Malware-as-a-Service Pioneers “The Manipulaters” Return From 10 Years Underground

Why Trust Techopedia

Stealthy, unsophisticated, enigmatic, enduring, and underestimated, the Pakistan-based cybercriminal group “The Manipulaters” is back in the spotlight — although they never really went anywhere.

The Manipulaters is believed to be the first criminal group to offer malware-as-a-service, with at least a decade of experience.

Linked to Pakistan, the Manipulaters jumped into the cybercriminal scene in 2015 with unique tactics. Now a new investigation shows that, years later, the group continues to use the same tactics with success.

Unlike other underground criminal operators, The Manipulaters do not care about reputation and thrive on their anonymity. They have enabled countless attacks against organizations, individuals, professionals, and security teams of Fortune 100 companies.

Key Takeaways

  • The Manipulaters are pioneers of Malware-as-a-Service (MaaS).
  • Active for over a decade, they offer various cybercrime tools like phishing kits and now cookie stealers.
  • Despite using unsophisticated tactics, they thrive due to their large online presence and focus on anonymity.
  • Their resurgence highlights the ongoing threat of cybercrime marketplaces and the need for vigilance.

The Manipulaters In the Spotlight Again: Exactly Where They Want to Be?

A recent DomainTools report found that the supposedly outdated and dormant cybercrime group is alive and doing damage. DomainTools says that the group that gained infamy in 2015 continued to cultivate legions of scam and spam artists for nearly a decade.

Contrary to proclamations of their dissolution, and with members of the group even going as far as contacting journalists directly about turning a new leaf, the Manipulaters have resurfaced with an upgraded new set of destructive methods.


Sean McNee, VP of Research and Data at DomainTools, told Techopedia that they were surprised to see Manipulater groups operating strongly in the wild.

“We were stunned to uncover a whole new chapter in The Manipulaters’ criminal history. This is an ideal example of how analyzing historical domain and host records provides important context for cybercrime investigations.”

The group appears to have expanded its malware, pivoting from spam and phishing to offer email-to-SMS spamming tools and cookie theft. This dangerous combination can take over an account, but these new tools fly better under the radar than traditional phishing malware.

Following their tradition of flooding the online underworld market with websites offering their malware, the Manipulaters now have at least 40 active shops and websites. Historically, the group has created hundreds of sites.

The Manipulaters In the Spotlight Again: Exactly Where They Want to Be?
A site created by the Manipulaters displays fake testimonial messages. The Manipulaters often appear to use amateurs-skills, which seem to be nothing but a cover. Image: Screenshot.

The Manipulaters: Big Box Retailers of Crime

McNee added:

“The Manipulaters represent an ambitious and somewhat pioneering–cybercrime enterprise. At their peak, they operated shops across multiple domains selling phishing kits and other cybercrime services for nearly a decade.”

“They also enabled a dizzying amount of cybercrime during that time, both in terms of volume and scope.

“By analogy, one could think of them as one of the earliest ‘big box retailers’ for cybercrime tooling, implementing their delivery by running scores of shops with such large inventories that their operational model must have been rather complex.

“The considerable scale of their operation is nothing compared to their position as one of the ‘innovators’ in the cybercrime space”.

SpamFather, an active online site where the Manipulaters sell spam/phishing tech combined with cookie stealers — a dangerous combination.
SpamFather, an active online site where the Manipulaters sell spam/phishing tech combined with cookie stealers — a dangerous combination. Image: Screenshot.
HeartSender, another site linked to the Manipulaters, sells spam, phishing, and email-to-SMS kits and malware that automate processes
HeartSender, another site linked to the Manipulaters, sells spam, phishing, and email-to-SMS kits and malware that automate processes. Image: Screenshot.

McNee explained that, for example, one of their now-defunct online shops, “Fresh Spam Tools,” was one of the earliest large phishing-focused cybercrime marketplaces to appear.

“A lot of the most notorious cybercrime marketplaces on the internet today are a result of this fundamental shift – there’s good money to be made enabling others to perform cybercrime.”

Shawn Waldman, CEO and Founder of Secure Cyber Defense — a custom technology and managed detection and response solution provider — told Techopedia that the Manipulaters are known for large-scale operations.

“The Manipulaters have a historical reputation as one of the largest international crime units, responsible for supplying hackers and hacktivists with the necessary tools and infrastructure for their operations.”

