A massive cybercrime operation based in Pakistan has been exposed after running a sophisticated infostealer malware campaign for five years, generating over $4 million by targeting software pirates.
Operation details
The criminal network, primarily operating from Bahawalpur and Faisalabad, functioned like a multi-level marketing scheme but distributed malicious code instead of legitimate products. According to research, the group used search engine optimisation poisoning and forum posts to advertise pirated software such as Adobe After Effects and Internet Download Manager.
Victims were redirected to malicious WordPress sites where infostealer malware, including Lumma Stealer, Meta Stealer, and AMOS was hidden within password-protected archives. The operation utilised disposable domains to mask the true source of infections, making detection more difficult.
Financial infrastructure
The scheme's backbone consisted of two Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia (later rebranded as Installstera). Over 5,200 affiliates operated at least 3,500 sites, earning payments for each successful malware installation or download. Payments were processed primarily through Payoneer and Bitcoin.
The scale was enormous, with records showing 449 million clicks and more than 1.88 million installations during the documented period. Long-running domains proved most profitable, with a small fraction generating the majority of revenue.
Downfall and exposure
The operation was accidentally exposed when the attackers themselves became infected by infostealer malware, revealing credentials, communications, and backend access to their own systems. This breach uncovered evidence of family involvement, with recurring surnames and shared accounts throughout the infrastructure.
The group evolved their tactics over time, shifting from install-based tracking in 2020 to download-focused metrics in later years, possibly to evade detection or adapt monetisation methods.
How to stay safe
- Avoid cracked or pirated software; rely on official developer sites and reputable distributors to prevent infostealer exposure at the source.
- Keep security suites updated and configure firewalls to block outbound C2 communication, reducing post-compromise impact if malware executes.
- Enable multi-factor authentication so stolen credentials are insufficient for account takeovers, and monitor accounts for identity-theft signals.
- Maintain offline or secure cloud backups for recovery, stay alert to suspicious domain activity, and distrust “free” offers for expensive software that often hide hidden risks.
