Neptune Exploit Kit

On 03/10/17 there were postings on various forums about an exploit kit named Neptune. The author claims it has 17 different exploits, including some fresh CVEs from 2017.

Below is an image from one of the advertisements:


Claimed features include a malicious domain detect rotation trigger, steganography, a domain auto-rotator, a professional user interface (template for the interface can be found HERE), FUD (fully undetectable) exploits, and support for different browsers. The advertisement also lists the following CVEs:

  • CVE-2017-3823 (Cisco WebEx browser extension vulnerability)
  • CVE-2017-3289 (Java SE 7u121, Java SE 8u111, Java SE 8u112)
  • CVE-2017-2995 (Adobe Flash Player versions and earlier)
  • CVE-2017-0037 (Microsoft Internet Explorer 11 and Microsoft Edge)
  • CVE-2016-7200 (Chakra JavaScript scripting engine in Microsoft Edge)
  • CVE-2016-7201 (Chakra JavaScript scripting engine in Microsoft Edge)
  • CVE-2016-4117 (Adobe Flash Player and earlier)
  • CVE-2016-0189 (Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines)
  • CVE-2016-0034 (Microsoft Silverlight 5 before 5.1.41212.0)
  • CVE-2015-7645 (Adobe Flash Player 18.x through and 19.x through on Windows)
  • CVE-2015-6086 (Microsoft Internet Explorer 9 through 11)
  • CVE-2015-2419 (JScript 9 in Microsoft Internet Explorer 10 and 11)

The OP says that Flash and Java work silently on all browsers. They also stated that Firefox and Opera have their own landing pages and IE has its own exploit landing page. Chrome, however, is served no landing.

Here are some images of the dashboard and statistics:


Another image of browser and OS statistics:


The author is also advertising exploit kit protection features, as well as a 3-tiered package system, with package 3 costing the most at $1,200 per week and $4,000 per month:


The tiered packages come with different exploits, with package 1 offering only IE and Flash exploits.

I have yet to run into an infection chain involving this exploit kit so I can’t confirm any of these claims. Furthermore, the OP had their account closed on one of the forums and the thread was closed. Some people in the forum thread were accusing the OP of this being a scam. If anyone comes across more information you can contact me via Twitter.

Until next time!

  1. Very helpful. Thank you.



  2. Hi.

    Can you guide me to gather similar data in accordance to exploit kits? For instance, CVE IDs exploited by EKs.

    The EKs can be Astrum or Blackhole or Hanjuan or Rig. It will be a great aid for me.

    Thanks in advance.



  3. Sundown EK gone missing, Terror EK flavours seen in active drive-by campaigns – All-Daily-News April 16, 2017 at 6:19 PM

    […] there is a thing right now with rebranding and Terror EK has been known to be called Blaze, Neptune, or […]



    1. Okay. Thank you very much for the info.