“Think of them as cyber arms dealers in the digital crime underground,” Waldman said.

“Historically, the Manipulaters have demonstrated expertise with Office365 fake login pages as well as entering the SMS space with fake UPS and USPS text messaging. Given the massive success this group has had in the past, their resurgence poses a significant threat.”

Techopedia’s investigation into the Manipulaters’ shops and sites, their history, and new technology found that the group is very active.

Given the volume of their online presence and confusing open tactics, only one thing can be inferred: this is no small-scale operation but one rich in skills and resources and capable of evading detection despite operating in the clear.

The Manipulaters’ MO, Strengths, and Weaknesses

Unlike ransomware operators or ransomware-as-a-service providers who seek to constantly develop a reputation that precedes them in order to strike fear in their opponents and gain power in the dark web, The Manipulaters choose another road.

The Manipulaters want to remain in the shadows and, as mentioned, have even contacted journalists working in the cybersecurity industry, pleading to them to remove articles that contain evidence of the group and a presumed alias of one of its leaders.

While this long-lived group’s tech and tactics are not sophisticated, they are known for being the first or one of the first criminal groups to sell malware online. McNee spoke about the issue.

“By pioneering this new business model, the Manipulaters lowered technical barriers to entry and enabled a lot of cybercrime, including inspiring other unrelated cybercrime shops to open.”

“What this group may have lacked in technical talent, they more than make up for in opportunism and business savvy, which lead to their financial success.”

The Manipulaters’ MO, Strengths, and Weaknesses
The Manipuleters often hide behind facades and claim they run legitimate businesses. Another site linked to the Manipulaters. Image: Screenshot.

McNee from DomainTools said the Manipulaters have accounts on many cybercrime forums.

“We believe they have a significant customer base across the planet, with a notable subset of customers operating out of West Africa that absolutely love their tooling and phish-kits.”

The Manipulaters Today

To understand what the Manipulaters are doing today, it’s essential to have an understanding of the role and impact that cybercriminal marketplaces have in the modern global threat landscape.

From malware-as-a-service to ransomware-as-a-service, and stealers-as-a-service, offered by the leading cybercriminal syndicates in the dark web, these groups are not only profiting from attacks.

DomainTools explains that cybercriminal marketplaces are a foundational core of the underground multi-billion dollar economy. Not only do malware providers enable attacks, but drive innovation and enhance techniques and methods to attract new customers.

While this underground economy has changed a lot since 2015 and the golden days of the Manipulaters, the group changed with the times and adapted.

In 2021, Krebs on Security reported that the Manipulaters were prospering again. This time, the group hid behind the facade of a software development firm in the city of Lahore, Pakistan. Krebs said the group ‘secretly enabled an entire generation of spammers and scammers’.

Today, the group continues to sell its tech, helping criminals automate scam pages, phishing campaigns, and email-to-SMS attacks. They also sell cookie grabbers and malicious bundled software for common file exploit attacks.

DomainTools’ 2023-2024 investigation saw an unbroken decade of selling.

“The Manipulaters have profited for more than a decade by selling vast quantities of phishing kits, commodity malware, and spamming services, and more – eventually expanding into selling web domains, both for their own use as well as resale to other criminals.”

DomainTools said the Manipualators saturate the underground economy with seemingly disparate products and services, making new entrants less likely to compete.

This tactic helps them reduce downtime when one domain is shut down or exposed. Additionally, it strengthens the false perception that the Manipulaters is a small and outdated threat group, helping them avoid law enforcement scrutiny.

Hidden behind a lack of information, the Manipulaters have managed to remain active and continue to profit from illegal activities, mastering deception and confusion-communication tactics.

Are The Motivators In It For Money? Or Does Geopolitics Make Them Click?

While experts say there is currently no evidence exposing the Manipulaters as a nation-support group, they agree that the group’s infrastructure and current geopolitical tensions require everyone to remain vigilant.

McNee from DomainTools said their investigation provides no reason to believe that the Manipulaters seek to influence geopolitics but rather align to profit-driven motives.

“Since this group is Pakistani-based, we cannot discount local or regional concerns in their motivations, but we have not seen any behaviors from this group indicating more than having financial growth and self-interest motivations.”

Waldman from Secure Cyber Defense agrees with McNee.

