Dotcachef Exploit Kit

— Update 6/27 —

The users of this exploit kit have dropped \/\.cache\/ from the URI and replaced it with \/[a-f0-9]{10}\/

They have also changed f=site.jar and f=atom.jar to f=s and f=s

Lots of examples of the changes are on

Props to EKwatcher for noticing this…

Example Chain: > Compromised via Malvertising > REDIR > JAR (application/octet-stream) > Unencoded EXE – ZA

Looking for “/.cache/?f=” in the URI gives pretty solid results.
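The URI check above, extended to the 6/27 pattern and run over proxy log lines. This is an added example, not code from the original post: the log layout, hosts and addresses are constructed, and it assumes "?f=" still follows the directory directly and that "s" is the whole parameter value.

```python
import re

# Original indicator quoted in the post.
OLD_RE = re.compile(r"/\.cache/\?f=")
# Updated indicator: /.cache/ became /[a-f0-9]{10}/ and the f value became "s".
# Assumption: "?f=" still follows the directory and "s" is the whole value.
NEW_RE = re.compile(r"/[a-f0-9]{10}/\?f=s(?:&|$)")
# Content type the example chain lists for the JAR.
JAR_CTYPE = "application/octet-stream"

# Constructed proxy log: timestamp, client, method, URL, status, content type.
SAMPLE_LOG = """\
2000-01-01T10:01:02Z 10.0.0.5 GET http://ads.example.test/.cache/?f=site.jar 200 application/octet-stream
2000-01-01T10:01:03Z 10.0.0.5 GET http://ads.example.test/.cache/?f=atom.jar 200 application/octet-stream
2000-01-02T09:15:40Z 10.0.0.9 GET http://cdn.example.test/0a1b2c3d4e/?f=s 200 application/octet-stream
2000-01-02T09:16:00Z 10.0.0.9 GET http://www.example.test/cache/?f=site.jar 200 text/html
2000-01-02T09:16:05Z 10.0.0.9 GET http://www.example.test/0A1B2C3D4E/?f=s 200 text/html
2000-01-02T09:16:09Z 10.0.0.9 GET http://www.example.test/0a1b2c3d4e/?f=search 200 text/html
"""


def classify(uri):
    """Return which URI pattern matches, or None."""
    if OLD_RE.search(uri):
        return "dotcachef-old"
    if NEW_RE.search(uri):
        return "dotcachef-new"
    return None


def scan(log_text):
    """Return (client, label, url, ctype_matches) for each matching line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip lines that do not fit the constructed layout
        label = classify(fields[3])
        if label:
            hits.append((fields[1], label, fields[3], fields[5] == JAR_CTYPE))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The updated pattern is much looser than the original, so the content-type flag is returned alongside each hit to help triage.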

See examples of Unknown Exploit Kit on

More examples and info can be found on
