The IT Nerd

CloudSEK’s threat intelligence team has just published an in-depth investigation into Gunra, a rapidly emerging Ransomware-as-a-Service (RaaS) operation that has formalized its affiliate recruitment on the dark web.

What makes this report significant is that their researchers successfully infiltrated the affiliate program, gaining access to:

• The live RaaS management panel
• Affiliate documentation (operator guide)
• A functional ransomware locker sample for full reverse engineering
   

Key findings include:

• Gunra operates a professionalized RaaS business model, lowering the barrier for cybercriminals through structured affiliate onboarding.
• The locker uses a ChaCha20 + RSA-4096 hybrid encryption model, making decryption cryptographically infeasible without attacker-controlled private keys.
• The malware executes fully offline, bypassing network-based detection during encryption.
• It implements multi-threaded parallel encryption, enabling rapid filesystem-wide impact within minutes.
• The ransomware performs surgical targeting, excluding system directories (C:\Windows, Program Files) to maintain operability and ensure ransom payment.
• Embedded Tor payment infrastructure and hardcoded credentials streamline victim-to-operator communication.
• Complete MITRE ATT&CK mapping and actionable IOCs are included for defenders.
   

This report provides rare insight into both the business infrastructure and technical core of a growing RaaS operation.

Full report: https://www.cloudsek.com/blog/inside-gunra-raas-from-affiliate-recruitment-on-the-dark-web-to-full-technical-dissection-of-their-locker 

CloudSEK’s latest threat intelligence report details a growing cross-border cryptocurrency investment scam ecosystem leveraging social messaging platforms and fake regulatory credentials to defraud unsuspecting investors.

The report documents how scam networks are impersonating financial regulators, investment firms, and compliance authorities across regions, using platforms such as WhatsApp and Telegram to build trust, lure victims into fraudulent crypto schemes, and move funds across borders. Our researchers analysed the infrastructure, social engineering tactics, and operational patterns behind these scams, highlighting how they are evolving beyond isolated fraud cases into organised, repeatable crime models.

Key insights from the report include:

• How fake regulatory identities and compliance documents are used to create legitimacy
• The role of social messaging channels in scaling investor scams quickly across geographies
• Indicators that link these operations to coordinated, cross-border fraud networks

Given the rising impact of crypto-related fraud on retail investors and the renewed regulatory focus on digital asset scams, we believe these findings may be relevant for your coverage on cybersecurity, financial crime, or consumer protection.

You can read the full report here: https://www.cloudsek.com/blog/cross-border-cryptocurrency-investment-scam-leveraging-social-messaging-channels-and-fake-regulatory-credentials 

CloudSEK’s Global Threat Intelligence team has just uncovered a massive, evolving fraud operation targeting Canadian citizens through highly sophisticated impersonations of government services, Canada Post, and Air Canada. This isn’t your typical phishing scam – it’s a coordinated, multi-layered attack that’s exploiting the trust Canadians place in their public institutions.

Here’s what makes this urgent:

• 70+ fake domains impersonating canada.ca traffic portals discovered on shared infrastructur
• Threat actors are selling ready-made phishing kits on dark web forums for as little as $200-$300
• The operation targets every major Canadian province – BC (PayBC), Ontario (ServiceOntario), Quebec, and beyond
• Victims are losing banking credentials, credit card data, and Interac e-Transfer access
• The “PayTool” group has evolved from simple scams to mimicking entire government payment ecosystems

What’s particularly alarming is the sophistication: victims aren’t immediately asked for payment. Instead, they are walked through a “validation phase” requesting ticket numbers or booking references – building false trust before harvesting financial data through fake payment gateways that perfectly mimic legitimate processors.

The report reveals how this Phishing-as-a-Service model is democratizing fraud, with underground forums showing threat actors actively selling Ontario driver’s license phishing kits that claim to include “14 bank pages.”

This is a story with real public safety implications. As tax season approaches and travel increases, Canadians need to know how these scams operate and how to protect themselves.

