CloudSEK exposes malware delivery network weaponising software piracy

CloudSEK has uncovered a Pakistan-based malware syndicate that weaponised pirated software downloads to spread infostealers worldwide. The report details how affiliates, family-linked operators and financial facilitators built a cybercrime business.

DQC Bureau

Cybersecurity intelligence firm CloudSEK has revealed details of a large-scale malware delivery operation traced to Pakistan. The investigation shows how a family-run syndicate exploited pirated software downloads to spread infostealers across the globe, targeting millions of unsuspecting users.


The findings are published in CloudSEK’s latest report The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed. The research highlights how the demand for cracked software was converted into a multimillion-dollar cybercrime business, involving affiliates, operators, and financial facilitators.

From pirated software to malware installs

The syndicate lured victims through Search Engine Optimisation (SEO) poisoning and forum spam. By advertising cracked versions of popular software, such as Adobe After Effects and Internet Download Manager, they redirected users to malicious WordPress sites. These sites hosted infostealers including Lumma Stealer, Meta Stealer and AMOS, often concealed in password-protected archives; because the contents of an encrypted archive cannot be scanned until the user supplies the password, this step defeats most download-time inspection.

Paid placements on legitimate traffic-selling services further increased reach, blending the malicious campaigns with ordinary online advertising. Once installed, the malware harvested credentials, browser history, cryptocurrency wallets and other sensitive data, which was later sold on criminal marketplaces.

Independence Day attacks intensify


Ahead of India’s 79th Independence Day in August 2025, hacktivist groups and advanced persistent threat (APT) actors were behind more than 4,000 cyber incidents targeting government, finance and defence institutions. Citing the Pahalgam terror attack as their motivation, groups from Pakistan and China, including APT36 and APT41, focused on credential theft and large-scale phishing campaigns. Authorities have urged citizens to remain vigilant and report suspicious online activity.

Key findings from CloudSEK

  • Scale and reach: 5,239 affiliates managed 3,883 malware sites, generating 449 million clicks and 1.88 million installs. Lifetime revenue is estimated at USD 4.67 million.

  • Financial operations: Between May and October 2020, USD 130,560 was paid out to affiliates. Payoneer was the preferred channel (67%), followed by Bitcoin (31%).

  • Organisational structure: Based mainly in Bahawalpur and Faisalabad, the operation appeared to involve multiple family members sharing the same surname.

  • Evolving tactics: The syndicate shifted from install-based to download-focused models in 2021 to reduce detection. They maintained 383 long-term domains, while hundreds of short-lived domains were cycled using lesser-known TLDs such as .cfd and .lol.
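The delivery pattern in the findings above (cracked-software lures, archive downloads, throwaway domains on lesser-known TLDs such as .cfd and .lol) can be turned into a simple triage check over web-proxy logs. The block below is an added example, not CloudSEK's code and not from the report: the log format, the sample lines, the hostnames and the helper names (`score`, `flag_downloads`, `WATCH_TLDS`) are all constructed for illustration, and the TLD watchlist is an assumption drawn only from the two TLDs the article names.

```python
"""Added example: triage proxy-log downloads against the cracked-software
delivery pattern (lure keywords + archive file + throwaway TLD).
All sample lines, hostnames and the watchlist below are constructed for
illustration; none come from the CloudSEK report."""
import re
from urllib.parse import urlsplit

# Assumption: the two TLDs the article names. Extend from your own telemetry.
WATCH_TLDS = {"cfd", "lol"}
LURE_WORDS = re.compile(
    r"(crack|keygen|patch|activat|full[-_ ]?version|free[-_ ]?download)", re.I
)
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z)$", re.I)

# Constructed sample lines: "<epoch> <client> <method> <url> <status>"
SAMPLE_LOG = """\
1726000001 10.0.0.5 GET https://updates.example.com/app/setup.msi 200
1726000002 10.0.0.7 GET https://dl-after-effects-crack.cfd/Adobe_After_Effects_2024_Crack.rar 200
1726000003 10.0.0.9 GET https://files.example.net/report.pdf 200
1726000004 10.0.0.7 GET https://idm-full-version.lol/IDM_keygen.zip 200
1726000005 10.0.0.11 GET https://mirror.example.org/archive/tools.zip 200
"""


def tld_of(host: str) -> str:
    """Last DNS label, lower-cased (good enough for a TLD watchlist)."""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def score(url: str) -> list[str]:
    """Return the indicators matched by one URL; empty list means nothing suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    filename = parts.path.rsplit("/", 1)[-1]
    hits = []
    if tld_of(host) in WATCH_TLDS:
        hits.append("watch-tld")
    if LURE_WORDS.search(host) or LURE_WORDS.search(filename):
        hits.append("lure-keyword")
    if ARCHIVE_EXT.search(filename):
        hits.append("archive")
    return hits


def flag_downloads(log_text: str, min_hits: int = 2) -> list[dict]:
    """Parse log lines and return those with at least min_hits indicators.
    Requiring two indicators keeps an ordinary .zip from a normal mirror
    (one indicator) out of the results while still catching lure + archive
    or lure + throwaway TLD combinations."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed lines rather than crash on them
        ts, client, _method, url, _status = fields[:5]
        hits = score(url)
        if len(hits) >= min_hits:
            flagged.append({"ts": ts, "client": client, "url": url, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for entry in flag_downloads(SAMPLE_LOG):
        print(entry["client"], entry["url"], ",".join(entry["indicators"]))
```

The scoring is deliberately additive rather than a single regex, so that a hit on a watch TLD alone (legitimate sites do exist on .lol) is not enough to page anyone; the threshold is the knob to tune once real false-positive rates are known.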

“This is not a small-time hacking group. It is an industrial-scale enterprise infecting millions of devices globally. By exploiting demand for pirated software, they have turned users into a steady revenue stream, generating millions of dollars,” said Nivya Ravi, Director of Products, CloudSEK.

When hackers became victims


A breakthrough in the investigation occurred when the operators themselves were infected with infostealer malware. Logs from their own devices exposed administrator credentials, affiliate ledgers, payment histories and internal communications. CloudSEK’s team was able to attribute individuals to domains, financial accounts and social media profiles, offering rare visibility into the workings of such networks.

Two pay-per-install networks formed the core of the monetisation engine: InstallBank, which has been offline since August 2025, and Installstera (previously SpaxMedia), relaunched earlier this year. These networks paid affiliates for every successful malware installation.

Global impact and implications

Although the infrastructure was Pakistan-centric, the victim base was global, consisting primarily of individuals downloading pirated software. CloudSEK estimates that the total number of victims could exceed 10 million, with stolen credential logs reselling at an average of USD 0.47 each.


“This investigation shows cybercrime no longer hides only in the dark web. It operates in plain sight, using SEO, legitimate payment processors and public forums. The scale and sophistication highlight the urgent need for coordinated, cross-border action,” Ravi added.

CloudSEK recommends a combined response, including domain takedowns, financial interdiction with Payoneer and Bitcoin exchanges, search engine de-indexing of malicious sites and user education campaigns warning against cracked software.
