
Actively Developed Capesand Exploit Kit Emerges in Attacks

A newly discovered exploit kit (EK) is being employed in live attacks despite the fact that it’s still in an unfinished state, Trend Micro’s security researchers reveal.

Dubbed Capesand, the toolkit was discovered in October 2019, when a malvertising campaign employing the RIG EK to drop DarkRAT and njRAT switched to using it for delivery instead.

The new threat attempts to exploit recent vulnerabilities in Adobe Flash and Microsoft Internet Explorer (IE), but also targets a 2015 vulnerability in the browser.

Capesand’s authors, the security researchers say, appear to be reusing source code from a publicly shared exploit kit. In fact, almost all of the toolkit’s functionality — including its exploits, obfuscation, and packing techniques — is built from open-source code.

The malicious advertisements were delivered from the ad network straight to the victim’s browser and posed as a blog discussing blockchain. The page had been cloned with the HTTrack website copying tool and contains a hidden iframe that loads the exploit kit.

Analysis of the Capesand panel has revealed that it allows threat actors to check the status of exploit kit usage and download frontend source code to deploy on their servers. Code similarities suggest the new threat is derived from the old Demon Hunter EK.

Some of the targeted vulnerabilities include CVE-2018-4878 (Adobe Flash), along with CVE-2018-8174 and CVE-2019-0752 (Internet Explorer).

The exploits are not included in the frontend EK source code package. Instead, each time Capesand wants to deliver an exploit, it sends a request to a server API to receive it.

The API request includes the requested exploit name, exploit URL, and the victim’s IP address, browser user-agent, and HTTP referrer. The information is AES encrypted with a pre-generated API key inside a configuration file.

The server verifies that a valid API key was used for encryption, collects the victim information, and also records usage data for the exploit kit.

The security researchers also discovered a version of Capesand that uses an exploit for the IE vulnerability tracked as CVE-2015-2419. On the developers’ server they identified exploits for CVE-2018-4878 and CVE-2018-15982 (Adobe Flash) and an exploit for CVE-2018-8174 (IE), but not the exploit for CVE-2019-0752, even though the source code references it.

“This leads us to believe that the kit is still under development and has yet to fully integrate the exploits the cybercriminals planned to use,” Trend Micro notes.

The EK’s developers, the security researchers point out, made sure that the deployed samples had very low detection rates. The code also checks for antimalware products installed on the victim’s system.

The miscreants also focus on distributing malicious landing pages via mirrored versions of legitimate websites and use domain names similar to the originals to further avoid raising suspicion.

“In addition, its exploits are delivered as a service accessible through a remote API — an efficient method to keep the exploits private and reusable across different deployment mechanisms,” Trend Micro concludes.

Related: New ‘Lord’ Exploit Kit Emerges

Related: Exploit for Recent Flash Zero-Day Added to Fallout Exploit Kit

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
