Category: Malware Delivery

Exploit kits in the browser

Exploit kits are automated toolchains that probe a visitor’s browser for vulnerabilities and deliver a payload if they find a match.

Quick answer

They industrialize drive-by compromise: one compromised site or malicious ad can opportunistically infect many visitors.

For drive-by content and risky downloads, isolation keeps untrusted web execution off the endpoint and makes each browsing session disposable.

When you need this

  • You’ve seen indicators of this threat in your environment.
  • Users frequently click unknown links as part of daily work.
  • You need a control that reduces risk without relying on perfect user judgment.

Last updated

2026-01-29

How it usually happens in the browser

  • A user visits a compromised site or malvertising landing page.
  • The page fingerprints the browser, plugins, and environment to pick an exploit path.
  • If a vulnerable component is detected, the exploit runs and drops malware.
  • Attackers rotate infrastructure to evade detection and keep campaigns running.

What traditional defenses miss

  • Patching helps, but organizations are rarely 100% current across every endpoint and plugin.
  • Exploit chains can be obfuscated and delivered conditionally to avoid scanners.
  • Security controls may detect only after exploitation begins rather than preventing web code from reaching the endpoint.

How isolation changes the game

  • Isolation runs untrusted web code in a separate container, reducing the chance that an exploit chain can reach the endpoint.
  • Disposable sessions and session deletion reduce persistence from exploit-driven state and dropped artifacts.
  • Policy can put high-risk browsing sources (ads, unknown sites) behind isolation without blocking legitimate research workflows.

Operational checklist

  • Patch browsers and reduce plugin/extension footprint; remove legacy plugins where possible.
  • Route unknown domains and ad-click traffic into isolation.
  • Block downloads from risky browsing contexts; require scanning before a file is released to the user.
  • Monitor for exploit-like behaviors (sudden redirects, unusual script activity, unexpected downloads).
  • Have an incident path for “suspected drive-by” that includes browser logs and network telemetry.
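As an added example (not part of this page or of any vendor's tooling), a small Python detector that applies the monitoring point above to proxy logs: it flags a client that follows a short redirect chain across several unfamiliar hosts and then downloads a binary from one of them. The log format, host allowlist, MIME types and thresholds are constructed assumptions, as are the sample log lines.

```python
"""Flag drive-by-like sequences in proxy logs: redirects across unfamiliar hosts, then a binary download."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample proxy log (not from any real environment).
# Fields: timestamp client method url status content-type
SAMPLE_LOG = """\
2026-01-29T10:00:01 10.0.0.5 GET https://news.example.org/story.html 200 text/html
2026-01-29T10:00:02 10.0.0.5 GET https://ads.example-cdn.net/slot.js 200 application/javascript
2026-01-29T10:00:03 10.0.0.5 GET https://r1.example-redir.com/go?id=7 302 text/html
2026-01-29T10:00:03 10.0.0.5 GET https://tds.example-traffic.xyz/land 302 text/html
2026-01-29T10:00:04 10.0.0.5 GET https://lp.example-landing.top/fp.js 200 application/javascript
2026-01-29T10:00:06 10.0.0.5 GET https://lp.example-landing.top/dl.exe 200 application/x-msdownload
2026-01-29T10:05:00 10.0.0.9 GET https://intranet.example.org/ 302 text/html
2026-01-29T10:05:01 10.0.0.9 GET https://intranet.example.org/login 200 text/html
2026-01-29T10:06:00 10.0.0.9 GET https://downloads.example.org/tool.exe 200 application/x-msdownload
"""
# Assumed allowlist of hosts the organization already knows and trusts.
KNOWN_HOSTS = {"news.example.org", "intranet.example.org", "downloads.example.org"}
BINARY_TYPES = {"application/x-msdownload", "application/octet-stream", "application/x-dosexec"}
WINDOW_SECONDS = 30      # how far back to look for the redirect chain
MIN_REDIRECT_HOPS = 2    # distinct unfamiliar hosts that redirected

def parse_line(line):
    ts, client, _method, url, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": urlparse(url).hostname, "status": int(status), "ctype": ctype}

def find_driveby_sequences(log_text):
    """Return (client, download_host, redirect_hosts) for each flagged binary download."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            per_client[ev["client"]].append(ev)
    hits = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["ctype"] not in BINARY_TYPES or ev["host"] in KNOWN_HOSTS:
                continue
            # Distinct unfamiliar hosts that answered with a 3xx shortly before the download.
            recent = [e for e in events[:i] if (ev["ts"] - e["ts"]).total_seconds() <= WINDOW_SECONDS]
            hops = {e["host"] for e in recent if 300 <= e["status"] < 400 and e["host"] not in KNOWN_HOSTS}
            if len(hops) >= MIN_REDIRECT_HOPS:
                hits.append((client, ev["host"], sorted(hops)))
    return hits

if __name__ == "__main__":
    for client, host, hops in find_driveby_sequences(SAMPLE_LOG):
        print(f"{client}: binary from {host} after redirects via {', '.join(hops)}")
```

The second client's download is not flagged because it comes from an allowlisted host and its only redirect was on a known host, which is the distinction a triage rule like this needs to avoid paging on routine software downloads.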

FAQs

Are exploit kits still a thing?

The ecosystem evolves, but the pattern—automated exploitation via the browser—remains common wherever there are unpatched systems and ad/redirect traffic.

Does patching eliminate the risk?

It reduces it significantly, but zero-days and patch gaps still exist. Isolation adds a layer that changes where risky code runs.

How does isolation help if the exploit targets the browser?

If untrusted browsing runs in an isolated container, the exploit targets the container environment rather than the endpoint device.

What traffic is highest risk?

Ad-driven traffic, free streaming/content sites, and compromised WordPress/plugin-heavy sites tend to show up frequently in campaigns.
