
In an era where cracked software often disguises cyber threats, a new report from Intrinsec exposes the infrastructure behind the scenes: an ecosystem of Pakistani freelancers unknowingly or willingly building websites used to deliver stealer malware. According to the report, “many of our client’s employees fall prey to stealer compromises” through cracked software portals, opening corporate doors to espionage and ransomware.
This investigation not only uncovers the infrastructure of these stealer distribution hubs but also highlights the global inaction caused by geopolitical loopholes.
The report links Pakistani web developers—often freelance professionals from regions like Sargodha—to a network of websites that serve cracked software laced with malware. These freelancers, whose identities were partially uncovered through WHOIS records and social media traces, appear to operate under a “pay-per-install model for financial gains”. This model resembles the operations of the Cryptbot criminal enterprise previously detailed by Google and Intrinsec.
The shift from legitimate freelance work to building malicious sites may stem from the need to build a portfolio quickly. As Intrinsec notes, “Pakistani freelancers may not be cautious or regardant on the types of projects offered to them”—a vulnerability cybercrime clients are clearly exploiting.
At the core of this network is the domain filescrack[.]com, a recurring name server in over 300 cracking websites since 2021. This infrastructure was maintained through the Pakistani hosting provider 24xservice[.]com (AS57717), which Intrinsec reveals is “almost full of cracking websites” within the IP range 185.216.143[.]0/24.
What’s more, the domain registration and server management were tied to email addresses linked directly to identified Pakistani freelancers. Some even evolved to operate their own web development businesses, seemingly shifting away from illicit projects after building a reputation.
Another alarming discovery in the report is the use of a now-defunct website, installpp[.]com, which offered a pay-per-install service. Screenshots obtained from stealer infections revealed Skype group chats labeled “InstallPP” and “network ad,” where members shared links to cracking websites.
As Intrinsec explains, “once a client downloads a ‘product’… the member of InstallPP gets a commission based on the operating system and country of the victim.” Though such services could be used for benign software, their connection to malware-laced downloads is clear.
The investigation underscores a significant enforcement challenge: “there is no extradition treaty between the US and Pakistan,” which means legal action against these cyber actors is nearly impossible. While domains can be seized temporarily, the infrastructure is rebuilt quickly, creating a persistent threat.
Adding complexity, Pakistan’s growing ties with China and Russia—nations often at odds with Western cybersecurity norms—create further shielding. The report warns: “Traffic coming from Pakistan should be treated carefully,” especially as intelligence cooperation between Islamabad and Beijing deepens.
Intrinsec’s findings reveal not just a network of websites, but a systematic exploitation of freelance talent, lax enforcement, and geopolitical loopholes. While takedowns can disrupt operations temporarily, the report concludes that “this is only a temporary measure until new ones are rebuilt.”
As cracking websites continue to serve as gateways for stealers like Lumma and Rhadamanthys, organizations are urged to implement strong defenses, including employee training, IOC blocking, and multi-factor authentication.