Kaspersky Lab has confirmed that the Lurk cybercrime gang, whose members were arrested by Russian police this summer, developed and rented the notorious Angler exploit kit, which disappeared from the scene shortly after the arrests.
Russian law enforcement announced in early June the arrests of 50 individuals suspected of using the Lurk Trojan to conduct bank fraud. Authorities believe the cybercriminals have stolen tens of millions of dollars from Russian financial institutions.
Police in Russia identified the individuals behind the Lurk malware with the help of experts from Kaspersky Lab, who have now confirmed that the group was also responsible for developing, maintaining and renting the Angler exploit kit, which they called “XXX.”
It had been known that cybercriminals distributed Lurk via Angler, but researchers only started suspecting a connection between the two shortly after the arrests, when gangs that had relied exclusively on Angler to deliver their malware turned to other exploit kits.
The French researcher “Kafeine” speculated that there could be a connection between the two and that some actors might be stepping back following the arrests. Cisco Talos researchers also uncovered a link between Lurk and Angler based on an account used to register domains leveraged by both threats.
In a blog post published on Tuesday, Kaspersky’s Ruslan Stoyanov provided details on the hunt for the Lurk gang and confirmed that the group was behind Angler. According to the security firm, the cybercriminals created Angler after banks improved their security systems and they were forced to diversify and expand their business.
Angler was initially used exclusively by the group, but they started renting it to others after their fraud activities became less profitable.
“Judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status,” Stoyanov explained. “So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a ‘product’ from the top underground authority did not need advertising.”
The development of Lurk started in 2011 and it soon turned into an operation resembling a small software company. Kaspersky initially determined that a group of roughly 15 people were behind the malware, but the number increased to 40 by the time their activities were shut down by law enforcement.
Experts believe Lurk managers had to pay tens of thousands of dollars every month to maintain their vast network infrastructure, in addition to the money they had to pay their “employees.”
The Lurk gang was highly organized and initially they did not leave any clues that might allow investigators to uncover their real identities. However, they did make some mistakes over the years, which led to their identification and capture.
Related: Lurk Banking Trojan Delivered via Ammyy Website
Related: Blackhole Exploit Kit Author Sentenced to Prison

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.