A sophisticated cybercriminal network operating from Pakistan has constructed over 300 cracking websites since 2021, serving as distribution platforms for information-stealing malware that targets users seeking pirated software.
This operation is one of the largest documented cases of coordinated malware distribution through seemingly legitimate software cracking portals, and its victims of credential theft include both corporate and individual users worldwide.
The malicious infrastructure leverages the universal appeal of free software to deliver stealer malware, exploiting users’ desire to access premium applications without payment.
Victims typically encounter these websites when searching for cracked versions of popular software, inadvertently downloading malicious executables disguised as legitimate activation tools or software installers.
Once executed, these payloads harvest browser credentials, cryptocurrency wallets, and sensitive authentication data before transmitting the stolen information to command-and-control servers.
The campaign goes beyond simply hosting malware: the operators use search engine optimization and Google Ads to push their domains to the top of results for cracked-software queries, which keeps a steady flow of visitors arriving at sites they believe are genuine cracking resources.
Intrinsec analysts identified the operation through forensic analysis of client compromise incidents, tracing infection sources back to domains such as kmspico.io and related infrastructure.
The investigation revealed a coordinated network of Pakistani freelancers specializing in web development and digital advertising, many of whom may have initially been unaware of their clients’ malicious intentions.
These developers utilized a pay-per-install business model reminiscent of the notorious Cryptbot operation, earning commissions based on successful malware installations across different geographic regions and operating systems.
DNS Infrastructure and Distribution Mechanisms
The technical foundation of this operation centers on a centralized DNS infrastructure using ns1.filescrack.com as the primary nameserver for the majority of malicious domains.
This nameserver has been associated with over 300 cracking websites as of September 2024, with domain registration patterns indicating systematic expansion since June 2021.
Sharing one nameserver gives the operators central control over resolution while spreading takedown risk across many domain names; for defenders it is also a single pivot point, since any domain delegated to ns1.filescrack.com can be flagged without knowing its name in advance.
The hosting infrastructure primarily utilizes 24xservice, a Pakistani provider operating autonomous system AS57717 from Lahore.
Analysis of the IP range 185.216.143.0/24 shows it is used almost exclusively for cracking websites, suggesting either infrastructure dedicated to the operation or abused hosting services; either way, the range is narrow enough to be blocked or alerted on as a unit rather than address by address.
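The two pivots above (delegation to ns1.filescrack.com and resolution into 185.216.143.0/24) are easy to turn into a triage rule over passive-DNS or resolver logs. The script below is an added example written for this page, not code from Intrinsec or the article; the only indicators taken from the article are the nameserver and the /24. The DNS records it scores are constructed sample data, and the domain names ending in `.example` and the 203.0.113.x addresses are hypothetical placeholders.

```python
"""Triage domains against the infrastructure pivots described in the article.

Pivot 1: NS delegation to ns1.filescrack.com.
Pivot 2: an A record inside 185.216.143.0/24 (AS57717).
Records in SAMPLE_RECORDS are CONSTRUCTED for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Indicators from the article. Add more as the investigation grows.
SUSPECT_NAMESERVERS = {"ns1.filescrack.com"}
SUSPECT_NETWORKS = [ipaddress.ip_network("185.216.143.0/24")]


@dataclass
class DnsRecord:
    """One passive-DNS observation: the NS and A answers seen for a domain."""
    domain: str
    ns: list[str] = field(default_factory=list)
    a: list[str] = field(default_factory=list)


def _normalize_name(name: str) -> str:
    # DNS answers often carry a trailing dot and arbitrary case.
    return name.rstrip(".").lower()


def nameserver_hits(ns_answers: list[str]) -> list[str]:
    """Return the suspect nameservers present in the NS answer set."""
    return sorted(
        n for n in map(_normalize_name, ns_answers) if n in SUSPECT_NAMESERVERS
    )


def network_hits(a_answers: list[str]) -> list[str]:
    """Return the A answers that fall inside a suspect network."""
    hits = []
    for text in a_answers:
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # malformed answer; ignore rather than crash the hunt
        if any(ip in net for net in SUSPECT_NETWORKS):
            hits.append(text)
    return hits


def score(record: DnsRecord) -> tuple[str, list[str]]:
    """Return (verdict, reasons): 'high' if both pivots match, 'medium' for one."""
    reasons = []
    ns = nameserver_hits(record.ns)
    if ns:
        reasons.append("NS delegated to " + ", ".join(ns))
    ips = network_hits(record.a)
    if ips:
        reasons.append("resolves into suspect range: " + ", ".join(ips))
    verdict = {2: "high", 1: "medium", 0: "none"}[len(reasons)]
    return verdict, reasons


def triage(records: list[DnsRecord]) -> dict[str, tuple[str, list[str]]]:
    """Score every record, keyed by domain."""
    return {r.domain: score(r) for r in records}


# Constructed sample data. kmspico.io is named in the article; its answers
# here are illustrative. The .example domains and 203.0.113.x IPs are placeholders.
SAMPLE_RECORDS = [
    DnsRecord("kmspico.io", ns=["NS1.FILESCRACK.COM."], a=["185.216.143.10"]),
    DnsRecord("office-activator.example", ns=["ns1.filescrack.com"], a=["203.0.113.5"]),
    DnsRecord("driver-pack-crack.example", ns=["ns1.hoster.example"], a=["185.216.143.77"]),
    DnsRecord("legit-vendor.example", ns=["ns1.hoster.example"], a=["203.0.113.9", "garbage"]),
]

if __name__ == "__main__":
    for domain, (verdict, reasons) in triage(SAMPLE_RECORDS).items():
        print(f"{domain:28} {verdict:7} {'; '.join(reasons)}")
```

Feeding real resolver logs in place of `SAMPLE_RECORDS` is the only change needed; the normalization step matters because NS answers from different sources disagree on case and trailing dots, and a strict string compare would miss the delegation.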
Domain registration records contain email addresses linking to real identities of Pakistani freelancers, indicating operational security failures that enabled attribution to specific individuals within the network.
The malware distribution mechanism operates through InstallPP, a pay-per-install service that monetizes successful infections based on victim geography and operating system.
This service integration demonstrates the professionalized nature of the operation, with clear financial incentives driving continued expansion and refinement of distribution techniques.
The post Pakistani Actors Built 300+ Cracking Websites Used to Deliver Info-Stealer Malware appeared first on Cyber Security News.