Crooks behind exploit kits have switched from using the Angler to favouring Neutrino in recent attacks.

“Angler EK has almost completely disappeared,” according to Malwarebytes, a net security firm that has made a name for itself in closely tracking malicious advertising (malvertising) attacks. “We see Neutrino EK take centre stage in various attacks - sites compromised by malvertising, including Yahoo,” it adds.

Exploit Kits are used to booby-trap hacker-controlled websites in order to push malware as visiting surfers through drive-by-download attacks. The practical upshot of this is that Windows users running out-of-date versions of Flash (and who are tricked into responding to a dodgy link in a spam email) become infected with a spam-distribution bot or (worse) ransomware.

Angler has been the top exploit kit for months, ever since the demise of Blackhole back in October 2013. The threat from Angler increased only last week after news broke that it now comes outfitted with features for bypassing Microsoft’s EMET (Enhanced Mitigation Experience Toolkit) security controls. But apparently this doesn't tempt today's malware-slinger.

“Neutrino has been dropping ransomware lately, mainly CryptXXX but we have also seen it drop Cerber,” write Jérôme Segura, a senior security researcher at Malwarebytes, in a blog post. “At the moment, both Angler and Neutrino can exploit Flash Player up to version 21.0.0.213. This switch between the two is not new but this very noticeable change in activity remains intriguing.”

Malwarebytes isn’t alone in noticing the drop-off in Angler-related malfeasance. F-Secure reported earlier on Monday that Angler incidents had dropped while Neutrino soared over the last fortnight or so. Elsewhere independent security researchers are speculating the the drop-ff signals the possible demise of Angler.

Since it’s not clear why Angler has fallen so quickly it may perhaps be a bit too early to write its obituary. There has been no take-down and the decline in popularity might be purely temporary and driven by something like a price war in underground hacking circles or tied to a new, high-volume attack.

Although Blackhole stopped receiving updates following the arrest of its since-convicted author in October 2013, the exploit kit resurfaced last November. Popular strains of crimeware, in general, have a habit of re-appearing, most often with less potency than before but still hanging around to cause trouble, another reason it’d be unwise to put a line through Angler as a threat any time soon. ®