A Pakistan-based cybercrime network has been linked to one of the largest and most profitable malware delivery operations uncovered in recent years, according to new research by cybersecurity intelligence company CloudSEK.
The group, allegedly run by individuals connected through family ties in Bahawalpur and Faisalabad, is accused of exploiting demand for pirated software to distribute credential-stealing malware to millions of devices worldwide, the report highlighted.
CloudSEK’s report, The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed, details how the syndicate used search engine optimisation (SEO) poisoning, forum spam, and paid advertising to push cracked versions of popular software, including Adobe After Effects and Internet Download Manager, via malicious WordPress sites. The sites concealed malware such as Lumma Stealer, Meta Stealer, and AMOS inside password-protected archives.
The operation is believed to have involved 5,239 registered affiliates and nearly 3,900 distribution sites, generating 449 million clicks and more than 1.88 million recorded installs. CloudSEK estimates the network’s tracked revenue at $4.67 million, though the actual figure is likely higher due to unrecorded transactions.
Payment records indicate affiliates were compensated via Payoneer (67 per cent) and Bitcoin (31 per cent), with the top earners taking in almost half of all payouts. In 2020 alone, more than $130,000 was paid to participants over a five-month period.
Investigators linked the operation to two interconnected pay-per-install networks, InstallBank.com, active from 2018 until this month, and SpaxMedia, later rebranded as Installstera.com. The campaign maintained hundreds of long-term domains alongside disposable short-lived addresses to evade takedowns.
Reportedly, a significant breakthrough occurred when the operators themselves were compromised by infostealer malware, revealing internal credentials, payment histories, and links between individuals, domains, and financial accounts.
CloudSEK’s findings also coincide with a spike in cyberattacks on Indian government bodies and critical infrastructure in the run-up to the country’s 79th Independence Day on 15 August 2025. According to the company’s parallel investigation, more than 4,000 incidents were recorded in the weeks before the celebrations, targeting sectors such as defence, finance, and administration. The surge followed heightened tensions after the Pahalgam terror attack.
Threat actors from Pakistan, China, and other countries are reported to have engaged in coordinated campaigns involving phishing emails, fraudulent websites, data breaches, and large-scale scams. Advanced Persistent Threat (APT) groups, including Pakistan-linked APT36 and China-based APT41, deployed credential theft operations aimed at harvesting sensitive government and corporate data.
Authorities have warned citizens to be vigilant and to report suspicious activity, as attackers have been using methods such as spoofed domains, fake mobile applications, and social engineering schemes to lure victims. The timing of the attacks indicates a strategic intent to cause disruption during a national event.
CloudSEK notes that the syndicate’s use of legitimate payment services, mainstream advertising channels, and public-facing forums demonstrates how such large-scale operations can function openly. It recommends targeted domain seizures, financial disruption in cooperation with payment processors, search engine de-indexing of malware-hosting sites, and public awareness drives to counter both ongoing and future threats.