Many of our clients' employees fall prey to stealer compromises. Their credentials are then leaked or sold on dedicated marketplaces, cybercrime forums and communication channels such as Telegram. Leaked credentials can then serve as initial access to deliver other payloads into corporate networks, such as RATs for espionage purposes or ransomware leading to data leaks. In most cases, these employees were compromised after downloading and executing cracked software. As already explored in a previous analysis (see Following the Sources of Infections Leading to the Deployment of CryptBot [1]), websites offering cracked software are a well-known propagation vector for stealer malware. In this analysis, however, we explore the ecosystem behind these websites, giving insight into how they are built and by whom. This sheds light on another aspect of the stealer kill chain, one that starts before the deployment of the malicious payloads, and further illustrates the segmentation of cybercrime activities. We deliberately did not analyse the technical kill chain that follows a victim's download of malicious cracked software, as we have already covered it in previous analyses (CryptBot, Lumma, …).
We discovered a network of Pakistani freelancers who build cracking-related websites, potentially for third-party clients, and who can also use SEO and Google Ads to promote and rank these websites. As exposed by Google and in our CryptBot analysis [2], Pakistani cybercriminals can be directly involved in cracking websites that deliver stealer malware. We suspect that, mostly at the beginning of their activity, Pakistani freelancers may not be cautious or discerning about the types of projects offered to them, and may therefore accept such opportunities to build their reputation and earn money. Once enough time has passed and they have built their portfolio, they may begin to institutionalise themselves, like one freelancer we discovered, who created his own website-building company and has not been directly linked to cracking websites since 2021.
[1] https://www.intrinsec.com/cryptbot-hunting-for-initial-access-vector/
[2] https://www.intrinsec.com/wp-content/uploads/2024/12/TLP-CLEAR-CryptBot-Hunting-for-intial-access-vectors.pdf
Organisations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.
For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high-value, contextualised and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data and information gathered from our security monitoring services (SOC, MDR, …), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse engineering and pivots.
Intrinsec also offers various services around Cyber Threat Intelligence:
- Risk anticipation: which can be leveraged to continuously adapt the detection & response capabilities of our clients' existing tools (EDR, XDR, SIEM, …) through:
  - an operational feed of IOCs based on our exclusive activities.
  - threat intel notes & reports, TIP-compliant.
- Digital risk monitoring:
  - data leak detection & remediation
  - external asset security monitoring (EASM)
  - brand protection
For more information, go to www.intrinsec.com/en/cyber-threat-intelligence/.