Inside the Malware Network: How Over 300 Pakistani Cracking Sites Are Spreading Global Info-Stealer Threats

A Hidden Cybercrime Industry with Global Reach

A sweeping cyber investigation has revealed a deeply entrenched and fast-evolving network of over 300 malicious websites run by Pakistani cybercriminals. The sites are part of a larger operation that distributes info-stealing malware to unsuspecting victims around the world. What started as freelance web development gigs has turned into an organized, monetized malware ecosystem. The operators behind it act with little fear of legal consequences: they exploit global demand for pirated software, push their sites to the top of search results with aggressive SEO, and rely on the absence of cross-border law enforcement cooperation.

How the Cybercrime Machine Works

Investigators traced a recent corporate malware breach back to a popular cracked-software site, kmspico[.]io. That single infection led researchers down a rabbit hole of interconnected domains, all tied to a network based in Pakistan. These sites, filescrack[.]com among them, serve as gateways for installing malware on visitors' devices. Most of the domains are hosted by 24xservice, a provider based in Lahore, and sit in a single IP range (185.216.143.0/24) that the investigation found almost entirely given over to malicious activity.

The individuals managing these sites appear to be freelance developers who transitioned from client-based web projects to building their own infrastructure for malware delivery. WHOIS data and associated emails link the domains directly to real Pakistani IT professionals, many of whom are listed publicly on local tech platforms.

These websites use aggressive SEO and Google Ads to attract users searching for pirated software. Once a visitor runs the downloaded installer, it quietly drops info-stealer malware that harvests saved passwords, browser data, and other login credentials. The stolen data is then sold through Telegram groups, dark web marketplaces, and hacker forums, where buyers use it to mount more serious intrusions such as ransomware attacks and corporate espionage.

The network’s strength lies in its financial structure. It uses pay-per-install (PPI) programs, where operators are paid per successful malware installation. These models incentivize widespread distribution. Screenshots and internal messages reveal the use of services like the now-defunct installpp[.]com, with ongoing coordination in Hindi and Urdu among participants.

This operation is not isolated. Cybersecurity experts urge companies to block the identified indicators of compromise (IOCs), the cracking domains and the 185.216.143.0/24 range, at the DNS and proxy layer; to raise employee awareness of the risks of cracked software; and to monitor outbound traffic for connections to those indicators, so that an infection is caught before the stolen credentials are sold on.
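To make the last recommendation concrete, here is an added example (not code from cyberpress.org or the original report) that matches outbound DNS and web-proxy log lines against the indicators the article names: the two domains and the 185.216.143.0/24 range. The log lines are constructed; the log format, its field names, and the internal client addresses are assumptions.

```python
"""Scan outbound DNS / web-proxy log lines for the indicators named in the report.

Added example, not code from the original report. The only indicators used are
the two domains and the /24 quoted in the article; the log lines are constructed.
"""
import ipaddress
import re

# Indicators as the article prints them (defanged with "[.]").
DEFANGED_IOCS = ["kmspico[.]io", "filescrack[.]com", "185.216.143.0/24"]

# Loose extractors for hostnames and IPv4 addresses in free-form log text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(indicator):
    """Turn 'example[.]com' / 'hxxp://' style indicators back into matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def load_iocs(defanged):
    """Split a mixed indicator list into a set of domains and a list of IP networks."""
    domains, networks = set(), []
    for raw in defanged:
        ioc = refang(raw)
        try:
            networks.append(ipaddress.ip_network(ioc, strict=False))
        except ValueError:  # not an address or CIDR, so treat it as a domain
            domains.add(ioc.rstrip("."))
    return domains, networks


def domain_matches(host, domains):
    """True for an exact IOC domain or any subdomain of one (download.filescrack.com),
    but not for look-alikes such as evil-filescrack.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_matches(ip, networks):
    """True if the address falls inside one of the IOC networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # e.g. 999.1.1.1 pulled out by the loose regex
        return False
    return any(addr in net for net in networks)


def scan_line(line, domains, networks):
    """Return the indicators hit by one log line (an empty list means clean)."""
    hits = [h.lower() for h in HOST_RE.findall(line) if domain_matches(h, domains)]
    hits += [ip for ip in IPV4_RE.findall(line) if ip_matches(ip, networks)]
    return hits


def scan_log(lines, defanged=DEFANGED_IOCS):
    """Return (line number, hits) for every line that touches an indicator."""
    domains, networks = load_iocs(defanged)
    flagged = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line, domains, networks)
        if hits:
            flagged.append((n, hits))
    return flagged


# Constructed sample lines in a resolver / proxy style; client IPs are RFC 1918.
SAMPLE_LOG = [
    "2025-06-01T09:12:03Z dns client=10.0.4.21 query=download.filescrack.com type=A",
    "2025-06-01T09:12:04Z proxy client=10.0.4.21 GET http://download.filescrack.com/setup.exe status=200",
    "2025-06-01T09:12:05Z proxy client=10.0.4.21 CONNECT 185.216.143.77:443 status=200",
    "2025-06-01T09:13:10Z dns client=10.0.4.22 query=updates.example.org type=A",
    "2025-06-01T09:14:00Z proxy client=10.0.4.23 GET https://KMSPICO.IO/ status=301",
    "2025-06-01T09:15:00Z proxy client=10.0.4.24 CONNECT 185.216.144.5:443 status=200",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Two details matter in practice: subdomains of an IOC domain are caught (the installer is rarely served from the bare domain), while look-alike names such as evil-filescrack.com are not, and an address in the neighbouring 185.216.144.0/24 is correctly ignored because only the range the report names is blocklisted.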

What Undercode Say:

A Sophisticated Cyber Threat Built on Freelance Roots

This operation demonstrates how low-cost freelance talent can evolve into a large-scale cyber threat when driven by financial opportunity and lacking regulatory oversight. Pakistani freelancers, many from regions like Punjab, once took on legitimate gigs to build cracking websites. Over time, they refined their skills, built repeatable templates, and shifted their business model toward monetized malware delivery. What’s most alarming is the institutional nature of this transformation. These actors no longer function as scattered individuals but as organized units with hosting infrastructure, communication channels, and operational strategies.

Pay-Per-Install Fuels a Vicious Cycle

The use of PPI models supercharges this malware network. By tying financial rewards to successful infections, developers are incentivized to refine their tactics—focusing on SEO, ad targeting, and software packaging. This structure mimics affiliate marketing but for cybercrime. It turns every website into a potential infection hub and every visitor into a financial opportunity. Unlike ransomware groups that require more advanced intrusion tactics, this ecosystem thrives on volume and automation.

Geopolitical Gaps Protect the Network

What allows this network to persist is not just technical sophistication but geopolitical insulation. The absence of extradition treaties means that Western authorities can identify but not prosecute offenders. Pakistan’s cooperation with Chinese cybersecurity entities further complicates matters. Intelligence sharing between these two nations may provide the local actors with insight on how to evade detection or redirect attention. Meanwhile, ties to Russian syndicates like FIN7 reveal a level of international coordination that suggests this is more than a regional nuisance—it’s a global cybercrime player.

Aggressive SEO Tactics Target the Curious and the Vulnerable

Cracking websites thrive by preying on the natural human desire to avoid paying for expensive software. The perpetrators use polished SEO campaigns and Google Ads to push their domains to the top of search results. For the average user, these sites look legitimate enough to trust. But with just one download, malware is silently installed, data is stolen, and long-term compromise begins. The range of potential targets includes home users, businesses, and even government networks—anyone searching for free software becomes a target.

Cracking Culture Blurs Legal and Illegal Lines

One deeper issue at play is the normalization of cracked software in many online communities. From forums to YouTube tutorials, cracked apps are often portrayed as harmless hacks rather than serious security risks. This cultural blind spot is a major advantage for threat actors. As long as users continue to see cracking as a minor offense instead of an entry point for espionage or financial theft, the pool of victims will remain vast.

Infrastructure Tells the Story

The IP range used by 24xservice (185.216.143.0/24) is nearly monopolized by these malicious sites, suggesting that the hosting provider may either be complicit or extremely negligent. The central role of filescrack[.]com as a nameserver points to a centralized architecture, which makes the operation easier to rebuild after takedowns. Each new domain is simply plugged into the same backend. This gives the network resilience and speed, making it difficult for defenders to keep up.
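The centralised backend described above is also what lets defenders expand a small IOC set into the wider network. The following is an added example, not code or data from the investigation: starting from the two domains the article names, it pivots over shared nameservers and shared /24s in a constructed passive-DNS style dataset. The nameserver hostname ns1.filescrack.com, the fan-out threshold, and every .example record are assumptions (.example is a reserved name, so none of those are real sites).

```python
"""Pivot from the two seed domains in the report to the rest of a shared backend.

Added example, not code or data from the original investigation. The records
are constructed passive-DNS style entries (domain, A record, nameserver) shaped
like what the article describes: many domains in one /24 and one cracking domain
acting as nameserver. Everything except the two seed domains and the /24 is an
assumption.
"""
import ipaddress
from collections import defaultdict

SEEDS = {"kmspico.io", "filescrack.com"}

RECORDS = [
    # (domain, A record, authoritative nameserver)  -- all constructed
    ("kmspico.io",         "185.216.143.10",  "ns1.filescrack.com"),   # NS name assumed
    ("filescrack.com",     "185.216.143.11",  "ns1.filescrack.com"),
    ("crackzone.example",  "185.216.143.12",  "ns1.filescrack.com"),
    ("othercrack.example", "198.51.100.7",    "ns1.filescrack.com"),   # same NS, other hoster
    ("freeapps.example",   "185.216.143.40",  "ns1.bulkdns.example"),  # same /24, third-party NS
    ("shop.example",       "185.216.143.200", "ns1.bulkdns.example"),  # innocent neighbour in the /24
    ("blog.example",       "203.0.113.5",     "ns1.bulkdns.example"),  # linked only via the bulk NS
    ("news.example",       "203.0.113.6",     "ns1.bulkdns.example"),
    ("forum.example",      "192.0.2.9",       "ns1.bulkdns.example"),
]


def pivot(records, seeds, max_ns_fanout=50):
    """Expand a seed set by shared nameserver and shared /24 until nothing new appears.

    Returns {domain: sorted list of reasons}. A nameserver serving more than
    max_ns_fanout domains in the dataset is skipped as a pivot: a popular DNS
    provider links everyone to everyone and would flood the result with
    unrelated domains.
    """
    dom_ns, dom_net = defaultdict(set), defaultdict(set)
    ns_doms, net_doms = defaultdict(set), defaultdict(set)
    for domain, ip, ns in records:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        dom_ns[domain].add(ns)
        dom_net[domain].add(net)
        ns_doms[ns].add(domain)
        net_doms[net].add(domain)

    reasons = defaultdict(set)
    for seed in seeds:
        reasons[seed].add("seed")
    frontier = set(seeds)
    while frontier:
        new = set()
        for bad in frontier:
            links = []
            for ns in dom_ns[bad]:
                if len(ns_doms[ns]) <= max_ns_fanout:
                    links += [(d, f"ns:{ns}") for d in ns_doms[ns]]
            for net in dom_net[bad]:
                links += [(d, f"net:{net}") for d in net_doms[net]]
            for d, why in links:
                if d == bad:
                    continue
                if d not in reasons:  # first time we reach this domain
                    new.add(d)
                reasons[d].add(why)
        frontier = new
    return {d: sorted(r) for d, r in reasons.items()}


if __name__ == "__main__":
    for domain, why in sorted(pivot(RECORDS, SEEDS, max_ns_fanout=4).items()):
        print(f"{domain:22} {', '.join(why)}")
```

With the fan-out guard disabled the walk reaches all nine records, because freeapps.example sits in the /24 and shares a bulk nameserver with blog, news and forum; with a threshold of 4 the bulk nameserver is ignored and only the six domains tied to the /24 or to ns1.filescrack.com remain. Hits carrying a single reason (shop.example, which only shares the /24) still need analyst triage: the article's claim that the range is nearly monopolised makes that link strong here, but it is not in general.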

Global Response Is Falling Short

Despite solid technical investigations and some domain seizures, international law enforcement remains a step behind. Without legal tools to prosecute, Western nations are stuck in a loop of takedown and rebuild. Meanwhile, the real players remain untouched, and their profits continue to grow.

šŸ” Fact Checker Results:

āœ… Over 300 cracking domains confirmed via WHOIS and IP data
āœ… Malware tied to info-stealer strains and linked to known PPI networks
āŒ No successful prosecution or international legal action reported

📊 Prediction:

Given the resilient architecture and international ties of this malware distribution network, it is likely to expand its operations in 2025. Expect more sophisticated social engineering techniques, deeper integration with Telegram and dark web channels, and broader targeting beyond software users—potentially extending into browser extensions, gaming mods, and mobile app repacks. The absence of international legal pressure will embolden these actors to scale even further.

References:

Reported By: cyberpress.org