Payroll Pirates: The Widespread Malvertising Network

Since at least May 2023, a financially motivated cyber-crime network has been operating a phishing campaign primarily abusing Google Ads, and occasionally Microsoft Ads to drive traffic to credential-harvesting websites. This campaign – part of which was named “Payroll Pirates” by SilentPush – has remained active, with periodic updates to tactics and target rotations.

Primary targets appear to have been employee portals, enabling attackers to hijack payroll distribution and redirect salaries. A newly observed operator within this network has been exclusively targeting credit unions and trading platforms via Microsoft Ads.

Comments in older pages, as well as communications in internal telegram channels point towards a Russian-speaking group.

The kits that use this network are “live panel” kits, allowing operators to request additional information from the user as needed. This approach also ensures resilience against the introduction of two-factor authentication (2FA), security questions, or step-up authentication later in the process.

The “Payroll Pirates” Network

History and attribution

• First detection – Separate groups with shared origins:
  Initial observations reveal malicious Google Ads redirecting users to phishing sites impersonating payroll SaaS platforms, with activity dating back to at least May 2023.
  Check Point identified at least four distinct clusters, each characterized by unique domain registration patterns, infrastructure setups, and Telegram keys and channels. Despite these differences, the targeted portals showed significant overlap across the groups.
  The groups employed identical targeting strategies, using ads and payroll-related keywords, with notable similarities across the phishing kits. This may suggest that different operators were using the same kit, or that the groups had splintered from a common origin.
  Some groups included a “referral” parameter in the exfiltration endpoint, indicating a potentially more complex affiliate model.
  All kits exhibited traits pointing to Russian-speaking actors, such as code comments, Telegram usernames, and intra-group communications.
  Activity from these groups targeting our tracked brands ceased in late 2023.
• Re-emergence with upgraded 2FA bypass kit: In June 2024, ad activity for our monitored targets resumed, but this time kits seemed more consolidated – the Check Point External Risk Management team observed 2 different activity clusters – both with the exact same updated kit.
  Direct Telegram exfiltration was no longer present directly on the page source, a new backend php script php was added with an interactive mechanism to receive feedback from the operator – this enabled the attackers to bypass 2FA by requesting one-time codes from users as part of the login process.
  The attackers were very agile in changing methods in the kit every time the shared infrastructure was disrupted, until a “final” iteration was created, which hid all traffic from shared backend servers. This left no visible central point to disrupt the campaign. The same methodology is still being used in kits today.
  The quick response hints at a motivated group with their own development resources,  rather than the opportunistic usage of a phishing kit.

• Public reports:
  • August 2024: Malwarebytes published a report on a group with the same distribution tactics targeting a large retailer’s indicating the group doesn’t only target centralized SaaS platforms, but will even target smaller, localized targets, and will move between targets as necessary over time – possibly explaining the “hiatus” between November 2023 and June 2024.
  • December 2024: SilentPush published a report on “Payroll Pirates”. Exposing more victim types – such as credit unions, linked by technical structure. Hunting Payroll Pirates: Silent Push Tracks HR Redirect Phishing Scam

New observations

Significant activity spikes in tracked keywords activity were observed in September 2025. Because of this, the investigation into the phishing campaign was reopened. Due to an OPSEC failure, Check Point’s External Risk Management Research team were able to obtain certain visibility into the network. The team found a single telegram bot was orchestrating 2fa feedback across all different target types – Credit Unions, Payroll, Health care benefits, Trading platforms, etc. This showed that all reports were referring to the same network, and not a shared phishing kit.

Although all different target types have been utilizing the same network, based upon the telegram bot’s logs there have been at least 4 different admins observed. These admins have been adding the telegram bot to each new target channel, suggesting different teams with unique areas of responsibility.

One of the operators uploaded a story to their telegram on Sep 25th, 2025. Check Point External Risk Management’s analysis suggests the video was taken along the coast of the Black Sea, near Odesa, Ukraine. The same operator was also a member of multiple groups focused in Dnipro, another Ukrainian city, suggesting at least some of the operators are were based in the Ukraine at the time.

Technical Analysis

2 different targeting methodologies were identified, that use the same kits and control infrastructure.

