Blackhole exploit kit

From Wikipedia, the free encyclopedia
Malware toolkit
This article is about the exploit kit. For other uses, see black hole (disambiguation).

The Blackhole exploit kit was, as of 2012, the most prevalent web threat, accounting for 29% of all web threats detected by Sophos and 91% of those detected by AVG.[1] Its purpose is to deliver a malicious payload to a victim's computer.[2] According to Trend Micro, the majority of infections due to this exploit kit came from a series of high-volume spam runs.[3] The kit incorporates tracking mechanisms so that the people maintaining it know considerable information about the victims arriving at the kit's landing page. The information tracked includes the victim's country, operating system, browser and which piece of software on the victim's computer was exploited. These details are shown in the kit's user interface.[4]

History


The Blackhole exploit kit was released on "Malwox", an underground Russian hacking forum. It made its first appearance in 2010.[5]

The supposedly Russian creators use the names "HodLuM" and "Paunch". It was reported on October 7, 2013 that "Paunch" had been arrested.[6]

Dmitry "Paunch" Fedotov was sentenced to seven years in a Russian penal colony on April 12, 2016.[7]

Function

  1. The customer licenses the Blackhole exploit kit from the authors and specifies various options to customize the kit.
  2. A potential victim loads a compromised web page or opens a malicious link in a spammed email.
  3. The compromised web page or malicious link in the spammed email sends the user to a Blackhole exploit kit server's landing page.
  4. This landing page contains obfuscated JavaScript that determines what is on the victim's computer and loads all exploits to which that computer is vulnerable, and sometimes a Java applet tag that loads a Java Trojan horse.
  5. If there is an exploit that is usable, the exploit loads and executes a payload on the victim's computer and informs the Blackhole exploit kit server which exploit was used to load the payload.
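
Steps 3 to 5 leave a recognisable sequence in web proxy logs. The following is an added example, not part of the original article or any vendor's tooling: a heuristic that flags a client which reaches an HTML page through a cross-host referrer and then receives plugin content and an executable-type response from that same host within 60 seconds. The log format, the content-type sets, the 60-second window and the `.example` hosts are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Content types for the plugin content named on this page (Java, Acrobat, Flash).
PLUGIN_TYPES = {"application/java-archive", "application/pdf",
                "application/x-shockwave-flash"}
# Content types assumed here to indicate an executable payload.
PAYLOAD_TYPES = {"application/x-msdownload", "application/octet-stream"}
WINDOW = timedelta(seconds=60)  # assumed maximum duration of one chain

def parse(line):
    """Parse one constructed log line: time client host path referer_host content_type."""
    ts, client, host, path, referer, ctype = line.split()
    return datetime.fromisoformat(ts), client, host, path, referer, ctype

def find_chains(lines):
    """Return sorted (client, host) pairs showing landing -> plugin content -> payload."""
    events = defaultdict(list)
    for ts, client, host, _path, referer, ctype in sorted(map(parse, lines)):
        events[(client, host)].append((ts, referer, ctype))
    hits = []
    for (client, host), evs in events.items():
        landing = plugin = None
        for ts, referer, ctype in evs:
            if landing is not None and ts - landing > WINDOW:
                landing = plugin = None          # chain went stale, start over
            if landing is None:
                # Step 3: HTML page reached from a page on a different host.
                if ctype == "text/html" and referer not in ("-", host):
                    landing = ts
            elif ctype in PLUGIN_TYPES:
                plugin = ts                      # step 4: plugin content served
            elif ctype in PAYLOAD_TYPES and plugin is not None:
                hits.append((client, host))      # step 5: payload follows plugin content
                break
    return sorted(hits)

# Constructed sample log; all hosts use reserved .example names.
SAMPLE = """\
2012-03-29T10:00:00 10.0.0.5 news.example /story.html - text/html
2012-03-29T10:00:02 10.0.0.5 kit.example /main.php news.example text/html
2012-03-29T10:00:03 10.0.0.5 kit.example /a.jar kit.example application/java-archive
2012-03-29T10:00:05 10.0.0.5 kit.example /w.php - application/octet-stream
2012-03-29T10:01:00 10.0.0.9 docs.example /index.html search.example text/html
2012-03-29T10:01:04 10.0.0.9 docs.example /manual.pdf docs.example application/pdf
2012-03-29T10:05:00 10.0.0.9 docs.example /tool.exe docs.example application/x-msdownload
""".splitlines()

if __name__ == "__main__":
    print(find_chains(SAMPLE))
```

The second client is not flagged because its executable download falls outside the window; a heuristic like this produces leads for triage, not verdicts.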

Defenses


A typical defensive posture against this and other advanced malware includes, at a minimum, each of the following:

  • Ensuring that the browser, browser's plugins, and operating system are up to date. The Blackhole exploit kit targets vulnerabilities in old versions of browsers such as Firefox, Google Chrome, Internet Explorer and Safari as well as many popular plugins such as Adobe Flash, Adobe Acrobat and Java.
  • Running a security utility with a good antivirus and a good host-based intrusion prevention system (HIPS). Due to the polymorphic code used in generating variants of the Blackhole exploit kit, antivirus signatures will lag behind the automated generation of new variants of the Blackhole exploit kit, while changing the algorithm used to load malware onto victims' computers takes more effort from the developers of this exploit kit. A good HIPS will defend against new variants of the Blackhole exploit kit that use previously known algorithms.

References

  1. Howard, Fraser (March 29, 2012). "Exploring the Blackhole exploit kit: 4.1 Distribution of web threats". Naked Security. Sophos. Archived from the original on May 2, 2012. Retrieved April 26, 2012.
  2. Howard, Fraser (March 29, 2012). "Exploring the Blackhole exploit kit: 2.3.4 Payload". Naked Security. Sophos. Archived from the original on May 2, 2012. Retrieved April 26, 2012.
  3. "Blackhole Exploit Kit: A Spam Campaign, Not a Series of Individual Spam Runs" (PDF). Trend Micro. July 2012. Retrieved October 15, 2013.
  4. "The State of Web Exploit Kits" (PDF). Black Hat Briefings. August 2012. Retrieved October 15, 2013.
  5. "Meet Paunch: The Accused Author of the BlackHole Exploit Kit — Krebs on Security". krebsonsecurity.com. 6 December 2013. Retrieved 2018-03-30.
  6. "Blackhole Exploit Kit Author "Paunch" Arrested". Security Week. October 8, 2013. Retrieved October 15, 2013.
  7. Krebs, Brian (April 14, 2016). "'Blackhole' Exploit Kit Author Gets 7 Years". Krebs on Security. Retrieved April 20, 2016.
