The IT Nerd

As millions of shoppers gear up for Black Friday and the holiday shopping season, CloudSEK, a global leader in AI-driven digital risk protection, has uncovered an alarming rise in fake online stores. 

The investigation reveals over 2,000 fraudulent holiday-themed e-commerce sites designed to exploit consumer trust by impersonating well-known retail brands, harvesting payment and personal data, and using aggressive urgency tactics – including recycled templates, fake social proof pop-ups, and typosquatted brand variations. This represents one of the most extensive seasonal fraud operations observed to date.

The research highlights two major phishing clusters:

• Cluster One: More than 750 interconnected potential fake storefronts, including over 170 Amazon-themed typosquatted domains alongside other potential retail mimicries. These sites use identical holiday templates with flipclock-style urgency timers, fake trust badges, and pop-ups simulating recent purchases along with usage of suspicious resources known for phishing and malware distribution. Payments are redirected to attacker-controlled shell checkout sites, facilitating stealthy financial theft.
• Cluster Two: Over 1,000 domains under the .shop TLD impersonating global brands such as Samsung, Jo Malone, Ray-Ban, Xiaomi, and others. This is indicated by observed phishing tactics of inducing urgency, false legitimacy, social engineering via fraudulent contact, along with misspellings etc. These sites replicate the same Black Friday/Cyber Monday template and fraudulent checkout process for financial fraud, indicating the use of a standardized phishing kit.

Researchers at CloudSEK have observed that these fake shops are likely promoted through short-lived social media ads, and SEO-optimised search results, along with possible propagation via WhatsApp and Telegram forwards, private deal communities, etc., increasing the risk that consumers encounter fraudulent sites before official brand pages.

Financial analysis shows these sites may potentially attract hundreds of visitors during narrow windows, convert 3-8% through urgency messaging, and generate $2,000–$12,000 per fraudulent store before takedown. 

Besides immediate financial loss, victims risk long-term identity theft from insecure data transmission. Brands face reputational damage, increased customer service burdens, and revenue loss from diverted sales.

Consumers should watch for warning signs such as unrealistic 70–90% discounts, flashy countdown timers, misspelt brand names in URLs, fake trust badges, suspicious checkout redirects, absence of official customer support contact, other misleading tactics, and repetitive templated layouts across multiple similar online storefronts. Shoppers are advised to navigate only to official brand websites or apps and retailers that don’t contain obvious potential indicators of an overall coordinated phishing campaign.

CloudSEK urges organisations in retail, electronics, beauty, and lifestyle sectors to monitor newly registered domains, track impersonation attempts, conduct social media scans for fraudulent promotions, and establish rapid takedown protocols.

Regulatory bodies and cybersecurity agencies can strengthen defenses by leveraging the WHOIS patterns, monitoring high-abuse ASNs and netblocks, partnering with ad networks to block scam ads, promoting public awareness campaigns, and enhancing coordination for swift scam cluster dismantling.

CloudSEK’s XVigil platform continuously monitors digital ecosystems for emerging threats, sharing intelligence to support timely mitigation. 

Note: References to third-party brands or company names in this report are solely for the purpose of illustrating observed impersonation or fraudulent activity conducted by threat actors. CloudSEK does not imply or suggest that any such third party is involved in, responsible for, or associated with the fraudulent activity.

Strengthening the UAE’s cybersecurity ecosystem, Seed Group, a company of The Private Office of Sheikh Saeed bin Ahmed Al Maktoum, has entered into a strategic partnership with CloudSEK, a leading AI-powered cybersecurity firm from India.

With this alliance, CloudSEK becomes part of Seed Group’s ecosystem of global innovators, marking a significant milestone for Indian-origin cybersecurity on the global stage. Founded in 2015 by threat researcher-turned-entrepreneur Rahul Sasi, CloudSEK is a leading AI-powered cyber threat intelligence platform focused on predicting and preventing cyber threats.

A Strategic Alliance for a Resilient Digital Future

Seed Group, recognised for catalysing the success of innovative businesses entering the UAE and GCC markets, will work with cyber threat intelligence firm CloudSEK to empower both public- and private-sector organisations with next-generation cyber risk-management capabilities.

This collaboration brings CloudSEK’s AI-powered Cyber Threat Intelligence technologies to the heart of the Middle East’s digital economy. The platform enables faster detection, contextual analysis, and mitigation of cyber threats before they escalate into incidents, offering a proactive approach to security.

As the UAE cements its position as a global hub for trade and innovation, the demand for advanced cybersecurity has never been higher. Through Seed Group’s deep regional insight and network, CloudSEK will address these needs with solutions that integrate threat intelligence, brand protection, attack-surface monitoring, and supply-chain security into a unified, intelligence-driven platform.

