Pakistani Hackers Operate 300+ Cracking Websites to Spread Info-Stealer Malware

A recent technical investigation has uncovered a sophisticated network of over 300 cracking websites operated by Pakistani threat actors, purpose-built to distribute info-stealer malware to victims worldwide.

The infrastructure, traced through domain registration records and hosting data, reveals a coordinated effort by Pakistani freelancers and web developers, many of whom have transitioned from freelance gigs to institutionalized operations.

These actors leverage pay-per-install (PPI) models, reminiscent of the Cryptbot malware ecosystem, to maximize financial gain from malware propagation.

Technical Infrastructure

The investigation began with the analysis of a stealer compromise affecting a corporate client, where the infection vector was identified as a cracked software website (kmspico[.]io).

Further research into associated domains, IP addresses, and WHOIS records revealed a cluster of websites registered and managed by individuals in Pakistan.

Notably, the domain filescrack[.]com emerged as a central component, functioning as a nameserver for more than 300 cracking websites since 2021.

Figure: Cracking websites associated with the nominative email address.

The majority of these sites are hosted by 24xservice, a provider with infrastructure located in Lahore, Pakistan (AS57717), whose IP range (185.216.143.0/24) is almost exclusively dedicated to such malicious activity.

The WHOIS records and email addresses associated with these domains point to real identities of Pakistani freelancers, some of whom are publicly listed on IT community websites in Sargodha, Punjab.

According to the Intrinsec report, these individuals, initially operating as independent web developers, appear to have built portfolios by accepting projects to develop cracking websites, later distancing themselves from direct involvement as their operations matured.

Malware Delivery

These cracking websites serve as initial access vectors for info-stealer malware. Unsuspecting users, often seeking pirated software, are lured by aggressive SEO tactics and Google Ads campaigns.

Upon downloading and executing the cracked software, their credentials are harvested and sold on cybercrime forums, Telegram channels, and dark web marketplaces.

The compromised credentials are then used for further intrusions, including ransomware deployment and corporate espionage.

Figure: URLs associated with the IP address.

A key aspect of this ecosystem is the integration of pay-per-install networks, such as the now-defunct installpp[.]com.

Freelancers and site operators receive commissions based on the volume and geographic distribution of successful malware installations, incentivizing the proliferation of these malicious sites.

Communication logs and screenshots confirm the use of such PPI services, with discussions in Hindi and Urdu indicating ongoing collaboration and technical adjustments among network members.

The Pakistani cybercrime ecosystem has grown increasingly complex, with observed ties to both Chinese and Russian entities.

Intelligence sharing and cybersecurity cooperation between Pakistan and China have intensified, while Russian actors such as FIN7 have been linked to similar PPI-based malware distribution models.

Despite periodic takedowns and domain seizures by Western authorities, prosecution remains elusive due to the absence of an extradition treaty between Pakistan and the US or EU. As a result, threat actors can quickly rebuild infrastructure, perpetuating the threat.

This analysis underscores the persistent risk posed by Pakistani-based cracking websites delivering info-stealer malware.

The combination of technical expertise, monetization strategies, and geopolitical insulation enables these actors to operate at scale, targeting victims globally.

Organizations are urged to block the identified indicators of compromise (IOCs), enhance employee awareness, and monitor for suspicious outbound connections to mitigate exposure.

Indicators of Compromise (IOCs)

Value               Type      Description
sadeempc.com        Domain    Cracking website (24xservice)
pcserialkey.com     Domain    Cracking website (24xservice)
cracxfree.com       Domain    Cracking website (24xservice)
vlsoft.net          Domain    Cracking website (24xservice)
pcproductkey.net    Domain    Cracking website (24xservice)
vsthomes.com        Domain    Cracking website (24xservice)
crackedpc.net       Domain    Cracking website (24xservice)
apxsoftwares.com    Domain    Cracking website (24xservice)
fullcrackedpc.com   Domain    Cracking website (24xservice)
xproductkey.com     Domain    Cracking website (24xservice)
filescrack.com      Domain    Cracking website & nameserver
crackjin.net        Domain    Cracking website & nameserver
185.216.143.0/24    IP range  24xservice, used for cracking websites
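To act on the advice above (block the IOCs and watch outbound connections), here is an added example, not from the article or Intrinsec, that matches the IOC domains (including their subdomains) and the 24xservice /24 against proxy-log lines. The log format (`<timestamp> <src_ip> <dst_ip> <url>`) and the sample lines are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# IOC domains and network from the table above.
IOC_DOMAINS = {
    "sadeempc.com", "pcserialkey.com", "cracxfree.com", "vlsoft.net",
    "pcproductkey.net", "vsthomes.com", "crackedpc.net", "apxsoftwares.com",
    "fullcrackedpc.com", "xproductkey.com", "filescrack.com", "crackjin.net",
}
IOC_NETWORKS = [ipaddress.ip_network("185.216.143.0/24")]


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain that host equals or is a subdomain of, else None.
    A name that merely ends in the same characters (notfilescrack.com) is not a hit."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def ip_matches(addr: str) -> Optional[str]:
    """Return the IOC network containing addr, else None (non-IP input -> None)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((str(net) for net in IOC_NETWORKS if ip in net), None)


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, ioc) for each line whose URL host or destination IP
    hits an IOC. Assumed (hypothetical) format: '<ts> <src_ip> <dst_ip> <url>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the sweep
        _ts, _src, dst_ip, url = parts[:4]
        host = urlsplit(url).hostname or ""
        ioc = domain_matches(host) or ip_matches(dst_ip)
        if ioc:
            hits.append((n, ioc))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 203.0.113.10 http://dl.filescrack.com/kms.zip",
    "2024-01-01T10:00:01Z 10.0.0.5 93.184.216.34 https://example.com/",
    "2024-01-01T10:00:02Z 10.0.0.7 185.216.143.17 http://cdn.example.net/file.exe",
    "2024-01-01T10:00:03Z 10.0.0.9 198.51.100.2 https://notfilescrack.com/",
]

if __name__ == "__main__":
    for line_no, ioc in scan_proxy_log(SAMPLE_LOG):
        print(f"line {line_no}: matched IOC {ioc}")
```

Line 3 is caught by the destination IP alone, which is why the range check matters even when the hostname is unknown or freshly registered.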

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
