- Malware disguised as cracked software infected millions of devices thanks to manipulated search results
- Affiliates in a pay-per-install network turned software piracy into a global cybercrime business
- The attackers accidentally exposed their operation after being infected with the same malware
Pakistani cybercriminals have been linked to an operation that distributed infostealer malware disguised as cracked software, amassing millions of dollars over five years.
A CloudSEK report says the network, traced mainly to Bahawalpur and Faisalabad, operated like a multi-level marketing scheme, except that the product was malicious code.
The group lured victims by poisoning search engine results (SEO poisoning) and by posting on forums that advertise pirated programs such as Adobe After Effects and Internet Download Manager.
Disposable domains masked the real source of the malware
These posts redirected users to malicious WordPress sites, where malware such as Lumma Stealer, Meta Stealer and AMOS was packaged inside password-protected archives.
The financial backbone of the operation was a pair of pay-per-install (PPI) networks: InstallBank and SpaxMedia, the latter later rebranded.
Affiliates were paid for each successful malware install or download, with more than 5,200 members operating at least 3,500 sites.
Tracked revenue exceeds $4 million, with payouts made mainly via Payoneer and Bitcoin.
The scale was significant, with records indicating 449 million clicks and more than 1.88 million installs over the documented period.
The campaign took a turn when the attackers themselves were infected with the infostealer malware, exposing credentials, communications and backend access to their own PPI systems.
This leak revealed strong indications of family involvement, with recurring surnames and shared accounts appearing throughout the infrastructure.
The group shifted strategy over time, moving from install-based tracking in 2020 to download-focused metrics in recent years, a change that may have been aimed at evading detection or adapting to new monetization methods.
Long-lived sites proved the most profitable, with a small fraction of domains generating the majority of installs and revenue.
Short-lived disposable domains were also used to separate the initial infection source from the final payload delivery.
This highlights the risks of pirated software, which often serves as an initial delivery vector for such malware.
How to stay safe
- Avoid downloading cracked or pirated software, as it is a common method of delivering infostealer malware.
- Use legitimate software sources such as official developer websites and trusted distribution platforms.
- Keep security suites updated so they can detect and block known threats before they execute.
- Configure a firewall to prevent malicious programs from communicating with remote servers.
- Enable multi-factor authentication so that stolen passwords alone cannot grant account access.
- Regularly monitor bank accounts, email and online accounts for signs of identity theft.
- Back up important data to secure offline storage or the cloud to allow recovery after an attack.
- Stay informed about emerging cyber threats and suspicious activity in the field.
- Beware of offers of costly software for free, as they often carry hidden security risks.