The Middle East cybersecurity market, valued at USD 16.75 billion in 2025, is projected to reach USD 26.04 billion by 2030, growing at a 9.2% CAGR. The region faces escalating threats, with the UAE alone confronting over 200,000 cyberattacks daily—34.9% targeting government entities, 21.3% financial firms, 14% energy sectors, and 11.6% insurance companies. The financial impact is severe: the average data breach cost in the Middle East reached USD 8.75 million in 2024, nearly 10% higher than in 2023, underscoring the urgent need for advanced, predictive cybersecurity solutions like those offered by CloudSEK.

CloudSEK’s approach goes beyond traditional detection and response. By continuously mapping an organisation’s external digital footprint, analysing vast data from open, deep, and dark-web sources, and delivering real-time, actionable intelligence, CloudSEK enables decision-makers to stay ahead of adversaries.

The company’s proprietary AI engine has proven its mettle by identifying and preventing large-scale data breaches for major financial institutions well ahead of an actual attack. By continuously analysing massive volumes of threat data across the digital ecosystem, CloudSEK delivers actionable intelligence across 170 use cases, offering comprehensive solutions in brand monitoring, digital risk protection, attack surface monitoring, and supply chain security. The top cyber threat intelligence cloud provider, CloudSEK, helps major companies around the world spot and address cyber threats to reduce risks to their operations, finances, and reputation.

Its technology helps enterprises and governments across the world mitigate risks, strengthen cyber-resilience, and build digital trust—protecting reputation, revenue, and operations in an era of borderless cyber threats.

A Global Vote of Confidence in Indian Cybersecurity

CloudSEK’s success highlights India’s evolution from a services-led technology hub to a global originator of cybersecurity innovation.

This partnership not only accelerates CloudSEK’s presence in the Middle East but also represents a broader trend: nations and enterprises worldwide are increasingly looking to Indian firms for sophisticated, scalable, and affordable cybersecurity intelligence.

CloudSEK, a leading cybersecurity firm, has exposed a sophisticated China-based operation selling high-quality counterfeit U.S. and Canadian driver’s licenses and Social Security Number (SSN) cards, posing a severe threat to national security, financial systems, and public trust.

The investigation, conducted by CloudSEK’s STRIKE team, uncovered a sprawling network of 83+ interconnected domains supported by 24/7 WeChat customer support, custom order flows, and multiple payment channels. Analysis of the exfiltrated database revealed over 6,500 counterfeit licenses sold to 4,500+ buyers, generating more than $785,000 in revenue. 

A Hidden Threat Undermining Trust

Counterfeit IDs aren’t just tools for underage drinking—they enable serious crimes, including illegal firearm purchases, SIM-swap fraud, large-scale logistics misuse, and even election interference. CloudSEK researchers confirmed that the IDs, priced as low as $65 in bulk, are fully scannable and replicate advanced security features such as holograms, UV markings, laser engraving, and relief printing, making them nearly indistinguishable from genuine documents.

“This isn’t just about fake IDs – this is about a systematic attack on the foundation of trust that underpins our financial, legal, and civic systems,” said Sourajeet Majumder, security researcher at CloudSEK STRIKE. “When a single counterfeit license can enable unauthorized drivers, bypass compliance checks, or facilitate smuggling, we’re looking at a genuine national security threat.”

Sophisticated Operations

The threat actor demonstrated remarkable sophistication:

• Shell E-commerce Sites: Transactions were routed through fake online stores (clothing, shoes, accessories) to mask payments via PayPal, LianLian Pay, and cryptocurrencies.
• Covert Packaging: IDs were shipped globally via FedEx, USPS, DHL, and Canada Post, hidden inside toys, purses, or layered cardboard with camouflage stickers to evade detection. Tutorial videos guided buyers on retrieving concealed IDs.
• Systemic Misuse: One buyer linked to two trucking companies with revoked U.S. operating authorities purchased 42 counterfeit commercial driver’s licenses—highlighting risks to transportation safety and regulatory integrity.
• High-Confidence Attribution: Through HUMINT and OSINT, CloudSEK pinpointed the actor’s exact geolocation in Xiamen, Fujian, China and obtained a facial image via webcam capture. 
   

Key Findings

• Massive Scale: Over 6,500 fake IDs sold, with dense clusters of buyers in New York, Pennsylvania, Florida, Georgia, Ontario, and British Columbia.
• Financial Footprint: $785,000+ generated through PayPal, LianLian Pay, Bitcoin, Ethereum, and Western Union.
• Age Analysis: Nearly 60% of buyers were above 25 years old, signaling intentions beyond casual misuse.
• Marketing Tactics: The network promoted IDs via Meta Ads, TikTok, Telegram, and YouTube, openly advertising uses like passing police checks, renting cars, or accessing benefits.
   

Real-World Consequences

The implications are far-reaching:

• National Security: Fake IDs can bypass airport, border, and law enforcement checks.
• Financial Fraud: Scannable IDs enable SIM swaps and account takeovers.
• Election Integrity: IDs can be exploited for mail-in ballot and voter registration fraud.
• Logistics & Trafficking Risks: Fake commercial driver’s licenses allow unlicensed operators to bypass U.S. Department of Transportation checks.
   

