Key findings
- Information on WHOIS records of cracking websites used to deliver stealers, which have impacted some of our clients. Inside the records, various email addresses link to the real identities of Pakistani freelancers specialised in web development and advertising. Reminiscent of how the CryptBot malware operated, these individuals follow a pay-per-install model for financial gain.
- Nameservers of the domain filescrack[.]com, registered by the same Pakistani individuals, have been used since 2021 by more than 300 cracking websites. Additionally, the hosting provider 24xservice may be used by this network of freelancers to register the domains of cracking websites. In fact, the range 216.143[.]0/24, hosted by AS57717 (24xhosting), is almost entirely filled with cracking websites.
- Strategic and geopolitical information on Pakistan’s cyber ecosystem, which reveals closer ties with China in recent years, especially in terms of intelligence sharing and emergency response cooperation. Additionally, little can be done to prosecute the Pakistani individuals behind these malicious activities, as there is no extradition treaty between the US and Pakistan. Servers and domains can be seized, but this is only a temporary measure until new ones are rebuilt, just as we observed with CryptBot.
Introduction
Many of our clients’ employees fall prey to stealer compromises. Their credentials are then leaked or sold on dedicated marketplaces, cybercrime forums and communication channels such as Telegram. Leaked credentials can then be used as initial access to deliver other payloads into corporate networks, such as RATs for espionage purposes or ransomware for data leaks. In most cases, these employees were compromised after downloading and executing cracked software. As already explored in a previous analysis (see Following the Sources of Infections Leading to the Deployment of CryptBot[1]), websites offering cracked software are a well-known propagation vector for stealer malware. In this analysis, however, we explore the ecosystem linked to these websites, giving insight into how they are built and by whom. This information sheds light on another aspect of the stealer kill chain, one that starts before the deployment of the malicious payloads, and further illustrates the segmentation of cybercrime activities. We deliberately did not analyse the technical kill chain that follows a victim downloading malicious cracked software, as we have already covered it in previous analyses (CryptBot, Lumma, …).
We discovered a network of Pakistani freelancers who build websites related to cracking, potentially for third-party clients, and who can also use SEO and Google Ads to promote and rank these websites. As exposed by Google and in our CryptBot analysis[2], Pakistani cybercriminals can be directly involved in cracking websites that deliver stealer malware. We suspect that, mostly at the beginning of their activity, Pakistani freelancers may not be cautious or selective about the types of projects offered to them. As such, they could accept such opportunities to build their reputation and earn money. Once enough time has passed and they have built their portfolio, they could start institutionalising themselves, just like one freelancer we discovered, who created his own website-building company and has not been directly linked to cracking websites since 2021.
[1] https://www.intrinsec.com/cryptbot-hunting-for-initial-access-vector/
[2] https://www.intrinsec.com/wp-content/uploads/2024/12/TLP-CLEAR-CryptBot-Hunting-for-intial-access-vectors.pdf
Intrinsec’s CTI services
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach in the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to the compromises they face.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients’ existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.