Full technical report available here: https://www.cloudsek.com/blog/pivoting-from-paytool-tracking-various-frauds-and-e-crime-targeting-canada

 A new threat intelligence report from CloudSEK has been published. Their research team has uncovered how the MuddyWater APT group—a known state-linked threat actor—has significantly evolved its attack tooling by deploying a new Rust-based implant, which we’ve named “RustyWater.”

The report details an ongoing spear-phishing campaign targeting government, diplomatic, telecom, financial, and maritime organisations across the Middle East. What makes this campaign noteworthy is the group’s move away from its traditional PowerShell and VBS-based tools to a more stealthy, modular, and resilient Rust implant that enables long-term persistence and low-noise espionage—making detection and response far more challenging for defenders.

They break down both the technical mechanics and the broader security implications in a way that highlights why this evolution matters, especially for organisations relying on conventional security controls.

You can read the full report here:
https://www.cloudsek.com/blog/reborn-in-rust-muddywater-evolves-tooling-with-rustywater-implant

CloudSEK’s has published their latest research report highlighting an active and sophisticated phishing campaign targeting Indian users using income-tax themed lures.

Their analysis reveals how the Silver Fox threat actor is leveraging malicious ZIP and EXE files to deploy ValleyRAT, using techniques like process hollowing and abuse of trusted binaries to evade detection. The campaign is actively targeting individuals and organisations during the tax season, posing a serious risk to both personal and enterprise environments.

The report can be found here:  https://www.cloudsek.com/blog/silver-fox-targeting-india-using-tax-themed-phishing-lures

As millions of shoppers gear up for Black Friday and the holiday shopping season, CloudSEK, a global leader in AI-driven digital risk protection, has uncovered an alarming rise in fake online stores. 

The investigation reveals over 2,000 fraudulent holiday-themed e-commerce sites designed to exploit consumer trust by impersonating well-known retail brands, harvesting payment and personal data, and using aggressive urgency tactics – including recycled templates, fake social proof pop-ups, and typosquatted brand variations. This represents one of the most extensive seasonal fraud operations observed to date.

The research highlights two major phishing clusters:

• Cluster One: More than 750 interconnected potential fake storefronts, including over 170 Amazon-themed typosquatted domains alongside other potential retail mimicries. These sites use identical holiday templates with flipclock-style urgency timers, fake trust badges, and pop-ups simulating recent purchases along with usage of suspicious resources known for phishing and malware distribution. Payments are redirected to attacker-controlled shell checkout sites, facilitating stealthy financial theft.
• Cluster Two: Over 1,000 domains under the .shop TLD impersonating global brands such as Samsung, Jo Malone, Ray-Ban, Xiaomi, and others. This is indicated by observed phishing tactics of inducing urgency, false legitimacy, social engineering via fraudulent contact, along with misspellings etc. These sites replicate the same Black Friday/Cyber Monday template and fraudulent checkout process for financial fraud, indicating the use of a standardized phishing kit.

Researchers at CloudSEK have observed that these fake shops are likely promoted through short-lived social media ads, and SEO-optimised search results, along with possible propagation via WhatsApp and Telegram forwards, private deal communities, etc., increasing the risk that consumers encounter fraudulent sites before official brand pages.

Financial analysis shows these sites may potentially attract hundreds of visitors during narrow windows, convert 3-8% through urgency messaging, and generate $2,000–$12,000 per fraudulent store before takedown. 

Besides immediate financial loss, victims risk long-term identity theft from insecure data transmission. Brands face reputational damage, increased customer service burdens, and revenue loss from diverted sales.

Consumers should watch for warning signs such as unrealistic 70–90% discounts, flashy countdown timers, misspelt brand names in URLs, fake trust badges, suspicious checkout redirects, absence of official customer support contact, other misleading tactics, and repetitive templated layouts across multiple similar online storefronts. Shoppers are advised to navigate only to official brand websites or apps and retailers that don’t contain obvious potential indicators of an overall coordinated phishing campaign.

CloudSEK urges organisations in retail, electronics, beauty, and lifestyle sectors to monitor newly registered domains, track impersonation attempts, conduct social media scans for fraudulent promotions, and establish rapid takedown protocols.