A Call to Action

CloudSEK urges urgent global action:

• Law Enforcement: Seize the 83+ domains and pursue legal action using attribution evidence.
• Courier Vigilance: Alert FedEx, USPS, and DHL to the covert packaging tactics.
• Payment Processors: Trace and freeze illicit accounts across PayPal, Western Union, and crypto platforms.
• Continuous Monitoring: Deploy threat intelligence platforms like CloudSEK’s XVigil for proactive detection.
   

For More Information, Read The Full Report

CloudSEK’s latest research reveals a novel cyber threat that exploits the trust users place in AI summarization tools, turning them into unintentional delivery mechanisms for ransomware.

The report, titled “Trusted My Summarizer, Now My Fridge Is Encrypted,“ demonstrates how attackers can use invisible prompt injection and prompt overdose techniques to manipulate AI-powered summarizers embedded in email clients, browsers, and productivity apps. By embedding malicious payloads in HTML with CSS-based obfuscation (such as white-on-white text, zero-width characters, and off-screen rendering), attackers can trick AI summarizers into reproducing ClickFix-style step-by-step ransomware instructions in their summaries.

Key Findings

• Invisible Prompt Injection: Attackers hide malicious text in HTML using CSS tricks, invisible to humans but fully interpretable to AI summarizers.
• Prompt Overdose: Payloads are repeated dozens of times, overwhelming the summarizer’s context window and ensuring attacker instructions dominate outputs.
• Weaponized Summarizers: When users rely on summarizers to triage content, the AI may unknowingly echo back attacker-controlled ransomware steps as trusted advice.
• Real-World Proof-of-Concept: CloudSEK successfully demonstrated how hidden payloads can instruct users to run Base64-encoded PowerShell commands simulating ransomware delivery.
• Amplified Social Engineering: Because instructions appear to come from a trusted AI assistant rather than an external actor, the likelihood of compliance is significantly higher. 

Potential Impact

1. Mass Amplification of Attacks — Summarizers in email previews, search snippets, and browser extensions could echo attacker payloads at scale.
2. Lower Barrier for Ransomware Execution — Even non-technical users could be tricked into executing ransomware payloads.
3. SEO-Driven Threat Multiplication — Poisoned blogs, forums, and indexed content could spread malicious instructions widely.
4. Enterprise Risks — Internal copilots and summarizers could inadvertently relay attacker steps into trusted business workflows.
5. Operational & Reputational Harm — Ransomware incidents delivered via trusted AI tools may cause higher compliance rates, longer downtimes, and financial losses.

Mitigation Strategies

CloudSEK recommends immediate defensive measures, including:

• Client-Side Sanitization — Strip suspicious CSS elements (opacity:0, zero-width, white-on-white) before processing.
• Prompt Filtering — Detect and neutralize hidden meta-instructions or excessive repetition.
• Payload Detection — Use heuristics to identify encoded commands and malicious patterns.
• User Awareness & Safeguards — Summarizers should indicate whether steps originate from visible or hidden content.
• Enterprise AI Policy Enforcement — Organizations must screen inbound HTML/documents for hidden text before ingestion.
   

Cybersecurity intelligence firm CloudSEK has uncovered one of the most extensive and profitable malware delivery operations in recent history — a Pakistan-based, family-linked network that has weaponized software piracy to launch infostealer attacks on millions of victims worldwide.

The investigation, published in CloudSEK’s latest report, “The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed“, offers an unprecedented inside look into how a sprawling network of operators, affiliates, and infrastructure turned cracked software demand into a multi-million-dollar cybercrime business.

From Pirated Software to Global Infections

The syndicate’s primary lure was Search Engine Optimization (SEO) poisoning and forum spam on legitimate online communities. By posting links to cracked versions of high-demand software — such as Adobe After Effects and Internet Download Manager (IDM) — they funneled unsuspecting users to a maze of malicious WordPress sites. 

These sites distributed commodity infostealers, including Lumma Stealer, Meta Stealer, and, more recently, AMOS, concealed inside password-protected archives to evade detection.

In addition to SEO and forum spam, the operators also ran paid ads through legitimate traffic services to drive even more users to their malicious domains. This allowed them to blend malicious activity with normal web marketing traffic, making detection and takedown far more difficult.

Once installed, the malware exfiltrated credentials, browser data, cryptocurrency wallets, and other sensitive information — data that was later monetized through resale and secondary fraud.

Meanwhile, ahead of India’s 79th Independence Day (August 2025), hacktivist groups and cybercriminals launched coordinated attacks targeting government, finance, and defense sectors. Fueled by the Pahalgam terror attack, threat actors from Pakistan, China, and others executed over 4,000 incidents, including phishing, fake websites, data breaches, and scams. APT groups like APT36 and APT41 deployed credential theft campaigns. Citizens are urged to stay alert and report suspicious activity.

