Cyber threats don’t always come with warning signs. Sometimes, they arrive as sponsored ads. Since mid-2023, a financially motivated network has been quietly hijacking payroll systems, credit unions, and trading platforms across the United States. Their method? Malvertising. Their goal? Money. Their name? Payroll Pirates.
This isn’t a one-off campaign. It’s a coordinated operation that has evolved over time: technically, tactically, and geographically.
The network has targeted over 200 interfaces and lured in more than 500,000 users, representing one of the most persistent credential theft operations in recent years.
Back in May 2023, Check Point External Risk Management researchers noted phishing sites that impersonated payroll platforms.
These sites were promoted through Google Ads, targeting employees logging into HR portals. Once credentials were stolen, attackers rerouted salaries to their own accounts.
The infrastructure was split into clusters. Each had its own domains, Telegram channels, and exfiltration methods. But the kits were nearly identical, suggesting a shared origin or a marketplace model where multiple operators used the same tools.
A Smarter Comeback
In June 2024, the network returned with upgraded kits. The phishing pages now include dynamic elements capable of bypassing two-factor authentication (2FA).
Operators used Telegram bots to interact with victims in real time, requesting one-time codes and security answers.
The backend was redesigned. Instead of exposing exfiltration endpoints, the kits used scripts like xxx.php and check.php to communicate silently with operators. This made the infrastructure harder to detect and nearly impossible to disrupt.
By August 2024, Malwarebytes reported similar tactics used against a major retailer. In December, SilentPush published a deep dive into the same network, confirming its expansion into credit unions and trading platforms.
Significant activity spikes in tracked keywords were observed in September 2025, prompting Check Point’s External Risk Management Research team to reopen their investigation.
Due to an operational security failure by the attackers, researchers obtained visibility into the network. The team discovered a single Telegram bot orchestrating 2FA feedback across all the different target types: credit unions, payroll, healthcare benefits, trading platforms, and more. This revealed that all the earlier reports were describing the same network, not just a shared phishing kit.
Logs showed at least four admins, each managing different target channels. One operator posted a video from the Black Sea coast near Odesa, suggesting a physical location.
The same operator was also a member of multiple groups focused on Dnipro, another Ukrainian city, suggesting that at least some of the operators were based in Ukraine.
Two Clusters, One Goal
The network operates in two main clusters:
Cluster 1: Google Ads + Redirect Cloaking
This method uses “white pages” to pass ad reviews. These pages look harmless but redirect victims to phishing sites when activated. Hosting is often done via providers in Kazakhstan and Vietnam, with domains registered in bulk.

Cluster 2: Bing Ads + Aged Domains
This cluster targets financial institutions using Microsoft Ads. Domains are aged for months and host dozens of phishing pages with randomized URLs. A cloaking service from adspect.ai determines which page to show based on browser fingerprinting.
Both clusters use the same phishing kits. Pages adapt dynamically based on operator feedback, making it easy to bypass most authentication methods.
The kits follow consistent naming patterns: xxx.php, analytics.php, check.php. Some newer versions use obfuscated JavaScript (script.js) to hide their exfiltration logic.
Ad accounts are verified and often run legitimate-looking campaigns. Operators use U.S. residential IPs and routers with PPTP open, possibly part of a purchased proxy list.
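The kit file names and the ad-driven entry point described above give defenders two signals that can be correlated in web proxy logs. The following is an added detection example, not code from the article or from Check Point: it flags a user's session with a host outside a hypothetical allowlist of legitimate HR portals only when that session shows both a kit-style path and an ad-click referrer, which keeps common filenames like analytics.php from firing on their own. The allowlist, the ad referrer hosts, and the log lines are constructed assumptions.

```python
from urllib.parse import urlparse

# Paths the article reports as the kits' consistent naming pattern.
KIT_PATHS = {"/xxx.php", "/check.php", "/analytics.php", "/script.js"}
# Hypothetical allowlist of the organisation's legitimate HR/payroll portals.
ALLOWED_HOSTS = {"payroll.example-hr.com", "sso.example.com"}
# Hypothetical referrer hosts indicating the session began on a sponsored ad.
AD_REFERRERS = ("googleadservices.com", "bing.com")

# Constructed proxy log lines: "<timestamp> <user> <method> <url> <referrer>".
SAMPLE_LOG = """\
2025-09-10T08:01:02Z alice GET https://payroll.example-hr.com/login -
2025-09-10T08:05:44Z bob GET https://example-hr-payroll-login.com/ https://www.googleadservices.com/pagead/aclk?x=1
2025-09-10T08:05:50Z bob POST https://example-hr-payroll-login.com/xxx.php https://example-hr-payroll-login.com/
2025-09-10T08:06:10Z bob POST https://example-hr-payroll-login.com/check.php https://example-hr-payroll-login.com/
2025-09-10T09:12:00Z carol GET https://cdn.example.com/analytics.php -
"""

def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, user, method, url, ref = line.split(" ", 4)
    return {"ts": ts, "user": user, "method": method, "url": url, "ref": ref}

def is_ad_referrer(ref):
    host = urlparse(ref).hostname or ""
    return any(host == r or host.endswith("." + r) for r in AD_REFERRERS)

def find_suspects(log_text):
    """Return sorted (user, host, reasons) for non-allowlisted hosts where the
    same user's session carries at least two independent signals."""
    sessions = {}  # (user, host) -> set of reason strings
    for line in log_text.splitlines():
        e = parse_line(line)
        parsed = urlparse(e["url"])
        host = parsed.hostname or ""
        if host in ALLOWED_HOSTS:
            continue
        reasons = sessions.setdefault((e["user"], host), set())
        if parsed.path in KIT_PATHS:
            reasons.add("kit_path:" + parsed.path)
        if is_ad_referrer(e["ref"]):
            reasons.add("ad_referrer")
    # Two signals required: a lone analytics.php hit on a CDN is not a finding.
    return sorted((u, h, sorted(r)) for (u, h), r in sessions.items() if len(r) >= 2)

if __name__ == "__main__":
    for user, host, reasons in find_suspects(SAMPLE_LOG):
        print(user, host, reasons)
```

In the sample, bob's lookalike-domain session is reported while carol's single analytics.php request on a CDN host is not.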
What Organizations Can Do
This campaign remains active. Organizations should monitor ad networks for suspicious campaigns targeting employee portals and financial services, use phishing-resistant authentication for sensitive actions, report fraudulent ads and hosting abuse to relevant providers, and deploy honeypot accounts to gather threat intelligence.
The Payroll Pirates network isn’t just persistent; it’s adaptive. It’s built to scale, built to hide, and built to win. But with the right tools, insights, and vigilance, organizations can disrupt its operations before they reach the payroll.
Check Point’s External Risk Management solution continuously monitors ad networks, credential abuse, and infrastructure changes across the open, deep, and dark web to detect phishing campaigns in their earliest stages, helping organizations protect against credential theft and payroll fraud.