Regulatory bodies and cybersecurity agencies can strengthen defenses by leveraging the WHOIS patterns, monitoring high-abuse ASNs and netblocks, partnering with ad networks to block scam ads, promoting public awareness campaigns, and enhancing coordination for swift scam cluster dismantling.

CloudSEK’s XVigil platform continuously monitors digital ecosystems for emerging threats, sharing intelligence to support timely mitigation. 

Note: References to third-party brands or company names in this report are solely for the purpose of illustrating observed impersonation or fraudulent activity conducted by threat actors. CloudSEK does not imply or suggest that any such third party is involved in, responsible for, or associated with the fraudulent activity.

Strengthening the UAE’s cybersecurity ecosystem, Seed Group, a company of The Private Office of Sheikh Saeed bin Ahmed Al Maktoum, has entered into a strategic partnership with CloudSEK, a leading AI-powered cybersecurity firm from India.

With this alliance, CloudSEK becomes part of Seed Group’s ecosystem of global innovators, marking a significant milestone for Indian-origin cybersecurity on the global stage. Founded in 2015 by threat researcher-turned-entrepreneur Rahul Sasi, CloudSEK is a leading AI-powered cyber threat intelligence platform focused on predicting and preventing cyber threats.

A Strategic Alliance for a Resilient Digital Future

Seed Group, recognised for catalysing the success of innovative businesses entering the UAE and GCC markets, will work with cyber threat intelligence firm CloudSEK to empower both public- and private-sector organisations with next-generation cyber risk-management capabilities.

This collaboration brings CloudSEK’s AI-powered Cyber Threat Intelligence technologies to the heart of the Middle East’s digital economy. The platform enables faster detection, contextual analysis, and mitigation of cyber threats before they escalate into incidents, offering a proactive approach to security.

As the UAE cements its position as a global hub for trade and innovation, the demand for advanced cybersecurity has never been higher. Through Seed Group’s deep regional insight and network, CloudSEK will address these needs with solutions that integrate threat intelligence, brand protection, attack-surface monitoring, and supply-chain security into a unified, intelligence-driven platform.

The Middle East cybersecurity market, valued at USD 16.75 billion in 2025, is projected to reach USD 26.04 billion by 2030, growing at a 9.2% CAGR. The region faces escalating threats, with the UAE alone confronting over 200,000 cyberattacks daily—34.9% targeting government entities, 21.3% financial firms, 14% energy sectors, and 11.6% insurance companies. The financial impact is severe: the average data breach cost in the Middle East reached USD 8.75 million in 2024, nearly 10% higher than in 2023, underscoring the urgent need for advanced, predictive cybersecurity solutions like those offered by CloudSEK.

CloudSEK’s approach goes beyond traditional detection and response. By continuously mapping an organisation’s external digital footprint, analysing vast data from open, deep, and dark-web sources, and delivering real-time, actionable intelligence, CloudSEK enables decision-makers to stay ahead of adversaries.

The company’s proprietary AI engine has proven its mettle by identifying and preventing large-scale data breaches for major financial institutions well ahead of an actual attack. By continuously analysing massive volumes of threat data across the digital ecosystem, CloudSEK delivers actionable intelligence across 170 use cases, offering comprehensive solutions in brand monitoring, digital risk protection, attack surface monitoring, and supply chain security. The top cyber threat intelligence cloud provider, CloudSEK, helps major companies around the world spot and address cyber threats to reduce risks to their operations, finances, and reputation.

Its technology helps enterprises and governments across the world mitigate risks, strengthen cyber-resilience, and build digital trust—protecting reputation, revenue, and operations in an era of borderless cyber threats.

A Global Vote of Confidence in Indian Cybersecurity

CloudSEK’s success highlights India’s evolution from a services-led technology hub to a global originator of cybersecurity innovation.

This partnership not only accelerates CloudSEK’s presence in the Middle East but also represents a broader trend: nations and enterprises worldwide are increasingly looking to Indian firms for sophisticated, scalable, and affordable cybersecurity intelligence.

CloudSEK, a leading cybersecurity firm, has exposed a sophisticated China-based operation selling high-quality counterfeit U.S. and Canadian driver’s licenses and Social Security Number (SSN) cards, posing a severe threat to national security, financial systems, and public trust.

