Zscaler Data Protection Recognized as a 2023 Product of the Year by CRN

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

New PPI Campaign

September 01, 2010 - 1 min read

PPI being pay-per-install ...

This morning I saw some interesting transactions to:

where ### are numbers, for example, "519".

MD5: 1568edcd29629f577207d7396646b741

VirusTotal results 8/43 (report), detected as (among other names):

Turns out this is being spread through spammers, SEOers, etc. being financed in a PPI model, something that I have discussed before in the past. This time I have a screenshot to share related directly to the finance aspect of this particular PPI:

This post was created today. We can see from the PPI ad that those engaging in this particular campaign stand to make between $500 and $800 per 1000 installs (< $1 per install). The numbers in the executable, like "519" correspond to the account for the spammer/SEOer that is monetizing this. Domain: promoupdate.info Whois billing contact shows likely Russian affiliation: ImageHere is the actual Affiliate Network setup by this guy:

ImageDomain: twittre.net (private/masked Whois)
(note the RU nameservers)
ImageSource of the twittre.net page actual reveals that the Affiliate website is loaded from rich-partners.com:
ImageDomain: rich-partners.com
ImageNo surprise that the contact details are bogus, but the email address is legit, here's a past domain registered with these email credentials:
ImageRobtex shows these other domains (all likely other PPI sites) on (Sagade Ltd. <- not a surprise for some) in Latvia, hosting promoupdate.info: Image

form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.