CloudSEK’s research team has, in parallel, exposed an ongoing campaign by Pakistan targeting the Indian government and critical infrastructure ahead of Independence Day. Read the full analysis here: https://www.cloudsek.com/blog/cybersecurity-in-focus-recent-threats-targeting-india-amid-independence-day-celebrations

Key Findings from CloudSEK’s Investigation

Scale & Reach

• 5,239 registered affiliates operated 3,883 malware distribution sites.
• Generated 449 million clicks and 1.88 million documented installs over the observed period.
• Estimated lifetime revenue of $4.67 million, with actual earnings likely higher due to undocumented “off-ledger” settlements.

Financial Operations

• Between May and October 2020 alone, the network paid out $130,560.53 to affiliates at an average Effective Cost Per Install (eCPI) of $0.0693.
• Top affiliates captured over 45% of total payouts.
• Preferred payment method: Payoneer (67%), followed by Bitcoin (31%) — a rare case of cybercriminals leaning on traditional financial channels to disguise illicit activity.
   

Organizational Structure

• Operated primarily out of Bahawalpur and Faisalabad, Pakistan.
• Multiple operators shared the same family surname, suggesting a multi-generational, family-run cybercrime syndicate.
• Divided roles between primary operators (network management & finances), affiliates (traffic generation via warez sites), and financial facilitators (handling payouts and settlements).

Evolving Tactics

Shifted from “install-based” monetization in 2020 to download-focused campaigns by 2021, likely to evade detection.

Maintained 383 long-haul domains active for over a year, accounting for 85% of total installs, alongside hundreds of short-lived throwaway domains using disposable TLDs (.cfd, .lol, .cyou).

“The magnitude of this operation is staggering — 449 million clicks, millions of installs, and over 10 million potential victims whose personal data, credentials, and financial information have been stolen and sold. Beyond the numbers, the real damage is in the ripple effect: stolen credentials used for identity theft, online fraud, and corporate breaches,” Ravi added.

A Rare Breakthrough: When Hackers Get Hacked

The turning point in the investigation came when the operators themselves were infected with infostealer malware. Their own logs — containing admin credentials, payout histories, and internal communications — were exfiltrated and analyzed by CloudSEK’s TRIAD team.

This unique dataset provided:

• Full access to InstallBank’s backend, including SQLi vulnerabilities that revealed the affiliate ledger and payment history.
• Affiliate account credentials for the secondary network, SpaxMedia (later rebranded as Installstera), exposing payout dashboards, domain configurations, and marketing materials.
• Direct attribution linking multiple operators to specific domains, payment accounts, and social media profiles.

The Monetization Engine: Two PPI Networks

CloudSEK identified two interconnected Pay-Per-Install (PPI) networks at the core of the operation:

• InstallBank.com — Active since 2018, offline as of August 2025. Managed thousands of affiliates, with a highly lucrative payout structure.
• SpaxMedia → Installstera.com — Launched in 2022, briefly suspended in 2024, and relaunched in early 2025 using the same codebase and user base.

Together, these networks paid affiliates per successful malware installation or download. Operators used SEO marketing, warez distribution sites, and paid social media ads to drive traffic to their payloads.

Global Victimology & Impact

While the campaign’s infrastructure was Pakistan-centric, its victim base was global. The primary targets were individuals seeking pirated software — a demographic that often bypasses security warnings and disables antivirus software, making them high-risk.

CloudSEK estimates that with an average resale price of $0.47 per stolen credential log, the network’s total impact could extend to over 10 million victims worldwide.

Strategic Implications for Law Enforcement & Industry

This case demonstrates that major cybercrime enterprises can — and do — operate in plain sight, using:

• Legitimate financial services (e.g., Payoneer, Bitcoin exchanges with weak KYC).
• Public-facing marketing tactics (SEO, Facebook ads, community forum posts).
• Persistent infrastructure capable of surviving takedowns for years.

CloudSEK recommends a multi-pronged disruption strategy combining:

• Domain takedowns targeting the 383 long-haul sites.
• Financial interdiction in collaboration with Payoneer and other processors.
• Search engine de-indexing of warez sites hosting malware.
• User education campaigns warning about cracked software risks.
   

Download the Full Report

The complete investigation, including detailed Indicators of Compromise (IOCs), infrastructure mapping, and payment analysis, is available here: Download Full Report

CloudSEK’s latest threat intelligence report, Silicon Under Siege: The Cyber War Reshaping the Global Semiconductor Industry, uncovers a rapidly escalating cyber threat landscape targeting the semiconductor sector – the digital backbone of modern civilization.

Powering everything from AI and defence systems to smartphones, clean energy, and healthcare, semiconductors have become both a strategic asset and a prime cyber target. The research reveals that nation-state-backed groups, ransomware operators, and hacktivists are waging a silent but highly coordinated cyber war — one that threatens economies, disrupts global supply chains, and risks the very foundation of critical infrastructure.

CloudSEK’s proof-of-concept showed how AI can be harnessed to design and embed hardware Trojans at the pre-design stage of a chip. Even a simple AI-generated implant can evade detection and, once manufactured, lie dormant for years until triggered – leaking sensitive data, falsifying outputs, or halting operations. More advanced AI-driven designs could tailor Trojans to bypass specific security checks, adapt to different architectures, and remain invisible across multiple verification stages, making them potent tools for espionage or sabotage in the semiconductor supply chain.

