.
Null Hole - Login page
Null Hole - API call (used, for instance, by a TDS to get the current landing page)
Null Hole - Raw stats on one thread
Null Hole - Partner management
Null Hole - A bunch of sploits
Null Hole - Manage clone (vhosts/proxies)
It was pushed in both Nuclear Pack and Null Hole.
This is the Null Hole thread:
Null Hole - 2014-09-29
The number of victims for that thread: 770.
{"objects":[{"blocked":9963,"loads":770,"raw":47506,"stream_id":"9","unique":20584,"withdrawn":0}]}
This exploit kit seems to blink: used for a few weeks, then it disappears for a month or two.
Here is a fresh pass (thanks to @robemtnez):
Null Hole - 2014-11-17 - here firing CVE-2014-0515, CVE-2014-0569 (thx TimoHirvonen) and CVE-2013-2551
2014/11/17 20:18:09;camping.ycw94.com;80;198.50.27.162
Files:
You'll find a pcap from Brad here.