Pakistani-based malware empire ‘punished’ software pirates with infostealers, earning millions of dollars in just five years – here’s how to stay safe

  • Malware disguised as cracked software infected millions of devices through manipulated search results
  • Affiliates in a pay-per-install network turned piracy into a global cybercrime business
  • Attackers accidentally exposed their operation after being infected by the same malware

Pakistani-based cybercriminals have been linked to an operation that distributed infostealer malware disguised as cracked software, amassing millions of dollars over five years.

Reports from CloudSek claim the network, traced primarily to Bahawalpur and Faisalabad, functioned like a multi-level sales model, except the product was malicious code.

The group lured victims through search engine optimization poisoning and forum posts advertising pirated programs such as Adobe After Effects and Internet Download Manager.

Disposable domains masked the real source of malware

These listings redirected users to malicious WordPress sites, where malware like Lumma Stealer, Meta Stealer, and AMOS was embedded within password-protected archives.

The financial backbone of the operation was a pair of Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia, later rebranded as Installstera.

Affiliates were paid for every successful malware install or download, with over 5,200 members operating at least 3,500 sites.

The tracked revenue exceeds $4 million, and payments were made primarily through Payoneer and Bitcoin.

The scale was large, with records showing 449 million clicks and more than 1.88 million installs during the documented period.

The campaign took a turn when the attackers themselves were infected by infostealer malware, exposing credentials, communications, and backend access to their own PPI systems.

This leak revealed strong indications of family involvement, with recurring surnames and shared accounts appearing throughout the infrastructure.

The group shifted strategy over time, moving from install-based tracking in 2020 to download-focused metrics in later years, a change that may have been aimed at evading detection or adapting to new monetization methods.

Long-running sites proved the most profitable, with a small fraction of domains generating the majority of installs and revenue.

Disposable domains with short lifespans were also used to distance the infection source from the final payload delivery.

This highlights the risks of pirated software, which often serves as the initial delivery method for such malware.

How to stay safe

  • Avoid downloading cracked or pirated software, as it is a common method for delivering infostealer malware.
  • Use legitimate software sources such as official developer websites and trusted distribution platforms.
  • Keep security suites updated to detect and block known threats before they execute.
  • Configure a firewall to prevent malicious programs from communicating with remote servers.
  • Enable multi-factor authentication so stolen passwords alone cannot grant account access.
  • Monitor bank, email, and online accounts regularly for signs of identity theft.
  • Back up important data to secure offline or cloud storage to allow recovery after an attack.
  • Stay informed about emerging cyber threats and suspicious domain activity.
  • Be wary of offers that provide expensive software for free, as they often carry hidden security risks.