Key Findings from the CloudSEK Report

• Attack volume up sixfold since 2022 — Driven by espionage, supply-chain compromises, and state-sponsored campaigns.
• $1.05 billion in ransomware-related losses since 2018 — Including ransom payments, downtime, and recovery costs, crippling semiconductor operations worldwide.
• IT as initial attack vector — Over 60% of ICS breaches begin with IT (phishing, VPN exploits, CVEs, exposed interfaces and misconfigurations, default or leaked/compromised credentials, etc.) before pivoting to OT.
• Massive infrastructure exposure — The U.S. alone has ~2 million publicly reachable ICS assets linked to semiconductor operations, many potentially with weak or default controls.
• Massive Middle East ICS exposure — Across the Middle East, publicly reachable ICS & OT assets tied to semiconductor-linked manufacturing and potentially critical oil, gas, and industrial operations remain exposed: UAE (~12.1K), Turkey (~10.8K), Saudi Arabia (~4.8K), Iran (~4.6K), Bahrain (~2.4K), and Qatar (~400), with potential vulnerabilities stemming from weak authentication, misconfigurations, and outdated protocols.
• High-value espionage incidents — In July 2025, China-backed APT41 infiltrated multiple Taiwanese semiconductor companies via a compromised software update, stealing proprietary chip designs and process data.
• Pre-silicon hardware Trojans — CloudSEK’s proof-of-concept AI-generated Trojan can remain dormant until triggered, leaking cryptographic keys while evading standard tests.
• Single vendor compromise cascading into global disruption — The 2023 MKS Instruments ransomware breach caused an estimated $250M in losses to Applied Materials in one quarter. 
   

Geopolitics and the “Silicon Cold War”

The semiconductor race has become a strategic flashpoint in the global balance of power, with cyber espionage campaigns, supply chain intrusions, and state-backed sabotage now central to the contest:

• China — investing $150+ billion to achieve chip self-sufficiency and reduce reliance on Western tech.
• U.S. — committed $52 billion via the CHIPS Act to reshore manufacturing and secure supply chains.
• India — investing $10 billion in its semiconductor mission, aiming for a $100 billion market by 2030.
• Taiwan — produces over 60% of the world’s advanced chips, making it a critical node in the global tech ecosystem.
• Europe — facing converging geopolitical and infrastructure risks, as exemplified by a SCADA compromise of a Ukrainian power substation during the Russia–Ukraine conflict that used OT-aware malware to issue malicious control commands.

State-sponsored Advanced Persistent Threats (APTs) such as APT41, Volt Typhoon, PlushDaemon, etc. are embedding themselves in software pipelines, EDA tools, and factory operations, shifting from mere data theft to long-term disruption strategies that can cripple production during geopolitical flashpoints.

Notable Campaigns and Case Studies

Historic Incidents

The semiconductor industry’s cyber risk is not new. Landmark events such as the 2010 Stuxnet sabotage of Iran’s Natanz facility, the 2018 TSMC WannaCry infection that halted iPhone chip production, and other high-profile attacks have long demonstrated the destructive potential of cyber threats to semiconductor-driven critical infrastructure.

Real-World Incidents Highlighting IT–OT Interdependencies

• Aliquippa Water Authority Breach (Nov 2023) — Default HMI credentials exposed Unitronics PLCs, demonstrating how simple IT misconfigurations can compromise industrial controls.
• UNC5221 VPN Exploitation (2025) — State-affiliated actors exploited CVE-2025-22457 in ICS VPN appliances to pivot into OT networks, spotlighting VPNs as critical OT entry points.
• Infostealer Malware Targeting Defense Contractors (Feb 2025) — Commodity stealers harvested credentials that could be used to access corporate VPNs and OT management interfaces.
• Medusa Ransomware Campaigns (2021–2025) — Active RaaS operations targeting legacy ICS/SCADA systems in manufacturing and supply chains, often combining encryption with IP extortion.
• Microchip Technology Breach (Aug 2024) — IT system compromise disrupted multiple facilities, causing ~$21M in losses and halting connected OT functions.
   

Emerging Threat Patterns Identified by CloudSEK

• Supply Chain Attacks — Targeting trusted vendors, software updates, and outsourced design services.
• Pre-silicon Design Compromise — Embedding hardware Trojans directly into chip designs during the design phase, remaining dormant and undetectable until after manufacturing.
• IT–OT Convergence Risks — Misconfigured SCADA dashboards, HMIs, and cleanroom controllers now searchable online, enabling attackers to “log in” rather than hack in.
• Ransomware with IP Extortion — Exfiltrating proprietary designs to pressure payments from both chipmakers and dependent industries.

