The IT Nerd

Cybersecurity intelligence firm CloudSEK has uncovered one of the most extensive and profitable malware delivery operations in recent history — a Pakistan-based, family-linked network that has weaponized software piracy to launch infostealer attacks on millions of victims worldwide.

The investigation, published in CloudSEK’s latest report, “The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed“, offers an unprecedented inside look into how a sprawling network of operators, affiliates, and infrastructure turned cracked software demand into a multi-million-dollar cybercrime business.

From Pirated Software to Global Infections

The syndicate’s primary lure was Search Engine Optimization (SEO) poisoning and forum spam on legitimate online communities. By posting links to cracked versions of high-demand software — such as Adobe After Effects and Internet Download Manager (IDM) — they funneled unsuspecting users to a maze of malicious WordPress sites. 

These sites distributed commodity infostealers, including Lumma Stealer, Meta Stealer, and, more recently, AMOS, concealed inside password-protected archives to evade detection.

In addition to SEO and forum spam, the operators also ran paid ads through legitimate traffic services to drive even more users to their malicious domains. This allowed them to blend malicious activity with normal web marketing traffic, making detection and takedown far more difficult.

Once installed, the malware exfiltrated credentials, browser data, cryptocurrency wallets, and other sensitive information — data that was later monetized through resale and secondary fraud.

Meanwhile, ahead of India’s 79th Independence Day (August 2025), hacktivist groups and cybercriminals launched coordinated attacks targeting government, finance, and defense sectors. Fueled by the Pahalgam terror attack, threat actors from Pakistan, China, and others executed over 4,000 incidents, including phishing, fake websites, data breaches, and scams. APT groups like APT36 and APT41 deployed credential theft campaigns. Citizens are urged to stay alert and report suspicious activity.

CloudSEK’s research team has, in parallel, exposed an ongoing campaign by Pakistan targeting the Indian government and critical infrastructure ahead of Independence Day. Read the full analysis here: https://www.cloudsek.com/blog/cybersecurity-in-focus-recent-threats-targeting-india-amid-independence-day-celebrations

Key Findings from CloudSEK’s Investigation

Scale & Reach

• 5,239 registered affiliates operated 3,883 malware distribution sites.
• Generated 449 million clicks and 1.88 million documented installs over the observed period.
• Estimated lifetime revenue of $4.67 million, with actual earnings likely higher due to undocumented “off-ledger” settlements.

Financial Operations

• Between May and October 2020 alone, the network paid out $130,560.53 to affiliates at an average Effective Cost Per Install (eCPI) of $0.0693.
• Top affiliates captured over 45% of total payouts.
• Preferred payment method: Payoneer (67%), followed by Bitcoin (31%) — a rare case of cybercriminals leaning on traditional financial channels to disguise illicit activity.
   

Organizational Structure

• Operated primarily out of Bahawalpur and Faisalabad, Pakistan.
• Multiple operators shared the same family surname, suggesting a multi-generational, family-run cybercrime syndicate.
• Divided roles between primary operators (network management & finances), affiliates (traffic generation via warez sites), and financial facilitators (handling payouts and settlements).

Evolving Tactics

Shifted from “install-based” monetization in 2020 to download-focused campaigns by 2021, likely to evade detection.

Maintained 383 long-haul domains active for over a year, accounting for 85% of total installs, alongside hundreds of short-lived throwaway domains using disposable TLDs (.cfd, .lol, .cyou).

“The magnitude of this operation is staggering — 449 million clicks, millions of installs, and over 10 million potential victims whose personal data, credentials, and financial information have been stolen and sold. Beyond the numbers, the real damage is in the ripple effect: stolen credentials used for identity theft, online fraud, and corporate breaches,” Ravi added.

A Rare Breakthrough: When Hackers Get Hacked

The turning point in the investigation came when the operators themselves were infected with infostealer malware. Their own logs — containing admin credentials, payout histories, and internal communications — were exfiltrated and analyzed by CloudSEK’s TRIAD team.

This unique dataset provided:

• Full access to InstallBank’s backend, including SQLi vulnerabilities that revealed the affiliate ledger and payment history.
• Affiliate account credentials for the secondary network, SpaxMedia (later rebranded as Installstera), exposing payout dashboards, domain configurations, and marketing materials.
• Direct attribution linking multiple operators to specific domains, payment accounts, and social media profiles.

The Monetization Engine: Two PPI Networks

CloudSEK identified two interconnected Pay-Per-Install (PPI) networks at the core of the operation:

• InstallBank.com — Active since 2018, offline as of August 2025. Managed thousands of affiliates, with a highly lucrative payout structure.
• SpaxMedia → Installstera.com — Launched in 2022, briefly suspended in 2024, and relaunched in early 2025 using the same codebase and user base.

Together, these networks paid affiliates per successful malware installation or download. Operators used SEO marketing, warez distribution sites, and paid social media ads to drive traffic to their payloads.

Global Victimology & Impact

While the campaign’s infrastructure was Pakistan-centric, its victim base was global. The primary targets were individuals seeking pirated software — a demographic that often bypasses security warnings and disables antivirus software, making them high-risk.

CloudSEK estimates that with an average resale price of $0.47 per stolen credential log, the network’s total impact could extend to over 10 million victims worldwide.

Strategic Implications for Law Enforcement & Industry

This case demonstrates that major cybercrime enterprises can — and do — operate in plain sight, using:

• Legitimate financial services (e.g., Payoneer, Bitcoin exchanges with weak KYC).
• Public-facing marketing tactics (SEO, Facebook ads, community forum posts).
• Persistent infrastructure capable of surviving takedowns for years.

CloudSEK recommends a multi-pronged disruption strategy combining:

• Domain takedowns targeting the 383 long-haul sites.
• Financial interdiction in collaboration with Payoneer and other processors.
• Search engine de-indexing of warez sites hosting malware.
• User education campaigns warning about cracked software risks.
   

Download the Full Report

The complete investigation, including detailed Indicators of Compromise (IOCs), infrastructure mapping, and payment analysis, is available here: Download Full Report