Nebula Exploit Kit

What is Nebula Exploit Kit?

Nebula Exploit Kit is a malicious software package that specialists came across for the first time in February, 2017. Most probably, it is a new variant of another Exploit Kit called Sundown. It is considered “new” because it has new indicators of compromise (IOCs); however, researchers have observed that it exploits some old vulnerabilities that are also exploited by RIG Exploit Kit, Neutrino Exploit Kit, Terror Exploit Kit, and Sundown Exploit Kit: CVE-2014-6332, CVE-2015-0016, CVE-2013-2551, CVE-2013-2551, CVE-2015-8651, CVE-2015-7645, and CVE-2016-4117. Mainly, Nebula Exploit Kit is used to drop the malicious payload on victims’ computers (it might be any malicious application), but it should be noted that not everybody can take advantage of it because it is not a free toolkit. Cyber criminals who want to use it for their malicious deeds need to pay money for it.

Where does Nebula Exploit Kit come from?

You will not find Nebula Exploit Kit on an ordinary website. According to specialists, the chances are high that it is only advertised on Dark Web forums and can be purchased from online shops on the TOR Network. It is presented there as having the following features:

  • Automatic domain scanning and generating
  • API rotator domains
  • Custom domains & server
  • Unlimited flows & files
  • Scan file & domains
  • Multiple payload file types supported (exe, dll, js, vbs)
  • Remote file support
  • Public stats by file & flow

It is not a full list of features it has. Also, it seems that Nebula Exploit Kit can be customized to fit individual cyber criminals’ needs – they just need to contact support.

As mentioned in the first paragraph of this report, Nebula Exploit Kit is not a free toolkit. 24-hour access to this product costs $100, whereas cyber criminals can use it for the entire 7 days if they pay $600. The most expensive is the 31-days subscription – it costs $2000. Cyber criminals purchase Nebula Exploit Kit so that they could identify vulnerabilities in users’ browsers and then use these vulnerabilities to download and execute malicious payloads on their systems.

What does Nebula Exploit Kit do?

The first thing cyber criminals do after paying money for the use of Nebula Exploit Kit is uploading it on specific web servers. Then, they try to direct the traffic to malicious pages by promoting their URLs on legit websites, Internet forums, or spreading them via emails. If the user clicks on the link, Nebula Exploit Kit immediately checks for vulnerabilities in his/her web browser and/or its plugins, e.g. Java, Adobe Flash, and Microsoft Silverlight. The malicious website might also check the user’s geographic location (the IP address reveals it) because a specific malicious payload might be dropped depending on his/her place of residence.

Any malicious application, e.g. ransomware, backdoor, Trojan can be dropped on victims’ with vulnerable browsers computers. It has been observed by specialists who have tested Nebula Exploit Kit that it distributes Pitou, Gootkit, DiamondFox, and Ramnit malware, but, as mentioned previously, different malicious applications might be spread depending on different factors (e.g. geolocation).

How to remove Nebula Exploit Kit

You cannot remove Nebula Exploit Kit because it is not malicious software itself, but you must erase the malicious software it has dropped on your system as soon as possible. The malicious payload is dropped and executed silently on victims’ machines. Also, some malicious applications perform their activities completely in the background, so you might not even know that you have malicious software active on your system. Luckily, you do not need to be an expert to detect malicious software. All you need to do is to use an antimalware scanner. If you suspect that your system might be contaminated, you should download the diagnostic scanner (instructions provided below this article will help you get it) and then use it to perform an in-depth system scan.

Detect malware

  1. Open your browser.
  2. Go to
  3. Save the file and launch the installer.
  4. Install a diagnostic scanner.
  5. Launch it and perform a system scan. 100% FREE spyware scan and
    tested removal of Nebula Exploit Kit*

Leave a Comment

Enter the numbers in the box to the right *