Lurk had been active solely in Russia since late 2011, but the technologies the group used became noisy when they appeared in the “World Market” years later. We were able to track the activity despite low detection by AV vendors.
We will comment on the group's activity over five years, showing methods, tactics and many high-profile victims (mostly what we call intermediate victims) whose sites were used for malware distribution. The list of victims includes high-profile news agencies (up to 1 million unique visitors per day) and even a domain in government sections.
We coordinated our efforts with victims and CERTs and can share the successful and unsuccessful steps of attack mitigation for this group. The group was arrested in June, and we should be able to document the impact on exploit kit activities.