Payroll Pirates: One Network, Hundreds of Targets
Cyber threats don’t always come with warning signs. Sometimes, they arrive as sponsored ads. Since mid-2023, a financially motivated network has been quietly hijacking payroll systems, credit unions, and trading platforms across the U.S. Their method? Malvertising. Their goal? Money. Their name? Payroll Pirates.
This isn’t a one-off campaign. It’s a coordinated operation that’s evolved over time – technically, tactically, and geographically.
It has targeted over 200 interfaces and has lured in more than 500,000 users.
It Started with Google Ads
Back in May 2023, Check Point External Risk Management researchers began tracking phishing sites that impersonated payroll platforms. These sites were promoted through Google Ads, targeting employees logging into HR portals. Once credentials were stolen, attackers rerouted salaries to their own accounts.

The infrastructure was split into clusters. Each had its own domains, Telegram channels, and exfiltration methods. But the kits were nearly identical. That suggested a shared origin, or a marketplace model where multiple operators used the same tools.
By November 2023, the campaign went quiet. But it wasn’t over.
A Smarter Comeback
In June 2024, the network returned with upgraded kits. The phishing pages now included dynamic elements that could bypass two-factor authentication (2FA). Operators used Telegram bots to interact with victims in real time, requesting one-time codes and security answers.
The backend was redesigned. Instead of exposing exfiltration endpoints, the kits used scripts like xxx.php and check.php to communicate silently with operators. This made the infrastructure harder to detect, and nearly impossible to disrupt.
Not Just Payroll
By August 2024, Malwarebytes reported similar tactics used against a major retailer. In December, SilentPush published a deep dive into the same network, confirming its expansion into credit unions and trading platforms.
Significant spikes in tracked keyword activity were observed in September 2025, and the investigation into the phishing campaign was reopened as a result. Due to an OPSEC failure by the operators, Check Point’s External Risk Management Research team was able to obtain some visibility into the network. The team found that a single Telegram bot was orchestrating 2FA feedback across all the different target types – credit unions, payroll, health care benefits, trading platforms, and more. This showed that all prior reports were describing the same network, not merely a shared phishing kit.
This wasn’t just a shared kit. It was a unified network.
Logs showed at least four admins, each managing different target channels. One operator posted a video from the Black Sea coast near Odesa, suggesting a physical location. The same operator was also a member of multiple groups focused in Dnipro, another Ukrainian city, suggesting at least some of the operators were based in Ukraine at the time.

Two Clusters, One Goal
The network operates in two main clusters:
Cluster 1: Google Ads + Redirect Cloaking
This method uses “white pages” to pass ad reviews. These pages look harmless but redirect victims to phishing sites when activated. Hosting is often done via providers in Kazakhstan and Vietnam, with domains registered in bulk.

Cluster 2: Bing Ads + Aged Domains
This cluster targets financial institutions using Microsoft Ads. Domains are aged for months before use and host dozens of phishing pages with randomized URLs. A cloaking service from adspect.ai determines which page to show based on browser fingerprinting.
Both clusters use the same phishing kits. Pages adapt dynamically based on operator feedback, making it easy to bypass most authentication methods.
Infrastructure Insights
The kits follow consistent naming patterns: xxx.php, analytics.php, check.php. Some newer versions use obfuscated JavaScript (script.js) to hide their exfiltration logic.
Ad accounts are verified and often run legitimate-looking campaigns. Operators use U.S. residential IPs and routers with PPTP exposed, possibly drawn from a purchased proxy list. One admin was spotted asking for help on a proxy support channel.

What You Can Do
This campaign is still active. Here’s how to stay ahead:
- Monitor ad networks for suspicious campaigns targeting employee portals and financial services.
- Use phishing-resistant authentication for sensitive actions—like confirmation emails with context.
- Report fraudulent ads and hosting abuse to relevant providers.
- Deploy honeypot accounts to gather threat intelligence and flag suspicious behavior.
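As an added example (not code from the Check Point report or its team), the script below shows how the monitoring advice above and the endpoint naming pattern described under Infrastructure Insights (xxx.php, analytics.php, check.php, script.js) can be turned into a simple web-proxy log check. It flags requests to those kit-style endpoints on hosts outside an organisation’s approved payroll/HR portals, and adds weight when the visit arrived via a paid-search click or the host name contains a monitored brand keyword. The log format, the allowlist, the keyword list and every domain and IP in the sample log are constructed for illustration.

```python
"""Detect kit-style endpoint requests in web-proxy logs (added example, not project code)."""
import re
from urllib.parse import urlsplit

# Endpoint names the post attributes to the Payroll Pirates phishing kits.
KIT_ENDPOINTS = {"xxx.php", "check.php", "analytics.php", "script.js"}

# Hypothetical allowlist of the organisation's genuine portals (constructed).
APPROVED_PORTALS = {"payroll.example.com", "hr.example.com"}

# Hosts that appear as the referrer of a paid-search click (constructed list;
# extend with whatever ad-click hosts your own proxy logs actually show).
AD_CLICK_HOSTS = ("googleadservices.com", "bing.com")

# Brand keywords whose appearance in an unapproved host name is suspicious (constructed).
WATCHED_KEYWORDS = ("payroll", "creditunion", "hrportal")

# Constructed proxy log format: <timestamp> <src-ip> <method> <url> "<referrer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<referrer>[^"]*)"$'
)

# Constructed sample log; no real domains or addresses.
SAMPLE_LOG = """\
2025-09-02T08:14:03Z 10.0.0.12 GET https://payroll.example.com/login "https://www.google.com/"
2025-09-02T08:15:41Z 10.0.0.17 POST https://payroll-login-portal.example.net/acct/check.php "https://www.googleadservices.com/pagead/aclk?sa=L"
2025-09-02T08:16:02Z 10.0.0.17 GET https://payroll-login-portal.example.net/assets/script.js "https://payroll-login-portal.example.net/"
2025-09-02T08:20:10Z 10.0.0.21 GET https://news.example.org/analytics.php "-"
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def _host_matches(host, suffixes):
    """Exact or subdomain match against a tuple of domain suffixes."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def reasons_for(entry):
    """List the reasons a log entry looks like phishing-kit traffic (empty if none)."""
    url = urlsplit(entry["url"])
    host = url.hostname or ""
    if host in APPROVED_PORTALS:
        return []  # traffic to a genuine portal is never flagged here
    reasons = []
    leaf = url.path.rsplit("/", 1)[-1].lower()
    if leaf in KIT_ENDPOINTS:
        reasons.append(f"request to kit-style endpoint {leaf} on unapproved host {host}")
    ref_host = urlsplit(entry["referrer"]).hostname or ""
    if _host_matches(ref_host, AD_CLICK_HOSTS):
        reasons.append(f"arrived via paid-search click from {ref_host}")
    # Strip hyphens so "payroll-login" and "payrollogin" are treated alike.
    if any(k in host.replace("-", "") for k in WATCHED_KEYWORDS):
        reasons.append(f"monitored brand keyword in unapproved host {host}")
    return reasons


def detect(log_text, threshold=2):
    """Scan a log and return alerts for entries with at least `threshold` reasons."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        reasons = reasons_for(entry)
        if len(reasons) >= threshold:
            alerts.append({
                "ts": entry["ts"],
                "src": entry["src"],
                "host": urlsplit(entry["url"]).hostname,
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["ts"], alert["src"], alert["host"])
        for r in alert["reasons"]:
            print("   -", r)
```

The threshold of two reasons is what keeps a lone `analytics.php` hit on an unrelated site from paging anyone; a kit endpoint reached straight from an ad click, or on a host that borrows the brand name, is the combination the post describes and is worth a ticket. In practice the allowlist and keyword list should come from the organisation’s real portal inventory, and the alert should be enriched with domain age, since the Bing cluster deliberately ages its domains.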
The Payroll Pirates network isn’t just persistent; it’s adaptive. It’s built to scale, built to hide, and built to win. But it’s not invisible. With the right tools, the right insights, and the right vigilance, we can disrupt their operations before they reach the payroll.
About Check Point External Risk Management
Check Point’s External Risk Management solution is built to uncover threats like Payroll Pirates before they cause damage. By continuously monitoring ad networks, credential abuse, and infrastructure changes across the open, deep and dark web, the team can detect phishing campaigns in their earliest stages. The platform’s ability to correlate indicators across multiple clusters—ads, domains, Telegram activity, and more—helps link disparate attacks to a single network. That’s how we move fast, disrupt infrastructure, and protect organizations from credential theft and payroll fraud.
See the full report here for technical details, indicators of compromise, and recommendations.