CloudSEK’s Strategic Recommendations for the Semiconductor Sector

1. Isolate IT and OT Networks — Prevent lateral movement between corporate IT and manufacturing systems.
2. Secure-by-Design Practices — Implement RTL integrity checks, formal logic verification, and traceable SBOMs for third-party IP.
3. Continuous Attack Surface Monitoring — Detect exposed assets, leaked credentials, and unpatched CVEs before attackers exploit them.
4. Vendor Risk Management — Enforce stringent security requirements for all suppliers and third-party service providers.
5. Global Threat Intelligence Sharing — Collaborate across borders to detect and neutralize state-sponsored campaigns before they escalate.

CloudSEK’s BeVigil and XVigil platforms deliver real-time visibility into exposed IT/OT assets on the Internet, map vulnerable vendor ecosystems, and track emerging threat actor infrastructure, enabling chipmakers and suppliers to act before vulnerabilities become permanent features of the global tech landscape.

Full report available here: https://www.cloudsek.com/whitepapers-reports/silicon-under-siege-the-cyber-war-reshaping-the-global-semiconductor-industry  

CloudSEK’s latest threat intelligence report reveals a sophisticated ransomware campaign leveraging fake ClickFix-themed verification pages to distribute Epsilon Red malware.

Threat actors are impersonating platforms like Discord, Twitch, and OnlyFans to trick users into downloading .HTA files. These payloads silently execute ransomware via browser-based ActiveX abuse—bypassing standard security measures and putting global users at risk.

Key Highlights:

• Active campaign observed in July 2025
• Abuse of social engineering and brand impersonation
• Infrastructure linked to multiple fake domains and IPs
• Epsilon Red ransom notes bear stylistic resemblance to REvil, though the malware is distinct
• Final-stage deployment of Epsilon Red ransomware
   

Full report available here:
🔗 https://www.cloudsek.com/blog/threat-actors-lure-victims-into-downloading-hta-files-using-clickfix-to-spread-epsilon-red-ransomware

CloudSEK has released a groundbreaking whitepaper uncovering a sophisticated network of Chinese-operated illegal payment gateways exploiting India’s digital banking infrastructure. 

The report, titled Chinese-Operated Illegal Payment Gateways Exploiting & Laundering in the Indian Financial Network, reveals how transnational criminal syndicates are orchestrating a multi-billion-dollar shadow economy, laundering funds through illicit gateways that facilitate illegal gambling, Ponzi schemes, predatory lending, and digital fraud.

A Parallel Financial Ecosystem Threatening India’s Economy

India’s rapid digital transformation, powered by the Unified Payments Interface (UPI), has revolutionized financial access but also created vulnerabilities. CloudSEK’s research exposes how Chinese-led syndicates are exploiting these gaps, operating illegal payment gateways that bypass Reserve Bank of India (RBI) regulations. 

These gateways serve as the financial backbone for illicit operations, facilitating the movement of tainted money through a web of “mule” bank accounts to obscure its origins before exfiltrating it via cryptocurrency or hawala networks. (For More Information, Download Full Report)

Key findings include:

• Massive Scale of Operations: A single fraudulent app analyzed by CloudSEK facilitated ₹166 crore in transactions across 398,675 transactions, involving 34,299 unique mule accounts in just 12 months. Extrapolating to an estimated 25 similar apps, the total laundered amount could reach ₹4,000–5,000 crore annually, with a daily volume of ₹10–15 crore.
• Sophisticated Mule Recruitment: Criminals target vulnerable Indians—unemployed youth, students, and rural communities—through fraudulent apps, face-to-face agents, and “work-from-home” OTP-sharing scams to harvest bank accounts. These accounts are then integrated into advanced dashboards for large-scale money laundering.
• Global Reach, Local Impact: 40+ countries involved in the illegal payment gateway network. The syndicates operate from Southeast Asia and the Mekong region, using mule accounts from India, Pakistan, Bangladesh, and beyond. Funds are laundered through dynamic UPI IDs, cryptocurrency (primarily USDT-Tether), and fake international trade, draining India’s economy and evading taxes.
• Diverse Illicit Clients: The gateways serve illegal gambling platforms (e.g., Aviator crash games), Ponzi schemes, predatory lending apps, fake stock trading platforms, and digital arrest scams, charging transaction fees of 3–10% based on the risk level of the funds.
• Tech-Enabled Deception: Over 100 Telegram channels promote these gateways, while YouTube tutorials with 37,200+ views guide fraudsters on integrating APIs. Shell companies pose as legitimate fintechs, using paid ads on Google, Facebook, and Instagram to whitewash their operations. (For More Information, Download Full Report)

Three-Tier Exploitation Model Uncovered

CloudSEK’s research identified three distinct categories of illegal payment gateway clients, each charged different fees based on risk levels:

1. Gaming & Gambling Platforms (5% deposit, 3% withdrawal fees) – Including illegal casinos and betting apps like crash games
2. Ponzi & Investment Schemes (7-8% deposit, 4-5% withdrawal fees) – Fake investment platforms promising unrealistic returns
3. Mixed Scam Operations (10% deposit, 10% withdrawal fees) – Multi-source fraud including loan scams and crypto doubling schemes

The syndicates employ multiple recruitment strategies to acquire Indian bank accounts, including fraudulent mobile applications that request banking credentials and intercept OTP messages, face-to-face agents who target vulnerable populations with cash payments, and “work-from-home” schemes where individuals unknowingly serve as human OTP relays.

