Angler EK leads to fileless Gootkit

released on 2016-02-08 @ 07:22:14 AM
On January 27, 2016, Cyphort Labs discovered a website that was serving Angler EK, which in turn delivered a fileless variant of the Gootkit (a.k.a. XswKit) malware. The site was redirecting visitors to the exploit kit through a compromised OpenX ad server that injected a malicious iframe into the pages it served. The iframe led to Angler EK, which dropped the Bedep ad-fraud malware; Bedep then downloaded a Gootkit loader. The loader injects a DLL component carried in its own body into explorer.exe. The injected DLL then downloads the fileless Gootkit payload, stores it in the registry as binary data, and loads it directly into memory rather than writing it to disk as a file.
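Because the Gootkit payload lives only in a registry value and in memory, file-based scanning misses it; a practical hunt is to look for PE images hidden in binary registry data. The following is an added example, not code from Cyphort's write-up and not tied to any registry path Gootkit actually used (the page does not name one). It parses a .reg export (as produced by `reg export` or regedit) and flags hex-typed values that either start with an MZ/PE header or are unusually large. The export text is constructed for the example and is not a real Gootkit artefact.

```python
import re
from typing import Dict, List, Tuple

# Constructed .reg export used as sample input (not a real Gootkit artefact).
# "blob" carries bytes laid out like a PE image: "MZ" at offset 0 and an
# e_lfanew at offset 0x3c pointing to a "PE\0\0" signature at offset 0x40.
# The other values are benign. Key names are placeholders.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleVendor\Settings]
"Version"="1.0"
"Theme"=hex:01,00,00,00

[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]
"blob"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,00,\
  40,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00,00,00,00,00,40,00,00,00,50,45,00,00,4c,01,03,00
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# Matches "name"=hex:..., "name"=hex(N):... and the default value @=hex:...
BIN_RE = re.compile(
    r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$'
)


def parse_binary_values(reg_text: str) -> List[Tuple[str, str, bytes]]:
    """Return (key, value_name, data) for every hex-typed value in a .reg export.

    Handles the format's line continuation: a trailing backslash means the
    comma-separated hex list continues on the next (indented) line.
    """
    results = []
    key = ''
    pending = None  # logical line accumulated across continuation lines
    for raw in reg_text.splitlines():
        line = raw.strip()
        if pending is not None:
            line = pending + line
            pending = None
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = BIN_RE.match(line)
        if not m:
            continue  # string/dword values are not of interest here
        name = m.group('name') if m.group('name') is not None else '(Default)'
        hex_items = [h.strip() for h in m.group('data').split(',') if h.strip()]
        data = bytes(int(h, 16) for h in hex_items)
        results.append((key, name, data))
    return results


def looks_like_pe(data: bytes) -> bool:
    """True if data begins with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], 'little')
    return data[e_lfanew:e_lfanew + 4] == b'PE\x00\x00'


def find_suspicious_values(reg_text: str, size_threshold: int = 64 * 1024) -> List[Dict[str, object]]:
    """Flag hex-typed values that embed a PE image or exceed size_threshold bytes.

    The threshold is a tuning knob: legitimate software stores small binary
    settings, while a staged executable payload tends to be tens of KB or more.
    """
    findings = []
    for key, name, data in parse_binary_values(reg_text):
        reasons = []
        if looks_like_pe(data):
            reasons.append('embedded PE image')
        if len(data) >= size_threshold:
            reasons.append(f'{len(data)} bytes of binary data')
        if reasons:
            findings.append({'key': key, 'name': name, 'size': len(data), 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in find_suspicious_values(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']}: {f['size']} bytes; " + '; '.join(f['reasons']))
```

Run it against `reg export HKCU hkcu.reg /y` output (or an export of HKLM\Software) from a suspect host and review every hit by hand; a packed or XOR-encoded payload will not show an MZ header, which is why the size heuristic is kept as a second, noisier signal.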