Neutrino is identified in the provided content primarily as an exploit kit, and separately as a malware family also known as Kasidet and MWZLesson that has used Namecoin .bit domains as part of its command-and-control infrastructure. As an exploit kit, Neutrino is listed alongside Angler and Nuclear as a common exploit kit and was previously used by the AdGholas malvertising operation before that campaign shifted to the Stegano/Astrum exploit kit. The content also states that Locky ransomware was observed being distributed via the Neutrino exploit kit, including in a thread that usually spread Necurs. Separately, the content references a popular Neutrino banking Trojan variant reported in August 2017 that included a Monero miner module and was focused on downloading and executing modules rather than stealing bank card data. Additional mention contexts describe Neutrino as a DDoS bot and credential stealer in Spamhaus rankings. High-confidence aliases directly provided in the content for the malware family are Kasidet and MWZLesson. The content does not provide a single unified technical profile tying all of these references together, so the available information indicates that the name Neutrino has been used in the source material for both an exploit kit and a malware family associated with credential theft, DDoS functionality, banking-trojan activity, modular download-and-execute behavior, Monero mining, and Namecoin-based C2.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
...six zero-day vulnerabilities (... CVE-2015-5119, CVE-2015-5122 and CVE-2015-5123 for Adobe Flash; ...) ... being released into the wild.
...six zero-day vulnerabilities (... CVE-2015-5122 ... for Adobe Flash; ...) being released into the wild.
...six zero-day vulnerabilities (... CVE-2015-5123 for Adobe Flash; ...) being released into the wild.
...six zero-day vulnerabilities (... CVE-2015-2425 for Internet Explorer) ... being released into the wild.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Initially, the gang behind AdGholas had been using the Angler and Neutrino exploit kits.
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Les exploits et les kits d'exploitation s'appuient généralement sur des sites Web malveillants ou des pièces jointes de courrier électronique pour pénétrer un réseau ou un appareil, mais ils se cachent parfois également dans des publicités sur des sites Web légitimes.
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Other indicator types observed in public reporting.
7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Exploit kit used to automate discovery and exploitation of known software vulnerabilities for malware delivery.
A malware family associated with botnet controllers, described as both a DDoS bot and credential stealer.
Malware associated with botnet controllers; described as both a DDoS bot and credential stealer.
An exploit kit previously used by the AdGholas campaign; the article also notes Stegano's Flash stage was similar to Neutrino in carrying multiple exploits based on Flash version.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.