Just a sample of the Echomail archive
Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.
|    CONSPRCY    |    How big is your tinfoil hat?    |    2,445 messages    |
|    Message 1,637 of 2,445    |
|    Mike Powell to All    |
|    Pakistani-based malware e    |
|    17 Aug 25 10:16:34    |
TZUTC: -0500
MSGID: 1371.consprcy@1:2320/105 2d072dad
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed

Pakistani-based malware empire 'punished' software pirates with infostealers, earning millions of dollars in just five years - here's how to stay safe

Date:
Sun, 17 Aug 2025 10:27:00 +0000

Description:
Cybercriminals in Pakistan ran a global malware empire using pirated software, amassing vast profits while exposing victims' data.

FULL STORY

Pakistani-based cybercriminals have been linked to an operation that distributed infostealer malware disguised as cracked software, amassing millions of dollars over five years.

Reports from CloudSek claim the network, traced primarily to Bahawalpur and Faisalabad, functioned like a multi-level sales model, except the product was malicious code.

The group lured victims through search engine optimization poisoning and forum posts advertising pirated programs such as Adobe After Effects and Internet Download Manager.

Disposable domains masked the real source of malware

These listings redirected users to malicious WordPress sites, where malware like Lumma Stealer, Meta Stealer, and AMOS was embedded within password-protected archives.

The financial backbone of the operation was a pair of Pay-Per-Install (PPI) networks: InstallBank and SpaxMedia, later rebranded as Installstera.

Affiliates were paid for every successful malware install or download, with over 5,200 members operating at least 3,500 sites.

The tracked revenue exceeds $4 million, and payments were made primarily through Payoneer and Bitcoin.

The scale was large, with records showing 449 million clicks and more than 1.88 million installs during the documented period.

The campaign took a turn when the attackers themselves were infected by infostealer malware, exposing credentials, communications, and backend access to their own PPI systems.

This leak revealed strong indications of family involvement, with recurring surnames and shared accounts appearing throughout the infrastructure.

The group shifted strategy over time, moving from install-based tracking in 2020 to download-focused metrics in later years, a change which may have been aimed at evading detection or adapting to new monetization methods.

Long-running sites proved the most profitable, with a small fraction of domains generating the majority of installs and revenue.

Disposable domains with short lifespans were also used to distance the infection source from the final payload delivery.

This highlights the risks of pirated software, which often serves as the initial delivery method for such malware.

How to stay safe

Avoid downloading cracked or pirated software, as it is a common method for delivering infostealer malware.
Use legitimate software sources such as official developer websites and trusted distribution platforms.
Keep security suites updated to detect and block known threats before they execute.
Configure a firewall to prevent malicious programs from communicating with remote servers.
Enable multi-factor authentication so stolen passwords alone cannot grant account access.
Monitor bank, email, and online accounts regularly for signs of identity theft.
Back up important data to secure offline or cloud storage to allow recovery after an attack.
Stay informed about emerging cyber threats and suspicious domain activity.
Be wary of offers that provide expensive software for free, as they often carry hidden security risks.

======================================================================
Link to news story:
https://www.techradar.com/pro/security/pakistani-based-malware-empire-punished-software-pirates-with-infostealers-earning-millions-of-dollars-in-just-five-years-heres-how-to-stay-safe

$$
--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/14 305 153/7715 154/110 218/700
SEEN-BY: 226/30 227/114 229/110 111 114 206 300 307 317 400 426 428
SEEN-BY: 229/470 664 700 705 266/512 291/111 320/219 322/757 342/200
SEEN-BY: 396/45 460/58 712/848 902/26 2320/0 105 304 3634/12 5075/35
PATH: 2320/105 229/426
(c) 1994, bbs@darkrealms.ca