Technical Sophistication Rivals Legitimate Services

The illegal gateways operate with remarkable technical sophistication, featuring dynamic UPI infrastructure that generates unique QR codes for each transaction, full API integration allowing automated fund collection, global wallet access enabling multi-currency transactions, and comprehensive monitoring dashboards for real-time transaction management.

Once funds are collected, they undergo a complex layering process across 7-10 different mule accounts within minutes, making detection and tracing extremely difficult. The final stage involves exfiltrating laundered funds from India through cryptocurrency purchases, traditional hawala networks, or trade-based money laundering schemes.

Real-World Consequences for India

The implications of these findings are profound:

• Economic Drain: The shadow economy siphons billions of rupees annually, weakening the Indian Rupee and depriving the government of tax revenue.
• Financial System Integrity: The volume of fraudulent transactions overwhelms bank fraud detection systems, eroding public trust in digital payments.
• Social Harm: Indian citizens are doubly victimized—first as targets of scams and then as unwitting money mules facing frozen accounts or legal repercussions.
• National Security Risks: The infrastructure could fund activities against India’s interests, while massive data collection by fraudulent apps poses espionage risks.

Law enforcement actions validate CloudSEK’s findings: 

• Hyderabad Police (2022): Uncovered ₹700+ crore money laundering operation with Chinese nationals operating from Dubai
• Enforcement Directorate (2022-2023): Froze hundreds of crores across multiple investigations into predatory loan and gambling apps
• Odisha EOW (2023): Revealed over 1,000 mule accounts used to launder ₹1,000+ crore from cyber-scams

The shadow banking system poses significant threats to India’s economic sovereignty, financial system integrity, and national security while victimizing countless citizens who become unwitting money mules.

We have already reported a total of ~47,000 mule accounts to both Public and Private sector banks since we began extracting and analyzing data from illicit mobile applications. These accounts collectively represent a transaction volume of around ₹250 crore. (For More Information, Download Full Report)

A Call to Action

CloudSEK urges immediate, coordinated action to dismantle these networks:

• Banks and Fintechs: Deploy AI-powered monitoring to detect mule account patterns and strengthen KYC for corporate accounts.
• Regulators: Enforce stricter fintech oversight and issue clear guidelines on mule account liability.
• Law Enforcement: Build specialized cyber-financial crime units and pursue international cooperation to target syndicate leaders.
• Tech Platforms: Enhance app vetting on Google and Apple stores to block fraudulent apps.
• Public Awareness: Launch nationwide campaigns to educate citizens about the risks of sharing OTPs or “renting” bank accounts, emphasizing that acting as a money mule is a serious crime.

CloudSEK’s Commitment to Cybersecurity

“These illegal payment gateways are not just financial crimes; they’re a direct attack on India’s digital economy and citizen trust, Our research arms stakeholders with actionable intelligence to disrupt these networks and protect India’s financial sovereignty,” said Mayank Sahariya, Cyber Threat Analyst at CloudSEK.

“Financial institutions, regulators, and law enforcement agencies must move beyond reactive measures to proactive, intelligence-driven strategies. The window for action is narrowing as these networks continue to expand and sophisticate their operations,” Mayank Sahariya added.

CloudSEK continues to monitor these criminal networks and provide actionable intelligence to help financial institutions, regulators, and law enforcement agencies protect India’s digital economy and financial sovereignty.

CloudSEK has raised $19 million across its Series A2 and B1 funding rounds. The round included participation from a mix of India- and US-based investors, such as MassMutual Ventures, Inflexor Ventures, Prana Ventures, Tenacity Ventures, and select strategic investors, including Commvault. Notably, Meeran Family (founders of Eastern Group), StartupXSeed, Neon Fund and Exfinity Ventures are among CloudSEK’s earlier backers and continue to support the company’s long-term vision.

Founded in 2015 by cybersecurity researcher-turned-entrepreneur Rahul Sasi, CloudSEK was created with a mission to build a safer digital future by proactively predicting and mitigating cyber threats. What began as a research-driven initiative has since evolved into one of the industry’s most trusted threat intelligence platforms—serving 250+ enterprises across banking, healthcare, technology, and the public sector.

The newly raised capital will fuel CloudSEK’s continued product innovation and global expansion, with a focus on advancing its AI models and platform integrations. Unlike traditional tools that respond after an incident, CloudSEK identifies Initial Attack Vectors (IAVs)—the earliest signs of a potential breach, such as leaked credentials, exposed APIs, or compromised vendors.

CloudSEK’s differentiated approach has resonated globally, earning the company a 4.8-star rating on Gartner Peer Insights across 195 reviews, making it one of the most recommended vendors in the cybersecurity space.

