Kaspersky Confirms Lurk Gang Developed Angler Exploit Kit

Kaspersky Lab has confirmed that the Lurk cybercrime gang, whose members were arrested by Russian police this summer, developed and rented the notorious Angler exploit kit, which disappeared from the scene shortly after the arrests.

Kaspersky Lab has confirmed that the Lurk cybercrime gang, whose members were arrested by Russian police this summer, developed and rented the notorious Angler exploit kit, which disappeared from the scene shortly after the arrests.

Russian law enforcement announced in early June the arrests of 50 individuals suspected of using the Lurk Trojan to conduct bank fraud. Authorities believe the cybercriminals have stolen tens of millions of dollars from Russian financial institutions.

Police in Russia identified the individuals behind the Lurk malware with the help of experts from Kaspersky Lab, who have now confirmed that the group was also responsible for developing, maintaining and renting the Angler exploit kit, which they called “XXX.”

It had been known that cybercriminals distributed Lurk via Angler, but researchers only started suspecting a deeper connection between the two shortly after the arrests, when gangs that had relied exclusively on Angler to deliver their malware turned to other exploit kits.

The French researcher “Kafeine” speculated that there could be a connection between the two and that some actors might be stepping back following the arrests. Cisco Talos researchers also uncovered a link between Lurk and Angler based on an account used to register domains leveraged by both threats.

In a blog post published on Tuesday, Kaspersky’s Ruslan Stoyanov provided details on the hunt for the Lurk gang and confirmed that the group was behind Angler. According to the security firm, the cybercriminals created Angler after banks improved their security systems and they were forced to diversify and expand their business.

Angler was initially used exclusively by the group, but they started renting it to others after their fraud activities became less profitable.


“Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” Stoyanov explained. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.”

The development of Lurk started in 2011 and it soon turned into an operation resembling a small software company. Kaspersky initially determined that a group of roughly 15 people were behind the malware, but the number increased to 40 by the time their activities were shut down by law enforcement.

Experts believe Lurk managers had to pay tens of thousands of dollars every month to maintain their vast network infrastructure, in addition to the money they had to pay their “employees.”

The Lurk gang was highly organized and initially they did not leave any clues that might allow investigators to uncover their real identities. However, they did make some mistakes over the years, which led to their identification and capture.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