The investigation, conducted by CloudSEK’s STRIKE team, uncovered a sprawling network of 83+ interconnected domains supported by 24/7 WeChat customer support, custom order flows, and multiple payment channels. Analysis of the exfiltrated database revealed over 6,500 counterfeit licenses sold to 4,500+ buyers, generating more than $785,000 in revenue. 

A Hidden Threat Undermining Trust

Counterfeit IDs aren’t just tools for underage drinking—they enable serious crimes, including illegal firearm purchases, SIM-swap fraud, large-scale logistics misuse, and even election interference. CloudSEK researchers confirmed that the IDs, priced as low as $65 in bulk, are fully scannable and replicate advanced security features such as holograms, UV markings, laser engraving, and relief printing, making them nearly indistinguishable from genuine documents.

“This isn’t just about fake IDs – this is about a systematic attack on the foundation of trust that underpins our financial, legal, and civic systems,” said Sourajeet Majumder, security researcher at CloudSEK STRIKE. “When a single counterfeit license can enable unauthorized drivers, bypass compliance checks, or facilitate smuggling, we’re looking at a genuine national security threat.”

Sophisticated Operations

The threat actor demonstrated remarkable sophistication:

• Shell E-commerce Sites: Transactions were routed through fake online stores (clothing, shoes, accessories) to mask payments via PayPal, LianLian Pay, and cryptocurrencies.
• Covert Packaging: IDs were shipped globally via FedEx, USPS, DHL, and Canada Post, hidden inside toys, purses, or layered cardboard with camouflage stickers to evade detection. Tutorial videos guided buyers on retrieving concealed IDs.
• Systemic Misuse: One buyer linked to two trucking companies with revoked U.S. operating authorities purchased 42 counterfeit commercial driver’s licenses—highlighting risks to transportation safety and regulatory integrity.
• High-Confidence Attribution: Through HUMINT and OSINT, CloudSEK pinpointed the actor’s exact geolocation in Xiamen, Fujian, China and obtained a facial image via webcam capture. 
   

Key Findings

• Massive Scale: Over 6,500 fake IDs sold, with dense clusters of buyers in New York, Pennsylvania, Florida, Georgia, Ontario, and British Columbia.
• Financial Footprint: $785,000+ generated through PayPal, LianLian Pay, Bitcoin, Ethereum, and Western Union.
• Age Analysis: Nearly 60% of buyers were above 25 years old, signaling intentions beyond casual misuse.
• Marketing Tactics: The network promoted IDs via Meta Ads, TikTok, Telegram, and YouTube, openly advertising uses like passing police checks, renting cars, or accessing benefits.
   

Real-World Consequences

The implications are far-reaching:

• National Security: Fake IDs can bypass airport, border, and law enforcement checks.
• Financial Fraud: Scannable IDs enable SIM swaps and account takeovers.
• Election Integrity: IDs can be exploited for mail-in ballot and voter registration fraud.
• Logistics & Trafficking Risks: Fake commercial driver’s licenses allow unlicensed operators to bypass U.S. Department of Transportation checks.
   

A Call to Action

CloudSEK urges urgent global action:

• Law Enforcement: Seize the 83+ domains and pursue legal action using attribution evidence.
• Courier Vigilance: Alert FedEx, USPS, and DHL to the covert packaging tactics.
• Payment Processors: Trace and freeze illicit accounts across PayPal, Western Union, and crypto platforms.
• Continuous Monitoring: Deploy threat intelligence platforms like CloudSEK’s XVigil for proactive detection.
   

For More Information, Read The Full Report

CloudSEK’s latest research reveals a novel cyber threat that exploits the trust users place in AI summarization tools, turning them into unintentional delivery mechanisms for ransomware.

The report, titled “Trusted My Summarizer, Now My Fridge Is Encrypted,“ demonstrates how attackers can use invisible prompt injection and prompt overdose techniques to manipulate AI-powered summarizers embedded in email clients, browsers, and productivity apps. By embedding malicious payloads in HTML with CSS-based obfuscation (such as white-on-white text, zero-width characters, and off-screen rendering), attackers can trick AI summarizers into reproducing ClickFix-style step-by-step ransomware instructions in their summaries.

