- Malware disguised as cracked software infected millions of devices through manipulated search results
- Affiliates in a pay-per-install network turned piracy into a global cybercrime business
- Attackers accidentally exposed their operation after being infected by the same malware
Pakistan-based cybercriminals have been linked to an operation that distributed infostealer malware disguised as cracked software, collecting millions of dollars over five years.
Reports from CloudSEK say the network, primarily traced to Bahawalpur and Faisalabad, operated as a multi-level sales model, except that the product was malicious code.
The group lured victims through search engine optimization poisoning and forum posts advertising pirated programs such as Adobe After Effects and Internet Download Manager.
Disposable domains masked the real source of malware
Those listings redirected users to malicious WordPress sites where malware such as Lumma Stealer, Meta Stealer and AMOS was embedded in password-protected archives.
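Password-protected archives are used precisely because most download scanners cannot inspect their contents. A simple defensive check is to flag any archive whose entries carry the ZIP encryption flag before a user is allowed to open it. The following Python script is an added example, not code from the article or from the CloudSEK report: it reads the general-purpose flag bits that the ZIP format stores for every entry, and builds a constructed sample archive in memory (a harmless text blob named like an installer) so it runs offline.

```python
import io
import zipfile

# Bit 0 of the general-purpose flag field marks an entry as encrypted
# (PKWARE APPNOTE, general purpose bit flag).
ENCRYPTED_FLAG = 0x1


def encrypted_entries(data: bytes) -> list:
    """Return the names of all password-protected entries in a ZIP archive.

    Raises zipfile.BadZipFile if the bytes are not a valid archive.
    """
    names = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                names.append(info.filename)
    return names


def is_suspicious_download(data: bytes) -> bool:
    """Flag an archive that contains any encrypted entry.

    Non-ZIP input is not flagged here; a real download gateway would hand
    it to the scanners that can inspect it.
    """
    try:
        return bool(encrypted_entries(data))
    except zipfile.BadZipFile:
        return False


def build_sample(encrypted: bool) -> bytes:
    """Build a one-entry ZIP in memory for testing (constructed sample).

    zipfile cannot write encrypted entries, so the encryption flag is set by
    patching the flag field in both the local file header (offset 6) and the
    central directory record (offset 8). The entry body is plain text, not
    an executable.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.exe", b"placeholder content, not a real binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")     # local file header signature
        central = data.find(b"PK\x01\x02")   # central directory signature
        data[local + 6] |= ENCRYPTED_FLAG
        data[central + 8] |= ENCRYPTED_FLAG
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        sample = build_sample(flag)
        print(f"encrypted={flag}: suspicious={is_suspicious_download(sample)}",
              encrypted_entries(sample))
```

The check only reads metadata, so it runs before anything is extracted and does not need the password. It is deliberately narrow: an unflagged archive is not proven clean, it has merely been passed on to the tools that can look inside it.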
The financial backbone of the operation was a handful of pay-per-install (PPI) networks: Installbank and Spaxmedia, later operating as Installstera.
Affiliates were paid for every successful malware installation or download, with over 5,200 members operating at least 3,500 sites.
Tracked revenue exceeded $4 million, and payments were primarily made through Payoneer and Bitcoin.
The scale was large, with records showing 449 million clicks and more than 1.88 million installations over the documented period.
The campaign took a turn when the attackers were themselves infected by infostealer malware, which exposed credentials, communications and backend access to their own PPI systems.
This leak revealed strong indications of family involvement, with recurring surnames and shared accounts appearing throughout the infrastructure.
The group changed strategy over time, moving from installation-based tracking in 2020 to download-focused metrics in recent years, a change that may have been aimed at evading detection or adapting to new revenue methods.
Long-lived sites proved the most profitable, with a small fraction of domains generating most of the installations and revenue.
Short-lived disposable domains were also used to separate the source of infection from the final delivery of the payload.
This highlights the risk of pirated software, which often acts as the initial delivery method for such malware.
How to remain safe
- Avoid downloading cracked or pirated software, as it is a common delivery method for infostealer malware.
- Use legitimate software sources such as official developer sites and trusted distribution platforms.
- Keep security suites up to date to detect and block known threats before they execute.
- Configure a firewall to prevent malicious programs from communicating with remote servers.
- Enable multi-factor authentication so that stolen passwords alone cannot grant access to an account.
- Monitor bank, email and online accounts regularly for signs of identity theft.
- Back up important data to secure offline or cloud storage to allow recovery after an attack.
- Stay informed about new cyber threats and suspicious domain activity.
- Be wary of offers that provide expensive software for free, as they often carry hidden security risks.