Saturday, December 13, 2025

How a Network of 300+ Malicious Websites Was Used by Pakistani Actors to Distribute Info-Stealing Malware

A sophisticated network of over 300 malicious websites designed to deliver info-stealing malware has been traced to a group of Pakistani freelancers, according to a January 2025 report by Intrinsec’s Cyber Threat Intelligence (CTI) team.

This network, centered around sites offering cracked or pirated software, is responsible for the initial compromise of employees at several major organizations, resulting in leaked credentials and opening the door to further cyberattacks, such as ransomware and espionage.

Technical Unmasking: From Cracking Sites to Credential Theft

At the heart of the campaign lies a consistent modus operandi: the use of professionally built “cracking” websites that claim to provide free downloads of otherwise paid software.

Analysis of WHOIS records for these domains reveals registration details, including confirmed email addresses, that lead to identifiable Pakistani freelancers specializing in web development and digital advertising.

Many were found to be working through freelance platforms before establishing more formal digital businesses.

A key domain, filescrack[.]com, has been linked to the same group since 2021. Notably, its nameservers have supported over 300 additional domains, each set up as a unique entry point for potential victims.

These websites are aggressively promoted through black hat SEO techniques and Google Ads campaigns, a method previously documented in the spread of infostealers like CryptBot.

When a user downloads and executes software from these sites, a stealer malware payload is delivered, effectively capturing credentials, browser session cookies, and other sensitive data.

Once exfiltrated, this data is quickly monetized: initially posted for sale on cybercrime forums, then traded over private Telegram channels or used as an initial access point for more damaging attacks inside corporate networks.

The Infrastructure: 24xservice Hosting Provider

Technical analysis shows the majority of these domains are hosted within the IP range 216.143[.]0/24, operated by 24xservice (AS57717).

This block, nearly filled with malicious cracking websites, offers low-cost and anonymous hosting, ideal for cybercriminal activity.

The hosting provider’s lack of robust customer verification and abuse handling allows the network to operate with impunity, enabling domains to be rapidly rebuilt and redeployed even after takedowns.

Geopolitics and Legal Challenges

Intrinsec’s findings further underscore the shifting dynamics of Pakistan’s cyber landscape.

Pakistani actors have deepened collaborations with China regarding intelligence and emergency response, a partnership that complicates international efforts against cybercrime.

With no extradition treaty between Pakistan and the US, Pakistani individuals behind these operations are effectively shielded from Western law enforcement.

The most that can be done is to seize domains and servers, a disruptive but only temporary tactic, as the network inevitably springs back with fresh infrastructure.

Defensive Measures and Outlook

This campaign serves as a reminder of the segmented and professionalized nature of the malware ecosystem: freelancers provide infrastructure, traffickers drive traffic, and affiliates monetize infections.

For organizations, this means that focusing solely on malware detection is insufficient. Proactive measures, including continuous external asset monitoring, endpoint protection, user training, and regular credential leak checks, are essential.
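The infrastructure pivots described above (domains sharing a nameserver, a registrant email, or a hosting block saturated with cracking sites) and the continuous monitoring this paragraph calls for can be combined into a small triage routine. The following Python script is an added example written for this article; it is not code from Intrinsec or from the report. Every domain, nameserver, IP address, email address and log line in it is constructed, and the suspect hosting block is a TEST-NET placeholder rather than the real range named in the report. It scores candidate domains by infrastructure overlap, then matches constructed DNS resolver log lines against the flagged set so that a defender can see which internal hosts resolved them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample enrichment records (hypothetical): each row is the kind of
# passive-DNS / WHOIS data a defender would gather for a candidate domain.
# Domains, nameservers, IPs and e-mail addresses are all placeholders.
RECORDS = [
    {"domain": "free-soft-crack.example", "ns": "ns1.sharedns.example",
     "ip": "203.0.113.10", "email": "reg-a@mail.example"},
    {"domain": "pro-tools-keygen.example", "ns": "ns1.sharedns.example",
     "ip": "203.0.113.22", "email": "reg-a@mail.example"},
    {"domain": "cad-full-version.example", "ns": "ns1.sharedns.example",
     "ip": "203.0.113.57", "email": "reg-b@mail.example"},
    {"domain": "corp-intranet.example", "ns": "ns.corp-dns.example",
     "ip": "198.51.100.5", "email": "it@corp.example"},
    {"domain": "news-site.example", "ns": "ns.bighoster.example",
     "ip": "192.0.2.77", "email": "reg-c@mail.example"},
]

# Placeholder for a hosting block known to be saturated with cracking sites
# (TEST-NET-3 is used here; the report's real range is deliberately not reproduced).
SUSPECT_BLOCK = ipaddress.ip_network("203.0.113.0/24")
KEYWORDS = ("crack", "keygen", "full-version", "patched")
SHARED_NS_MIN = 3  # a nameserver serving >= 3 domains in the set counts as shared infra


def group_by(records, key):
    """Map each value of `key` to the sorted list of domains carrying it."""
    groups = defaultdict(list)
    for r in records:
        groups[r[key]].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items()}


def score_domain(rec, ns_groups, email_groups):
    """Return (score, reasons) for one record; higher means stronger infrastructure overlap."""
    score, reasons = 0, []
    if ipaddress.ip_address(rec["ip"]) in SUSPECT_BLOCK:
        score += 2
        reasons.append("ip in suspect hosting block")
    shared = len(ns_groups[rec["ns"]])
    if shared >= SHARED_NS_MIN:
        score += 1
        reasons.append(f"nameserver shared with {shared} domains")
    if len(email_groups[rec["email"]]) > 1:
        score += 1
        reasons.append("registrant e-mail reused")
    if any(k in rec["domain"] for k in KEYWORDS):
        score += 1
        reasons.append("cracking-themed name")
    return score, reasons


def triage(records, threshold=3):
    """Return {domain: (score, reasons)} for records scoring at or above threshold."""
    ns_groups = group_by(records, "ns")
    email_groups = group_by(records, "email")
    out = {}
    for r in records:
        s, why = score_domain(r, ns_groups, email_groups)
        if s >= threshold:
            out[r["domain"]] = (s, why)
    return out


# Constructed DNS resolver log lines (hypothetical format: ISO time, host, query).
DNS_LOG = """\
2025-01-14T09:58:02Z host=ws-041 query=news-site.example
2025-01-14T10:02:11Z host=ws-017 query=free-soft-crack.example
2025-01-14T10:02:40Z host=ws-017 query=cdn.free-soft-crack.example
2025-01-14T10:15:09Z host=ws-103 query=corp-intranet.example
2025-01-14T11:21:33Z host=ws-088 query=pro-tools-keygen.example
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<q>\S+)$")


def find_hits(log_text, flagged):
    """Return {host: sorted flagged domains it resolved}; subdomains of a flagged domain match."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        q = m.group("q").lower().rstrip(".")
        for d in flagged:
            if q == d or q.endswith("." + d):
                hits[m.group("host")].add(d)
    return {h: sorted(v) for h, v in hits.items()}


if __name__ == "__main__":
    flagged = triage(RECORDS)
    for dom, (s, why) in sorted(flagged.items()):
        print(f"{dom}: score={s} ({'; '.join(why)})")
    for host, doms in sorted(find_hits(DNS_LOG, flagged).items()):
        print(f"{host} resolved flagged domains: {doms}")
```

The weights and the threshold are arbitrary choices for the example; in practice the suspect block and keyword list would come from a threat intelligence feed, and the scored domains would feed a resolver blocklist while the host matches feed the endpoint-triage queue.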

Intrinsec’s CTI services now offer tailored threat intelligence feeds, digital risk monitoring, and brand protection to help organizations stay ahead of this evolving threat.

As stealer malware campaigns continue to use tactics honed in networks like this, only a comprehensive, intelligence-led defense can offer meaningful protection.
