A recent investigation by cybersecurity firm CloudSEK has exposed a large malware distribution network based in Pakistan, reportedly one of the most lucrative of its kind uncovered in recent years. The cybercrime syndicate, allegedly run by a group of individuals with family connections in Bahawalpur and Faisalabad, has been exploiting demand for pirated software to spread credential-stealing malware to millions of devices worldwide.

The report, titled "The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed", details the group's methods. They used search engine optimization (SEO) poisoning, forum spam and paid advertising to promote cracked versions of widely used software, including Adobe After Effects and Internet Download Manager, through malicious WordPress sites. The downloads delivered infostealers such as Lumma Stealer, Meta Stealer and AMOS inside password-protected archives, which prevents antivirus and browser download scanners from inspecting the payload until the victim enters the password.

CloudSEK's research indicates that the operation involved 5,239 registered affiliates and nearly 3,900 distribution sites, which together recorded 449 million clicks and more than 1.88 million installs. The network's estimated revenue is approximately $4.67 million, and actual earnings are likely higher because not all transactions were recorded. Payment records show that affiliates were paid mainly through Payoneer (67%) and Bitcoin (31%), with the top earners taking nearly half of the total payouts; in one five-month period in 2020, more than $130,000 was paid out to participants.

The investigation also links the operation to two related pay-per-install networks, InstallBank.com and SpaxMedia, the latter later rebranded as Installstera.com. The network relied on a mix of long-lived domains and short-lived throwaway addresses to evade detection and takedowns.
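The password-protected archive is the detail a defender can act on: a scanner cannot inspect an encrypted ZIP entry, so a download pipeline should at least flag archives that carry one, and flag executables inside a supposed "crack". The Python below is an added example written for this article, not CloudSEK's tooling or anything taken from the report. It builds a constructed sample archive in memory, sets the ZIP encryption flag on one entry the way a password-protected archive would carry it, and triages the file without extracting anything. The suffix list, the verdict strings and the sample file names are this example's own assumptions.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP general-purpose bit flag marks an encrypted entry (PKWARE APPNOTE 4.4.4).
ZIP_ENCRYPTED_FLAG = 0x0001

# Assumed list for this example: content that should not be inside a plain "crack" download.
SUSPICIOUS_SUFFIXES = (".exe", ".scr", ".dll", ".msi", ".bat", ".cmd",
                       ".js", ".vbs", ".dmg", ".pkg")


def triage_archive(data: bytes) -> dict:
    """Inspect a downloaded archive from its central directory only; nothing is extracted.

    Encrypted entries are reported separately because no scanner can look inside them,
    which is exactly why a password-protected archive is a red flag on its own.
    """
    result = {"is_zip": False, "entries": 0, "encrypted": [], "suspicious": [], "verdict": "clean"}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            result["entries"] += 1
            if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                result["encrypted"].append(info.filename)
            if info.filename.lower().endswith(SUSPICIOUS_SUFFIXES):
                result["suspicious"].append(info.filename)
    if result["encrypted"]:
        result["verdict"] = "quarantine: encrypted entries cannot be scanned"
    elif result["suspicious"]:
        result["verdict"] = "review: executable content"
    return result


def _set_encrypted_flag(data: bytes, name: str) -> bytes:
    """Set the encryption bit on one entry in both its local header and central directory record.

    This only flips the flag so the archive looks password-protected to a parser; the payload
    bytes are left as they are. Offsets follow the APPNOTE layout of each header.
    """
    buf = bytearray(data)
    target = name.encode()
    # (signature, flag offset, filename-length offset, filename offset)
    layouts = ((b"PK\x03\x04", 6, 26, 30),   # local file header
               (b"PK\x01\x02", 8, 28, 46))   # central directory header
    for sig, flag_off, len_off, name_off in layouts:
        pos = buf.find(sig)
        while pos >= 0:
            (fnlen,) = struct.unpack_from("<H", buf, pos + len_off)
            if bytes(buf[pos + name_off:pos + name_off + fnlen]) == target:
                (flags,) = struct.unpack_from("<H", buf, pos + flag_off)
                struct.pack_into("<H", buf, pos + flag_off, flags | ZIP_ENCRYPTED_FLAG)
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(encrypt: bool) -> bytes:
    """Constructed sample download: a fake installer plus a README carrying the archive password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Setup.exe", b"MZ" + b"\x00" * 62)   # constructed stand-in, not a real binary
        zf.writestr("README.txt", b"archive password: 1234")
    data = buf.getvalue()
    return _set_encrypted_flag(data, "Setup.exe") if encrypt else data


if __name__ == "__main__":
    for label, sample in (("plain", build_sample(False)), ("protected", build_sample(True))):
        print(label, triage_archive(sample))
```

Reading the central directory is enough to make the decision; the point is that the verdict is reached before anything is extracted, which is the only safe order for a file that arrived from a cracked-software site.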
A crucial break came when the operators were infected by their own infostealer, which exposed internal credentials, payment records and the links between individuals and financial accounts.

CloudSEK's findings coincide with a marked rise in cyberattacks targeting Indian government entities and critical infrastructure as the country approached its 79th Independence Day on August 15, 2025. A concurrent CloudSEK investigation recorded more than 4,000 incidents in the weeks before the celebrations, concentrated on the defense, finance and administration sectors. The surge followed heightened geopolitical tensions after the Pahalgam terror attack. Threat actors from Pakistan, China and other countries have reportedly collaborated in campaigns involving phishing, fraudulent websites and large-scale scams aimed at stealing data. Advanced Persistent Threat (APT) groups, including Pakistan's APT36 and China's APT41, have been implicated in credential theft operations against sensitive government and corporate information.

Authorities are urging citizens to stay alert and report suspicious activity, as attackers are using spoofed domains, counterfeit mobile applications and social engineering to deceive victims. The timing suggests a deliberate strategy to cause disruption during major national events. CloudSEK calls for targeted responses, including domain seizures, financial action in partnership with payment processors, and public awareness campaigns, to counter both current and future threats.