“Money is the usual motivation with these groups. However, given the current geopolitical situation, it’s interesting timing to enter the cybercrime arena. Numerous nations and groups are closely observing to gauge the direction the US will take and which side it will support. Until we gain more political intelligence on Pakistan, I would have to lean on the side of money for the moment.

“This geopolitical situation requires closer monitoring to assess how these countries are aligning themselves,” Waldman said.

“While I don’t discern a direct connection between Pakistan and China, it’s notable that China often leans towards disruptive actions, potentially seeking to sow chaos and division.”

Related Site #1: HeartSender — Automated Phishing Kits and Email-to-SMS Attack Tech

One of the sites Techopedia investigated for this report linked to the Manipulaters is HeartSender. Like other sites of the group, it promotes and sells malware openly. Strangely enough, this site, as well as others, is not in the dark web but on the open web or surface web and is not safe to visit.

DomainTools visited it instead:

“The Heart Sender storefront focuses on email and email-to-SMS spamming services. Customer response in cybercrime communities to HeartSender has been largely positive and represents a meaningful technical advancement for the Manipulaters, especially its improved email-to-SMS spamming capabilities.”

Related Site #1: HeartSender — Automated Phishing Kits and Email-to-SMS Attack Tech
HeartSender tech malware dashboard. Automates spamming, phishing campaigns, and email-to-SMS attacks. Image: Screenshot.

The group also created numerous pair shop domains with tutorials and promotions, contact information, and Telegram channels to communicate with their customers. The Manipulaters sites often lead to a Pakistan IP Address.

Related Site #2: SpamFather: A Dangerous Combination of Spammers and Cookie Stealers

Another dangerous site Techopedia identified, based on the DomainTools report, is SpamFather. On this site, the group combines spamming technology with cookie stealers.

These technologies represent a high-level threat as they can easily trick users into unknowingly giving away their credentials.

Related Site #2: SpamFather: A Dangerous Combination of Spammers and Cookie Stealers
While investigating the Manipulaters sites, Techopedia came across what seems to be a phishing attack embedded into a website redirect. Using this technique, the group can redirect users to fake sites like Gmail (or other accounts), expecting to steal users’ credentials. Image: Screenshot.

DomainTools described the technology sold on SpamFather as deadly.

“This dangerous combination can make account takeover activity much less detectable than traditional credential phishing.”

“The Manipulaters provided a large volume and variety of tooling. However, none of it would be considered extremely technically sophisticated,” McNee from DomainTools said.

Related Site #2: SpamFather: A Dangerous Combination of Spammers and Cookie Stealers
SpamFather — site linked to the Manipulaters — sells spam/phishing-cookie stealer tech for $1,000.  Image: Screenshot.

“They started with spam delivery tooling and phishing kit creation,” McNee said. “These were technologies they both sold and made use of themselves.

“Once sold, their kits and tools have been used by both more technically talented threat actors and new players in the space.


“Can’t deploy a basic sender for your spam campaign? Well, they’ll set it all up for a customer using a remote session. Can’t build a basic phishing kit with an email processor in PHP? They’ll sell the kit, domain, host, etc.”

The Bottom Line

The Manipulaters, and its vast network, are not only a group that cybersecurity specialists should be looking into and watching closely. The group is a unique case of a malicious organization that has somehow managed to survive, stay relevant, and continue to profit and expand under the noses of experts and law enforcement for a decade.

Pretending not to be a threat to national security, is the group the Manipulaters launching its own attacks? Who does business with the Manipulaters, and how big is the network of cybercriminals that use their malware and services? These questions are just some of the many that have not been answered in the past decade.

As ever, stay vigilant out there.


Related Reading

Related Terms

Ray Fernandez
Senior Technology Journalist
Ray Fernandez
Senior Technology Journalist

Ray is an independent journalist with 15 years of experience, focusing on the intersection of technology with various aspects of life and society. He joined Techopedia in 2023 after publishing in numerous media, including Microsoft, TechRepublic, Moonlock, Hackermoon, VentureBeat, Entrepreneur, and ServerWatch. He holds a degree in Journalism from Oxford Distance Learning and two specializations from FUNIBER in Environmental Science and Oceanography. When Ray is not working, you can find him making music, playing sports, and traveling with his wife and three kids.