The Dark Side of Fame: Pakistani Actors and Malware Distribution

A sophisticated cybercriminal network based in Pakistan has launched more than 300 cracking websites since 2021, targeting users seeking pirated software with information-stealing malware. This operation is one of the largest documented cases of coordinated malware distribution through seemingly legitimate software portals, impacting both corporate and individual users worldwide.


The network exploits the allure of free software, tricking victims into downloading malicious executables disguised as activation tools. Once executed, these payloads steal browser credentials, cryptocurrency wallets, and sensitive data, sending the information to command-and-control servers.

The campaign employs advanced techniques, including search engine optimization and Google Ads, to attract victims searching for cracked software. 


Analysts from Intrinsec traced the operation back to domains like kmspico.io, revealing a network of Pakistani freelancers who may have been unaware of the malicious intent behind their projects.

The operation relies on a centralized DNS infrastructure, primarily using ns1.filescrack.com, and is hosted by a Pakistani provider, 24xservice. Domain registration records link to real identities, indicating security lapses that allowed for attribution. The malware distribution is monetized through InstallPP, a pay-per-install service, highlighting the professional nature of this cybercrime network.
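The shared nameserver is the kind of infrastructure detail a defender can pivot on. The following is an added example, not code from Intrinsec or the report: it clusters domains from passive-DNS style NS records around ns1.filescrack.com (the only nameserver named above) and surfaces sibling nameservers for the next pivot. Every record below is constructed; only kmspico.io and ns1.filescrack.com come from the article, the other names are placeholders.

```python
from collections import defaultdict

# Constructed sample records in (domain, record type, value) form, shaped
# like a passive-DNS export. Only kmspico.io and ns1.filescrack.com are
# taken from the article; the rest are placeholder names.
SAMPLE_RECORDS = [
    ("kmspico.io", "NS", "ns1.filescrack.com."),
    ("kmspico.io", "NS", "ns2.filescrack.com."),
    ("example-crack-site.test", "NS", "ns1.filescrack.com."),
    ("example-activator.test", "NS", "NS1.FILESCRACK.COM"),
    ("unrelated.test", "NS", "ns1.example-registrar.test."),
    ("unrelated.test", "A", "192.0.2.10"),
]

PIVOT_NS = "ns1.filescrack.com"  # nameserver named in the article


def normalize(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def domains_by_nameserver(records):
    # Index: nameserver -> set of domains delegated to it.
    index = defaultdict(set)
    for domain, rtype, value in records:
        if rtype.upper() == "NS":
            index[normalize(value)].add(normalize(domain))
    return index


def pivot_candidates(records, nameserver=PIVOT_NS):
    # Domains sharing the pivot nameserver: candidates for blocklisting
    # or further review, not proof of malice on their own.
    index = domains_by_nameserver(records)
    return sorted(index.get(normalize(nameserver), set()))


def sibling_nameservers(records, nameserver=PIVOT_NS):
    # Other nameservers used by the pivoted domains; each is a new pivot.
    index = domains_by_nameserver(records)
    pivoted = index.get(normalize(nameserver), set())
    siblings = {ns for ns, doms in index.items() if doms & pivoted}
    siblings.discard(normalize(nameserver))
    return sorted(siblings)


if __name__ == "__main__":
    print("candidates:", pivot_candidates(SAMPLE_RECORDS))
    print("next pivots:", sibling_nameservers(SAMPLE_RECORDS))
```

Feed it a real passive-DNS export instead of SAMPLE_RECORDS and review the candidate list manually before acting on it, since a shared nameserver alone is a lead, not a verdict.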