Key Findings

• Invisible Prompt Injection: Attackers hide malicious text in HTML using CSS tricks, invisible to humans but fully interpretable to AI summarizers.
• Prompt Overdose: Payloads are repeated dozens of times, overwhelming the summarizer’s context window and ensuring attacker instructions dominate outputs.
• Weaponized Summarizers: When users rely on summarizers to triage content, the AI may unknowingly echo back attacker-controlled ransomware steps as trusted advice.
• Real-World Proof-of-Concept: CloudSEK successfully demonstrated how hidden payloads can instruct users to run Base64-encoded PowerShell commands simulating ransomware delivery.
• Amplified Social Engineering: Because instructions appear to come from a trusted AI assistant rather than an external actor, the likelihood of compliance is significantly higher. 

Potential Impact

1. Mass Amplification of Attacks — Summarizers in email previews, search snippets, and browser extensions could echo attacker payloads at scale.
2. Lower Barrier for Ransomware Execution — Even non-technical users could be tricked into executing ransomware payloads.
3. SEO-Driven Threat Multiplication — Poisoned blogs, forums, and indexed content could spread malicious instructions widely.
4. Enterprise Risks — Internal copilots and summarizers could inadvertently relay attacker steps into trusted business workflows.
5. Operational & Reputational Harm — Ransomware incidents delivered via trusted AI tools may cause higher compliance rates, longer downtimes, and financial losses.

Mitigation Strategies

CloudSEK recommends immediate defensive measures, including:

• Client-Side Sanitization — Strip suspicious CSS elements (opacity:0, zero-width, white-on-white) before processing.
• Prompt Filtering — Detect and neutralize hidden meta-instructions or excessive repetition.
• Payload Detection — Use heuristics to identify encoded commands and malicious patterns.
• User Awareness & Safeguards — Summarizers should indicate whether steps originate from visible or hidden content.
• Enterprise AI Policy Enforcement — Organizations must screen inbound HTML/documents for hidden text before ingestion.
   

Cybersecurity intelligence firm CloudSEK has uncovered one of the most extensive and profitable malware delivery operations in recent history — a Pakistan-based, family-linked network that has weaponized software piracy to launch infostealer attacks on millions of victims worldwide.

The investigation, published in CloudSEK’s latest report, “The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed“, offers an unprecedented inside look into how a sprawling network of operators, affiliates, and infrastructure turned cracked software demand into a multi-million-dollar cybercrime business.

From Pirated Software to Global Infections

The syndicate’s primary lure was Search Engine Optimization (SEO) poisoning and forum spam on legitimate online communities. By posting links to cracked versions of high-demand software — such as Adobe After Effects and Internet Download Manager (IDM) — they funneled unsuspecting users to a maze of malicious WordPress sites. 

These sites distributed commodity infostealers, including Lumma Stealer, Meta Stealer, and, more recently, AMOS, concealed inside password-protected archives to evade detection.

In addition to SEO and forum spam, the operators also ran paid ads through legitimate traffic services to drive even more users to their malicious domains. This allowed them to blend malicious activity with normal web marketing traffic, making detection and takedown far more difficult.

Once installed, the malware exfiltrated credentials, browser data, cryptocurrency wallets, and other sensitive information — data that was later monetized through resale and secondary fraud.

Meanwhile, ahead of India’s 79th Independence Day (August 2025), hacktivist groups and cybercriminals launched coordinated attacks targeting government, finance, and defense sectors. Fueled by the Pahalgam terror attack, threat actors from Pakistan, China, and others executed over 4,000 incidents, including phishing, fake websites, data breaches, and scams. APT groups like APT36 and APT41 deployed credential theft campaigns. Citizens are urged to stay alert and report suspicious activity.

