Pakistan-Based Malware Network Targeting Millions Globally: CloudSEK

The criminals posted links to cracked versions of high-demand software such as Adobe After Effects to attract victims.

Cybersecurity vendor CloudSEK has claimed that a Pakistan-based network is using software piracy to launch infostealer attacks on millions worldwide. (Source: Freepik)
Cybersecurity vendor CloudSEK has claimed to have uncovered what the company describes as one of the most extensive and profitable malware delivery operations in recent history — a Pakistan-based, family-linked network using software piracy to launch infostealer attacks on millions worldwide. The investigation has revealed how such syndicates operate and how they use legitimate tools and services to further their nefarious goals.

The Pakistan-based syndicate’s primary lure was search engine optimisation (SEO) poisoning and forum spam on legitimate online communities. By posting links to cracked versions of high-demand software — such as Adobe After Effects and Internet Download Manager — they funnelled unsuspecting users to a maze of malicious WordPress sites. 

These sites distributed commodity infostealers, including Lumma Stealer, Meta Stealer, and, more recently, AMOS, concealed inside password-protected archives to evade detection.
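Password-protected archives defeat content scanning because the scanner cannot open the member it needs to inspect, so the archive itself has to be treated as the signal. The following triage check, an added example rather than code from CloudSEK or from the report, reads only the ZIP central directory and flags any archive whose members carry the encryption flag and whose names look like an installer. The helper that builds the test archives, the `PAYLOAD_EXTENSIONS` list and the sample file names are all constructed for the example, not taken from the investigation.

```python
import io
import struct
import zipfile
import zlib

# Bit 0 of the ZIP general-purpose flag marks a member as encrypted
# (PKWARE APPNOTE section 4.4.4); password-protected archives set it on every member.
ENCRYPTED_FLAG = 0x0001

# Assumed triage heuristic for "installer-like" names; not a list from the report.
PAYLOAD_EXTENSIONS = (".exe", ".scr", ".msi", ".bat", ".cmd", ".js", ".vbs", ".dmg", ".pkg")


def build_zip(members, encrypted=False):
    """Build a minimal stored (uncompressed) ZIP in memory for testing.

    With encrypted=True only the flag bit is set, so archive inspectors see a
    password-protected member; the bytes are not really encrypted, which is
    enough to exercise the directory-level check below.
    """
    local_parts, central_parts = [], []
    offset = 0
    flags = ENCRYPTED_FLAG if encrypted else 0
    for name, data in members:
        fname = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        # Local file header (30 bytes) + name + data; 0x21 is a valid DOS date (1980-01-01).
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0x21,
                            crc, len(data), len(data), len(fname), 0) + fname + data
        # Central directory header (46 bytes) + name, pointing at the local header.
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0x21,
                              crc, len(data), len(data), len(fname), 0, 0, 0, 0, 0, offset) + fname
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    # End of central directory record (22 bytes).
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members), len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


def triage_archive(data):
    """Inspect an in-memory ZIP without extracting it and return triage signals."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()  # central directory only; no member is opened
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    payloads = [i.filename for i in infos if i.filename.lower().endswith(PAYLOAD_EXTENSIONS)]
    return {
        "members": [i.filename for i in infos],
        "encrypted_members": encrypted,
        "payload_members": payloads,
        # An encrypted installer is exactly what a scanner cannot look inside.
        "suspicious": bool(encrypted) and bool(payloads),
    }


# Constructed samples: a plain text archive and a "cracked installer" lure.
BENIGN_ZIP = build_zip([("README.txt", b"release notes")])
LURE_ZIP = build_zip([("After_Effects_2024_Setup.exe", b"MZ" + b"\x00" * 62),
                      ("Readme.txt", b"run setup")], encrypted=True)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_ZIP), ("lure", LURE_ZIP)):
        print(label, triage_archive(blob))
```

The check deliberately never calls `open()` on a member: a gateway or EDR hook can run it on every archive it sees, and the result is meaningful precisely when the payload cannot be scanned. Pair it with the delivery context the report describes (a download page reached via a "cracked software" search result or forum post) rather than blocking every encrypted ZIP outright.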

In addition to SEO and forum spam, the operators also ran paid ads through legitimate traffic services to drive even more users to their malicious domains. This allowed them to blend malicious activity with normal web marketing traffic, making detection and takedown far more difficult.

Once installed, the malware exfiltrated credentials, browser data, cryptocurrency wallets, and other sensitive information. This data was later monetised by the criminal syndicate through resale and secondary fraud.

According to CloudSEK, 5,239 registered affiliates operated 3,883 malware distribution sites. These generated 449 million clicks and 1.88 million documented installs over the observed period. The security vendor estimated the criminal syndicate's lifetime revenue at $4.67 million, with actual earnings likely higher because of undocumented “off-ledger” settlements.

Between May and October 2020 alone, the network paid out $130,560.53 to affiliates at an average Effective Cost Per Install (eCPI) of $0.0693. The criminal syndicate operated primarily out of Bahawalpur and Faisalabad, Pakistan, with multiple operators sharing the same family surname, suggesting a multi-generational, family-run operation.

The investigation revealed that the criminals shifted from ‘install-based’ monetisation in 2020 to download-focused campaigns by 2021, likely to evade detection. They used 383 long-lived domains, each active for over a year, which accounted for 85% of total installs, alongside hundreds of short-lived throwaway domains. The syndicate paid affiliates per successful malware installation or download. Operators used SEO marketing, warez distribution sites, and paid social media ads to drive traffic to their payloads.

“This is not a small-time hacking group. It’s an industrial-scale cybercrime enterprise that has been operating for years, infecting millions of devices across the globe. By hijacking the demand for pirated software, they have turned unsuspecting users into a steady revenue stream. Beyond the numbers, the real damage is in the ripple effect: stolen credentials used for identity theft, online fraud, and corporate breaches,” said Nivya Ravi, director of products, CloudSEK.

The turning point in the investigation came when the operators themselves were infected with infostealer malware. Their own logs, containing admin credentials, payout histories, and internal communications, were exfiltrated and analysed by CloudSEK’s TRIAD team.

According to CloudSEK, this case demonstrates that major cybercrime enterprises can — and do — operate in plain sight, using legitimate financial services such as Payoneer or Bitcoin exchanges with weak KYC, as well as public-facing marketing tactics, including SEO, Facebook ads and community forum posts.
