CloudSEK Uncovers $4.67M Malware Network Targeting Millions Worldwide

The turning point in the investigation came when the operators themselves were infected with infostealer malware.

Cybersecurity intelligence firm CloudSEK has uncovered one of the most extensive and profitable malware delivery operations in recent history — a Pakistan-based, family-linked network that has weaponized software piracy to launch infostealer attacks on millions of victims worldwide.

The investigation, published in CloudSEK’s latest report, “The Anatomy of an Attack: Pakistan-Based Infostealer Delivery Network Exposed”, offers an unprecedented inside look into how a sprawling network of operators, affiliates, and infrastructure turned cracked software demand into a multi-million-dollar cybercrime business.

From Pirated Software to Global Infections

The syndicate’s primary lure was Search Engine Optimization (SEO) poisoning and forum spam on legitimate online communities. By posting links to cracked versions of high-demand software — such as Adobe After Effects and Internet Download Manager (IDM) — they funneled unsuspecting users to a maze of malicious WordPress sites. 

These sites distributed commodity infostealers, including Lumma Stealer, Meta Stealer, and, more recently, AMOS, concealed inside password-protected archives to evade detection.

In addition to SEO and forum spam, the operators also ran paid ads through legitimate traffic services to drive even more users to their malicious domains. This allowed them to blend malicious activity with normal web marketing traffic, making detection and takedown far more difficult.

Once installed, the malware exfiltrated credentials, browser data, cryptocurrency wallets, and other sensitive information — data that was later monetized through resale and secondary fraud.

Meanwhile, ahead of India’s 79th Independence Day (August 2025), hacktivist groups and cybercriminals launched coordinated attacks targeting government, finance, and defense sectors. Fueled by the Pahalgam terror attack, threat actors from Pakistan, China, and others executed over 4,000 incidents, including phishing, fake websites, data breaches, and scams. APT groups like APT36 and APT41 deployed credential theft campaigns. Citizens are urged to stay alert and report suspicious activity.

CloudSEK’s research team has, in parallel, exposed an ongoing campaign by Pakistan targeting the Indian government and critical infrastructure ahead of Independence Day.

Key Findings from CloudSEK’s Investigation

Scale & Reach

  • 5,239 registered affiliates operated 3,883 malware distribution sites.

  • Generated 449 million clicks and 1.88 million documented installs over the observed period.

  • Estimated lifetime revenue of $4.67 million, with actual earnings likely higher due to undocumented “off-ledger” settlements.

Financial Operations

  • Between May and October 2020 alone, the network paid out $130,560.53 to affiliates at an average Effective Cost Per Install (eCPI) of $0.0693.

  • Top affiliates captured over 45% of total payouts.

  • Preferred payment method: Payoneer (67%), followed by Bitcoin (31%) — a rare case of cybercriminals leaning on traditional financial channels to disguise illicit activity.

Organizational Structure

  • Operated primarily out of Bahawalpur and Faisalabad, Pakistan.

  • Multiple operators shared the same family surname, suggesting a multi-generational, family-run cybercrime syndicate.

  • Divided roles between primary operators (network management & finances), affiliates (traffic generation via warez sites), and financial facilitators (handling payouts and settlements).

Evolving Tactics

  • Shifted from “install-based” monetization in 2020 to download-focused campaigns by 2021, likely to evade detection.

  • Maintained 383 long-haul domains active for over a year, accounting for 85% of total installs, alongside hundreds of short-lived throwaway domains using disposable TLDs (.cfd, .lol, .cyou).
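Two of the report's observations lend themselves to a simple defensive check: the lure payloads arrive as archives, and the throwaway sites sit on the disposable TLDs named above, while the long-haul domains stay active for more than a year. The following is an added illustration written for this article, not code from CloudSEK or the report; it runs over constructed web-proxy log lines (the hostnames and timestamps are invented) and flags archive downloads from disposable-TLD hosts, then buckets each host by how long it has been seen in the log.

```python
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

DISPOSABLE_TLDS = {"cfd", "lol", "cyou"}   # throwaway TLDs named in the report
ARCHIVE_EXTS = (".zip", ".rar", ".7z")      # archive lures (often password-protected)
LONG_HAUL_DAYS = 365                        # report's threshold for long-haul domains

# Constructed sample proxy log, one event per line: "<ISO timestamp> <client> <URL>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 10.0.0.5 https://free-after-effects.cfd/download/AE_crack.zip
2024-03-01T10:02:00 10.0.0.5 https://free-after-effects.cfd/thanks.html
2024-03-02T09:00:00 10.0.0.9 https://idm-keygen.lol/files/idm.rar
2023-01-15T08:00:00 10.0.0.7 https://cracked-tools.example/setup.zip
2024-06-20T08:00:00 10.0.0.8 https://cracked-tools.example/setup.zip
2024-03-03T12:00:00 10.0.0.6 https://docs.python.org/3/library/zipfile.html
"""

def parse_line(line):
    """Split one log line into timestamp, client IP, hostname and URL path."""
    ts, client, url = line.split(" ", 2)
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": (parts.hostname or "").lower(), "path": parts.path}

def is_disposable_tld(host):
    return host.rsplit(".", 1)[-1] in DISPOSABLE_TLDS

def flag_archive_lures(log_text):
    """Return (client, host, path) for archive downloads from disposable-TLD hosts."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if is_disposable_tld(ev["host"]) and ev["path"].lower().endswith(ARCHIVE_EXTS):
            hits.append((ev["client"], ev["host"], ev["path"]))
    return hits

def classify_domains(log_text):
    """Bucket hosts by observed lifespan: 'long-haul' (>1 year in the log) or 'recent'.
    The span only reflects the log's own window, so treat 'recent' as 'not yet seen long'."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        seen[ev["host"]].append(ev["ts"])
    return {h: ("long-haul" if (max(t) - min(t)).days > LONG_HAUL_DAYS else "recent")
            for h, t in seen.items()}
```

A disposable-TLD match alone is a weak signal; the archive-download condition is what keeps the rule from alerting on every visit to a .lol site, and both lists would be fed from threat intelligence in practice.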

“This is not a small-time hacking group — it’s an industrial-scale cybercrime enterprise that has been operating for years, infecting millions of devices across the globe. By hijacking the demand for pirated software, they have turned unsuspecting users into a steady revenue stream, generating at least $4.67 million in tracked income and potentially far more through unrecorded channels,” said Nivya Ravi, Director of Products, CloudSEK.

“The magnitude of this operation is staggering — 449 million clicks, millions of installs, and over 10 million potential victims whose personal data, credentials, and financial information have been stolen and sold. Beyond the numbers, the real damage is in the ripple effect: stolen credentials used for identity theft, online fraud, and corporate breaches,” Ravi added.

A Rare Breakthrough: When Hackers Get Hacked

The turning point in the investigation came when the operators themselves were infected with infostealer malware. Their own logs — containing admin credentials, payout histories, and internal communications — were exfiltrated and analyzed by CloudSEK’s TRIAD team.

This unique dataset provided:

  • Full access to InstallBank’s backend, including SQLi vulnerabilities that revealed the affiliate ledger and payment history.

  • Affiliate account credentials for the secondary network, SpaxMedia (later rebranded as Installstera), exposing payout dashboards, domain configurations, and marketing materials.

  • Direct attribution linking multiple operators to specific domains, payment accounts, and social media profiles.

The Monetization Engine: Two PPI Networks

CloudSEK identified two interconnected Pay-Per-Install (PPI) networks at the core of the operation:

  • InstallBank.com — Active since 2018, offline as of August 2025. Managed thousands of affiliates, with a highly lucrative payout structure.

  • SpaxMedia → Installstera.com — Launched in 2022, briefly suspended in 2024, and relaunched in early 2025 using the same codebase and user base.

Together, these networks paid affiliates per successful malware installation or download. Operators used SEO marketing, warez distribution sites, and paid social media ads to drive traffic to their payloads.

Global Victimology & Impact

While the campaign’s infrastructure was Pakistan-centric, its victim base was global. The primary targets were individuals seeking pirated software — a demographic that often bypasses security warnings and disables antivirus software, making them high-risk.

CloudSEK estimates that with an average resale price of $0.47 per stolen credential log, the network’s total impact could extend to over 10 million victims worldwide.

Strategic Implications for Law Enforcement & Industry

This case demonstrates that major cybercrime enterprises can — and do — operate in plain sight, using:

  • Legitimate financial services (e.g., Payoneer, Bitcoin exchanges with weak KYC).

  • Public-facing marketing tactics (SEO, Facebook ads, community forum posts).

  • Persistent infrastructure capable of surviving takedowns for years.

CloudSEK recommends a multi-pronged disruption strategy combining:

  • Domain takedowns targeting the 383 long-haul sites.

  • Financial interdiction in collaboration with Payoneer and other processors.

  • Search engine de-indexing of warez sites hosting malware.

  • User education campaigns warning about cracked software risks.

“This investigation shows that cybercrime today is no longer a dark-web-only phenomenon. It’s hiding in plain sight, using SEO, legitimate payment processors, and publicly accessible forums to operate with alarming efficiency. The scale and sophistication of this network underscore the urgent need for coordinated, cross-border action to dismantle such operations before they cause irreversible damage to individuals, businesses, and critical infrastructure,” said Nivya Ravi, Director of Products, CloudSEK.
