The network known as Payroll Pirates has been active for several years, operating as a fully organized structure that promotes phishing pages through paid advertising and targets a wide range of industries. Its scale has grown to hundreds of tailored phishing pages and hundreds of thousands of redirected visits, with the architecture distributed across multiple clusters whose operators follow a unified playbook. The system is engineered so that the lure looks entirely credible and the theft of credentials goes almost unnoticed by the victim.
The first wave emerged in the spring of 2023, when Check Point researchers noticed phishing sites masquerading as popular HR portals. The pages were promoted through Google Ads and targeted individuals logging into payroll management accounts. Once a victim entered credentials, the attackers used them to log in and diverted salary payments to attacker-controlled accounts. The infrastructure consisted of distinct domain groups, dedicated Telegram channels, and near-identical script bundles, indicating either a shared tooling source or a model in which different operators relied on the same technical framework. By November 2023, activity had diminished, though the campaign itself had not ended.
Several months later, the network resurfaced with an updated suite of pages designed to defeat two-factor authentication by relaying it in real time. Operators deployed Telegram bots to interact with victims while they were still on the page, requesting one-time codes and supplemental verification responses that could be replayed against the real portal before they expired. The server side was also redesigned: instead of posting stolen data to an obvious collection endpoint, the pages submitted it to innocuous-looking scripts such as xxx.php and check.php, complicating detection and takedown. This shift made the infrastructure more covert and more resilient to disruption.
Soon, evidence emerged that the attackers had broadened their scope. In August 2024, Malwarebytes identified similar attack patterns targeting a major retail chain, and in December, SilentPush reported analogous techniques being used against credit unions and e-commerce platforms. By autumn 2025, a surge in related queries prompted renewed analysis. Due to an operator’s mistake, Check Point researchers gained partial access to the internal structure and uncovered a single, centralized Telegram bot through which data from all target categories flowed—from financial services to healthcare portals. This confirmed that the operation was not a collection of loosely related toolkits but a fully centralized network.
Activity logs revealed at least four administrators. One posted videos from the coastline near Odesa and participated in several regional groups associated with Dnipro, suggesting that part of the operation was based in Ukraine.
The operation is built on two primary clusters. The first relies on Google Ads and sophisticated cloaking. To pass ad-network moderation, the advertised domain initially serves a benign placeholder page; once the campaign is approved and switched on, visitors are redirected to the phishing clone. Such domains are often registered in bulk, with hosting frequently located in Kazakhstan and Vietnam.
The second cluster uses Microsoft Ads and depends on pre-aged domains cultivated for several months before use, so that they do not look newly registered. Dozens of pages with randomized URLs are deployed on these sites, and the cloaking service adspect.ai decides which version a visitor sees based on browser and client characteristics, so that reviewers and scanners get a harmless page while the intended targets get the phishing form.
Despite the different advertising channels, both clusters employ identical script kits. Pages change what they display in response to operator commands, for example prompting for a one-time code when the operator needs one, which eases the bypass of authentication challenges. File names recur across versions: xxx.php, analytics.php, check.php. Newer variants use obfuscated JavaScript to conceal the data exfiltration. Advertising accounts are put through the platforms' verification process and are sometimes padded with legitimate campaigns so that they look like ordinary advertisers. Operators route their traffic through U.S. IP addresses and routers with PPTP exposed to the internet, likely acquired as part of ready-made proxy lists. One administrator even sought advice in a technical proxy-services chat, indirectly confirming the nature of the underlying infrastructure.
Despite its stealth, the campaign continues to leave traces. Effective defense requires monitoring paid search results for your own HR and payroll brands and reporting suspicious ad placements, alerting on outbound POSTs to the recurring kit script names on unfamiliar domains, using phishing-resistant authentication (one-time codes can be relayed by an operator in real time, as this kit does, whereas FIDO2/WebAuthn credentials are bound to the legitimate origin and cannot be replayed), deploying honeytoken accounts or other traps to detect unauthorized activity, and blocking fraudulent pages as they arise. Payroll Pirates was designed as a platform capable of adapting and evolving, but vigilant, well-tuned monitoring deprives it of its most valuable asset: invisibility.
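As an added example (not code from the article or from Check Point), the following Python script applies the log-monitoring idea above to web-proxy logs: it flags sessions that arrive through a search-ad click (gclid for Google Ads, msclkid for Microsoft Ads) and then POST to one of the kit script names the article reports recurring across versions, on a host that is not a known HR/payroll vendor. The log line layout, the vendor allowlist, the ad-click markers and the severity rules are assumptions for illustration, and the sample log lines are constructed.

```python
"""Flag ad-driven payroll-phishing traffic in web-proxy logs.

Added example, not code from the article or from Check Point. It encodes
the pattern the article describes: a visit that arrives through a search-ad
click and then POSTs to one of the kit scripts seen across versions
(xxx.php, analytics.php, check.php) on a host that is not a known
HR/payroll vendor. Log format, allowlist and severity rules are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Script names the article reports recurring across kit versions.
KIT_SCRIPTS = {"xxx.php", "analytics.php", "check.php"}

# Hypothetical allowlist of the organisation's legitimate HR/payroll hosts.
KNOWN_HR_HOSTS = {"myworkday.example", "payroll-vendor.example"}

# Markers of a paid-search click (assumed: gclid = Google Ads, msclkid = Microsoft Ads).
AD_CLICK_PARAMS = {"gclid", "msclkid"}
AD_REFERER_HOSTS = {"www.googleadservices.com", "www.bing.com"}

# Assumed log line layout: <ts> <src-ip> <method> <url> <status> <referer|->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    host: str
    script: str
    severity: str  # "high" if the session arrived via an ad click, else "medium"
    reason: str


def parse_line(line):
    """Return (ts, src, method, host, path, query_keys, referer_host) or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    ref = urlsplit(m["referer"]) if m["referer"] != "-" else None
    return (
        m["ts"], m["src"], m["method"],
        (url.hostname or "").lower(), url.path,
        set(parse_qs(url.query)),
        (ref.hostname or "").lower() if ref else "",
    )


def detect(lines):
    """Scan log lines in order and return Alerts for POSTs to kit scripts."""
    ad_landed = {}  # src-ip -> hosts this client reached through an ad click
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, method, host, path, qkeys, ref_host = parsed
        if not host or host in KNOWN_HR_HOSTS:
            continue  # the real vendor is expected to receive login POSTs
        if qkeys & AD_CLICK_PARAMS or ref_host in AD_REFERER_HOSTS:
            ad_landed.setdefault(src, set()).add(host)
        script = path.rsplit("/", 1)[-1].lower()
        if method == "POST" and script in KIT_SCRIPTS:
            via_ad = host in ad_landed.get(src, set())
            alerts.append(Alert(
                ts, src, host, script,
                "high" if via_ad else "medium",
                "POST to kit script after ad-click landing" if via_ad
                else "POST to kit script on unknown host",
            ))
    return alerts


# Constructed sample: one victim session via a Microsoft Ads click, one
# legitimate vendor login, and one kit-script POST with no ad click in view.
SAMPLE_LOG = [
    "2025-10-02T09:14:02Z 10.1.2.3 GET https://www.bing.com/aclick?ld=abc 302 -",
    "2025-10-02T09:14:03Z 10.1.2.3 GET https://workday-login-hr.example/?msclkid=abc123 200 https://www.bing.com/aclick",
    "2025-10-02T09:14:40Z 10.1.2.3 POST https://workday-login-hr.example/assets/xxx.php 200 https://workday-login-hr.example/",
    "2025-10-02T09:15:12Z 10.1.2.3 POST https://workday-login-hr.example/check.php 200 https://workday-login-hr.example/",
    "2025-10-02T09:16:00Z 10.1.2.9 POST https://myworkday.example/login 200 https://myworkday.example/",
    "2025-10-02T09:17:31Z 10.1.2.7 POST https://cdn.some-site.example/analytics.php 200 https://cdn.some-site.example/",
    "2025-10-02T09:18:05Z 10.1.2.7 GET https://news.example/story?id=5 200 -",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.host}/{a.script}: {a.reason}")
```

On the constructed sample this yields two high-severity alerts for the session that landed via the ad click (the credential POST to xxx.php and the follow-up OTP POST to check.php) and one medium-severity alert for the analytics.php POST with no ad click in view. The script names are a weak indicator on their own, since kits rename files; the stronger signal is the sequence, an ad-click landing on an unfamiliar host followed by a POST, and in production the host check should be backed by domain-age data, which the article notes the Microsoft Ads cluster deliberately games with pre-aged domains.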