Blackhole is an exploit kit that was widely used in the early 2010s to industrialize browser-based exploitation as a subscription-style crimeware service. The provided content associates it with Dmitry "Paunch" Fedotov, noting that he used the Blackhole exploit kit to spread multiple forms of malware internationally and that Blackhole was available alongside other criminal services such as the Psyche/Cutwail spambot. The content describes Blackhole as actively targeting known, already-patched client-side vulnerabilities rather than relying on zero-days, including a remote code execution flaw in Oracle Java shortly after Oracle had patched it. It is referenced as part of the exploit-kit era alongside Phoenix, Nuclear, and later Angler, and as an example of how vulnerability exploitation became packaged, updated, rented, and sold with tiered pricing. The content also notes that Blackhole was successfully targeting outdated browsers and plugins, especially Java, and that exploit kits like Blackhole contributed to large-scale compromise risk from unpatched browser components. One mention states that Blackhole and Metasploit Browser AutoPwn were detected and blocked by Microsoft Forefront during a penetration test, indicating its use as an automated browser exploitation framework. The content further states that the Blackhole exploit kit ecosystem largely collapsed after a takedown in 2013. No high-confidence IOCs beyond the malware name and association with browser/plugin exploitation are provided in the content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 distinct techniques documented for this family, organized by ATT&CK tactic.
The document repeatedly lists exploit kits alongside client-side CVEs such as CVE-2013-2551, CVE-2013-0634, CVE-2013-0422, CVE-2012-0507, CVE-2011-3544, CVE-2010-0188, and many others affecting Java, Flash, Internet Explorer, Adobe Reader, QuickTime, and Windows Media Player.
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An exploit kit referenced as part of the exploit kit era, rented cheaply and used to scale browser exploitation.
An exploit kit cited as an example of the commercialization of vulnerability exploitation through subscription-style offerings.
An exploit kit cited as an example of commercialization of vulnerability exploitation via subscription-style offerings.
Exploit kit referenced historically in relation to redirect-malware ecosystems.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.