CloudSEK’s research team has, in parallel, exposed an ongoing campaign by Pakistan targeting the Indian government and critical infrastructure ahead of Independence Day. Read the full analysis here: https://www.cloudsek.com/blog/cybersecurity-in-focus-recent-threats-targeting-india-amid-independence-day-celebrations

Key Findings from CloudSEK’s Investigation

Scale & Reach

• 5,239 registered affiliates operated 3,883 malware distribution sites.
• Generated 449 million clicks and 1.88 million documented installs over the observed period.
• Estimated lifetime revenue of $4.67 million, with actual earnings likely higher due to undocumented “off-ledger” settlements.

Financial Operations

• Between May and October 2020 alone, the network paid out $130,560.53 to affiliates at an average Effective Cost Per Install (eCPI) of $0.0693.
• Top affiliates captured over 45% of total payouts.
• Preferred payment method: Payoneer (67%), followed by Bitcoin (31%) — a rare case of cybercriminals leaning on traditional financial channels to disguise illicit activity.
   

Organizational Structure

• Operated primarily out of Bahawalpur and Faisalabad, Pakistan.
• Multiple operators shared the same family surname, suggesting a multi-generational, family-run cybercrime syndicate.
• Divided roles between primary operators (network management & finances), affiliates (traffic generation via warez sites), and financial facilitators (handling payouts and settlements).

Evolving Tactics

Shifted from “install-based” monetization in 2020 to download-focused campaigns by 2021, likely to evade detection.

Maintained 383 long-haul domains active for over a year, accounting for 85% of total installs, alongside hundreds of short-lived throwaway domains using disposable TLDs (.cfd, .lol, .cyou).

“The magnitude of this operation is staggering — 449 million clicks, millions of installs, and over 10 million potential victims whose personal data, credentials, and financial information have been stolen and sold. Beyond the numbers, the real damage is in the ripple effect: stolen credentials used for identity theft, online fraud, and corporate breaches,” Ravi added.

A Rare Breakthrough: When Hackers Get Hacked

The turning point in the investigation came when the operators themselves were infected with infostealer malware. Their own logs — containing admin credentials, payout histories, and internal communications — were exfiltrated and analyzed by CloudSEK’s TRIAD team.

This unique dataset provided:

• Full access to InstallBank’s backend, including SQLi vulnerabilities that revealed the affiliate ledger and payment history.
• Affiliate account credentials for the secondary network, SpaxMedia (later rebranded as Installstera), exposing payout dashboards, domain configurations, and marketing materials.
• Direct attribution linking multiple operators to specific domains, payment accounts, and social media profiles.

The Monetization Engine: Two PPI Networks

CloudSEK identified two interconnected Pay-Per-Install (PPI) networks at the core of the operation:

• InstallBank.com — Active since 2018, offline as of August 2025. Managed thousands of affiliates, with a highly lucrative payout structure.
• SpaxMedia → Installstera.com — Launched in 2022, briefly suspended in 2024, and relaunched in early 2025 using the same codebase and user base.

Together, these networks paid affiliates per successful malware installation or download. Operators used SEO marketing, warez distribution sites, and paid social media ads to drive traffic to their payloads.

Global Victimology & Impact

While the campaign’s infrastructure was Pakistan-centric, its victim base was global. The primary targets were individuals seeking pirated software — a demographic that often bypasses security warnings and disables antivirus software, making them high-risk.

CloudSEK estimates that with an average resale price of $0.47 per stolen credential log, the network’s total impact could extend to over 10 million victims worldwide.

Strategic Implications for Law Enforcement & Industry

This case demonstrates that major cybercrime enterprises can — and do — operate in plain sight, using:

• Legitimate financial services (e.g., Payoneer, Bitcoin exchanges with weak KYC).
• Public-facing marketing tactics (SEO, Facebook ads, community forum posts).
• Persistent infrastructure capable of surviving takedowns for years.

CloudSEK recommends a multi-pronged disruption strategy combining:

• Domain takedowns targeting the 383 long-haul sites.
• Financial interdiction in collaboration with Payoneer and other processors.
• Search engine de-indexing of warez sites hosting malware.
• User education campaigns warning about cracked software risks.
   

Download the Full Report

The complete investigation, including detailed Indicators of Compromise (IOCs), infrastructure mapping, and payment analysis, is available here: Download Full Report