Warning issued as new Pakistan-based malware group hits millions globally
Tempting people in with offers of pirated software, the network installs commodity infostealers, according to CloudSEK
Researchers at cybersecurity firm CloudSEK have issued a warning about a Pakistan-based malware syndicate carrying out infostealer attacks on millions of victims worldwide.
The group commands a sprawling network of operators, affiliates, and infrastructure, according to CloudSEK, adding up to a multi-million-dollar cyber crime business.
With many operators sharing the same family surname, researchers even suggested the group could be a multi-generational, family-run cyber crime outfit.
Their roles appear to be divided between primary operators, who handle network management and finances; affiliates, who generate traffic via warez sites; and financial facilitators, who handle payouts and settlements.
The group lures its victims in through Search Engine Optimization (SEO) poisoning and spam posted on legitimate online forums. Alongside this, the operators also ran paid ads through legitimate traffic services to drive even more users to malicious domains.
Blending malicious activity with normal web marketing traffic also made detection and takedown more difficult.
Links to cracked versions of high-demand software — such as Adobe After Effects and Internet Download Manager (IDM) — also led users to malicious WordPress sites.
“This investigation shows that cyber crime today is no longer a dark-web-only phenomenon," said Nivya Ravi, director of products at CloudSEK.
"It’s hiding in plain sight, using SEO, legitimate payment processors and publicly accessible forums, to operate with alarming efficiency."
The WordPress sites distributed commodity infostealers, including Lumma Stealer, Meta Stealer and, more recently, AMOS (Atomic macOS Stealer), all of which were concealed inside password-protected archives so that the payload could not be scanned before the user extracted it.
Once installed, the malware exfiltrated credentials, browser data, cryptocurrency wallets, and other sensitive information — data that was later monetized through resale and secondary fraud.
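The password-protected archive trick works because a scanner that cannot open an entry cannot see the executable inside it. The following is an added example, not code from the article or from CloudSEK, of the pre-extraction check a practitioner would run on such a download. It assumes a ZIP container (the article does not name the archive format), builds a constructed sample in memory that imitates a cracked-IDM lure, and reports whether the archive hides an executable-looking entry behind the ZIP "encrypted" flag. The entry names, the extension list and the verdict labels are assumptions.

```python
"""Added example (not from the article or CloudSEK): pre-extraction triage
of a ZIP download. A password-protected entry cannot be content-scanned, so
an archive that hides an executable-looking entry behind ZIP flag bit 0
('encrypted') is treated as a lure until proven otherwise."""
import io
import os
import zipfile

# Assumed list of extensions that usually mean "payload" in a crack archive.
PAYLOAD_EXTS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".dll", ".dmg", ".pkg", ".js", ".vbs"}


def build_sample_archive(encrypted: bool) -> bytes:
    """Constructed sample imitating a 'cracked IDM' download (names are made up).

    The stdlib cannot write ZipCrypto, so the encrypted variant is produced by
    setting general-purpose flag bit 0 by hand in every local file header
    (flags at offset 6) and central directory header (flags at offset 8).
    That bit is exactly what a scanner sees before it tries to read the entry.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("IDM_6.42_Crack/Setup.exe", b"MZ" + b"\x00" * 62)  # PE-looking stub
        zf.writestr("IDM_6.42_Crack/README.txt", b"run Setup.exe, password is 1234")
    raw = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            i = raw.find(sig)
            while i != -1:
                raw[i + flag_off] |= 0x01
                i = raw.find(sig, i + 4)
    return bytes(raw)


def triage_archive(raw: bytes) -> dict:
    """Inspect every entry without trusting its content.

    encrypted    - ZIP flag bit 0 is set (a password is needed to read it)
    readable     - zipfile could actually open it without a password
    payload_like - executable extension, or a PE 'MZ' header on readable entries
    """
    entries = []
    with zipfile.ZipFile(io.BytesIO(raw)) as zf:
        for zi in zf.infolist():
            if zi.is_dir():
                continue
            encrypted = bool(zi.flag_bits & 0x01)
            head = b""
            readable = True
            try:
                with zf.open(zi) as fh:  # raises RuntimeError when a password is required
                    head = fh.read(2)
            except RuntimeError:
                readable = False
            ext = os.path.splitext(zi.filename)[1].lower()
            entries.append({
                "name": zi.filename,
                "size": zi.file_size,
                "encrypted": encrypted,
                "readable": readable,
                "payload_like": ext in PAYLOAD_EXTS or head == b"MZ",
            })

    if any(e["encrypted"] and e["payload_like"] for e in entries):
        verdict = "hidden-payload"  # executable that no content scanner can look inside
    elif any(e["encrypted"] for e in entries):
        verdict = "encrypted"       # opaque, but nothing obviously executable by name
    else:
        verdict = "scannable"       # hand payload-like entries to the AV/sandbox as usual
    return {"verdict": verdict, "entries": entries}


if __name__ == "__main__":
    for flag in (True, False):
        report = triage_archive(build_sample_archive(flag))
        print(f"encrypted={flag}: verdict={report['verdict']}")
        for e in report["entries"]:
            print("   ", e)
```

The point of keeping `encrypted` and `readable` as separate fields is that the flag alone is what an upstream scanner keys on, while the failed `open` confirms that nothing downstream (sandbox, YARA, AV) will get to look at the bytes either; an archive whose only executable-looking entry is in that state has no legitimate reason to be delivered that way from a warez site. RAR and 7z lures need the same check against their own header flags, which this example does not cover.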
A sprawling malware network
The CloudSEK research revealed that the network involved 5,239 registered affiliates operating 3,883 malware distribution sites. Its lifetime revenue is estimated at no less than $4.67 million, and may well be higher because of undocumented 'off-ledger' settlements that the researchers could not count.
Between May and October 2020 alone, the network paid out $130,560 to affiliates at an average Effective Cost Per Install (eCPI) of $0.0693. Payments were made via Payoneer in two-thirds of cases, with Bitcoin accounting for almost all the rest.
CloudSEK believes that the network may have hit 10 million victims worldwide.
"This is not a small-time hacking group — it’s an industrial-scale cybercrime enterprise that has been operating for years, infecting millions of devices across the globe," said Ravi.
"By hijacking the demand for pirated software, they have turned unsuspecting users into a steady revenue stream."
The group launched a large campaign ahead of India's Independence Day this month, with coordinated attacks targeting the government, finance and defense sectors that included phishing, fake websites, data breaches, and scams.
CloudSEK recommends a multi-pronged disruption strategy combining domain takedowns targeting the 383 long-running ('long-haul') distribution sites with a financial ban imposed in collaboration with Payoneer and other payment processors.
It also urged search engines to de-index the warez sites hosting malware, and called for user education campaigns warning about the risks of cracked software.
"The scale and sophistication of this network underscore the urgent need for coordinated, cross-border action to dismantle such operations before they cause irreversible damage to individuals, businesses, and critical infrastructure,” said Ravi.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