Cluster 1 – Google Ads with redirect cloaking

This is the original targeting methodology as depicted in the overview chapter, however, the mechanism of which the victim is led to the end website has evolved, likely for the purpose of bypassing Google Ads reviews.

For this cluster of domains, the domains are typically registered in bulk via WebNIC, MAT BAO or Dominet and use Hostinger, AS210006 (Kazakhstan), AS210909 for hosting, and are sometimes hidden behind Cloudflare CDN.

Cluster 2 – Bing ads with random generated URLs and cloaking service

This cluster uses the Microsoft ad network exclusively, possibly due to the harsher review process for google ads targeting financial keywords. Almost all sites targeted in this cluster are credit unions or financial institutions.

Sites on this cluster have the following properties:

• Domains do not have a discernible naming pattern besides the registration info.
• Almost all domains are “aged” for several months.
• Typically, each domain hosts dozens of phishing pages for different credit unions, using autogenerated urls for each domain in this style:
  • hxxps[:]//qhost24[.]com/ajililisety24/alilojise.html?msclkid=7bdbd37906291476c3acbbba5789fae2
  • hxxps[:]//qhost24[.]com/ajililisety23/alilojise.html?msclkid=7bdbd37906291476c3acbbba5789fae2
  • hxxps[:]//westcoastscenery[.]com/aliliniseji4/?msclkid=ea5aa7098f4d138a7191cfcd2aceaa6a
• Cloaking – Uses a different cloaking and reputation checker than cluster 1. During our observation we noticed a switch in providers from an unknown cloaking implementation to a new
• Ads are only active for several hours per day. By the time a new ad campaign is activated, the domain is rotated. Based upon the logs observed in the telegram bot, it is apparent that these ads are very effective in driving a lot of traffic in a short period of time.

Shared Kit and Infrastructure

• Most sites follow the same naming patterns:
  • Either or php for initial data exfiltration
  • php or updates.php for polling feedback from operator’s telegram channel.
• Most display 2fa / security questions pages dynamically based on operator’s feedback, using the “live panel” approach – enabling bypass of most verification methods (except for passkeys).

Future evolutions

• During the investigation, Check Point External Risk Management (formerly Cyberint) observed 2 targets with slightly different communication methods.
• Instead of the php API visible in the root HTML page source, these kits employ an obfuscated script.js file. De-obfuscating the file exposes calls to an api.php file, with similar interactions around feedback from the server, with a notable difference – a lack of the polling check.php endpoint.

• The phishing pages with the different kit were hosted on a shared server following the naming convention of cluster 2 – along with other phishing pages with the known php kit – linking the operator of the cluster to this kit.

Other technical observations

• Ad accounts
  • The accounts used for Google Ads are all verified, and in most cases are used for some other legitimate looking ads as well – possibly resold / stolen accounts.
• Residential IP addresses
  • We intercepted some test messages generated by the operators themselves – all had US residential IPs attached at different ISPs, with different consumer router models. All routers had PPTP (Point-to-Point Tunneling Protocol) open (these could be a purchased access list of routers) or a commercial residential proxy with PPTP being a coincidence. One of the network’s admins was observed on the support channel or “PROXY SOXY” messaging for help with a non-working proxy.

Recommendations

1. Monitor for malicious Google/Microsoft Ads targeting keywords for employee/benefits portals and financial institutions.
2. Implement context-aware phishing-resistant step-up authentication for sensitive actions. (e.g. Confirmation email with description of the action being approved)
3. Report abuses for active phishing sites to relevant hosting providers.
4. Report fraudulent ad campaigns.
5. Use honey users (fake user accounts created to detect and attract unauthorized access to a system) to gather information, such as IOCs and behavior data to correlate with other accounts to flag suspicious activity.

About Check Point External Risk Management (formerly Cyberint)

Check Point’s External Risk Management solution is built to uncover threats like Payroll Pirates before they cause damage. By continuously monitoring ad networks, credential abuse, and infrastructure changes across the open, deep and dark web, the team can detect phishing campaigns in their earliest stages. The platform’s ability to correlate indicators across multiple clusters—ads, domains, Telegram activity, and more—helps link disparate attacks to a single network. That’s how we move fast, disrupt infrastructure, and protect organizations from credential theft and payroll fraud.