With this funding and a strategic investor on board, CloudSEK is doubling down on its vision to make predictive threat intelligence a global cybersecurity standard for —empowering organizations to stay ahead of increasingly sophisticated threat actors.

CloudSEK’s security researchers have uncovered a sophisticated malware campaign using fake PDF-to-DOCX conversion tools to infect unsuspecting users with a powerful information stealer. This comes just weeks after the FBI’s Denver office issued a public alert warning of malicious online file converters being leveraged to deliver malware.

The report reveals how cybercriminals have crafted deceptive websites, such as candyxpdf[.]com and candyconverterpdf[.]com, that meticulously mimic the legitimate pdfcandy.com service. 

These fraudulent platforms lure users into executing a malicious PowerShell command, initiating a complex infection chain that delivers malware capable of stealing sensitive data, including browser credentials, cryptocurrency wallets, and other personal information. 

A Sophisticated Blend of Deception and Technology

The campaign employs advanced social engineering to exploit users’ trust. Victims uploading a PDF for conversion encounter a fake processing animation, followed by an unexpected CAPTCHA prompt designed to enhance the site’s perceived legitimacy and rush users into action. This leads to instructions to run a PowerShell command, which triggers a redirection chain through domains like bind-new-connect[.]click, ultimately delivering a malicious “adobe.zip” payload. The archive contains “audiobit[.]exe,” which leverages legitimate Windows tools like MSBuild[.]exe to deploy Arechclient2. (Read Full Report, For More Information)

“This campaign highlights how cybercriminals exploit everyday digital tools. By combining psychological manipulation with technical sophistication, these attackers turn routine tasks like file conversion into opportunities for data theft. Our research aims to equip individuals and organizations with the knowledge to stay safe,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

The scale of this threat becomes clear when considering the popularity of the legitimate PDFCandy.com, which attracts approximately 2.8 million monthly visits. Notably, India represents the largest segment of its user base, accounting for 19.07% or roughly 533,960 monthly visitors. This substantial audience provides a vast pool of potential victims for the threat actors behind this malicious campaign. While the fraudulent sites, candyxpdf[.]com and candyconverterpdf[.]com, saw approximately 2,300 and 4,100 visits respectively in March 2025, these numbers demonstrate active exploitation of the impersonated service’s popularity.

How the Attack Works

• Spoofed Websites: Domains like candyxpdf[.]com and candyconverterpdf[.]com imitate the real PDFCandy website.
   
• Deceptive Flow: Fake file conversion followed by a CAPTCHA prompt creates trust and urgency.
   
• Malware Trigger: Users are prompted to run a PowerShell command, leading to the download of a malicious ZIP file masquerading as a legitimate Adobe resource.
   
• Payload Execution: The ZIP contains audiobit.exe, which executes via MSBuild.exe – a legitimate Windows utility weaponized to run ArechClient2. (Read Full Report, For More Information)
   

CloudSEK’s technical analysis traced the malware delivery chain through multiple redirections, eventually landing on a known malicious domain (bind-new-connect[.]click) to deliver the payload. The attacker’s infrastructure, command chain, and payload hashes are included in the full report.

Wider Implications

This campaign demonstrates a growing trend where attackers prey on routine digital activities—like file conversion—to compromise systems. Given the increasing use of online converters in corporate and personal workflows, this type of attack has wide-ranging implications for cybersecurity hygiene.

Protecting Against the Threat

CloudSEK’s report provides actionable recommendations to safeguard individuals and organizations:

• Stick to Trusted Tools: Use reputable file conversion services from official websites and avoid unverified “free” converters.
• Strengthen Technical Defenses: Keep antivirus software updated, deploy endpoint detection and response (EDR) solutions, and use DNS filtering to block malicious domains.
• Educate Users: Train employees to recognize red flags, such as suspicious URLs, unexpected CAPTCHAs, or prompts to run command-line instructions.
• Incident Response: Isolate compromised devices, change passwords from a clean device, and report incidents to authorities promptly.
• Offline Alternatives: Consider offline conversion tools to avoid uploading sensitive files to remote servers.

A Call to Vigilance

As online file converters remain a staple in digital workflows, this campaign underscores the need for heightened awareness. “As threat actors become more creative with their tactics, cybersecurity must evolve to prioritize behavior-based detection, user awareness, and zero-trust principles. Organizations should invest in robust endpoint security, DNS filtering, and employee training. Most importantly, we need to reduce reliance on unknown web-based tools and encourage the use of secure, offline alternatives for tasks like file conversion,” said Varun Ajmera, Threat Intelligence Researcher, CloudSEK.

About CloudSEK: CloudSEK is a contextual AI company that predicts Cyber Threats. Our Cloud SaaS platform constantly seeks security solutions for our customers’ digital risks.
To learn more about how CloudSEK can strengthen your external security posture and deliver value from Day One, visit https://cloudsek.com or drop a note to info@cloudsek.com.