August 14, 2025

The Anatomy of an Attack: Pakistan Based Infostealer Delivery Network Exposed

CloudSEK’s TRIAD uncovered a Pakistan-based infostealer distribution network run through the pay-per-install (PPI) schemes InstallBank and SpaxMedia/Installstera. Using SEO-poisoned warez sites and forum spam, the group delivered Lumma, Meta, and AMOS stealers, amassing 449M+ clicks, 1.88M+ installs, and $4.67M in revenue. Leaked stealer logs exposed operators, infrastructure, and financial records, revealing a family-linked operation targeting global piracy seekers via thousands of domains over five years.

Authors & Contributors

Pavan Karthick M
Threat Intelligence Researcher at CloudSEK
Vikas Kundu
Nivya Ravi
