Once the domain of elite hackers, malware is now sold, rented, and supported like any other software.
Over the past decade, malware has evolved from a specialized tool used by skilled hackers into a widely available, mass-market commodity that anyone can buy.
At the heart of this shift is the rise of malware-as-a-service (MaaS) and ransomware-as-a-service (RaaS) models—plug-and-play platforms that allow hackers to rent or buy pre-built malware from developers, much like software-as-a-service (SaaS) in the enterprise tech world.
The result is a threat landscape where even low-skilled actors, so-called “script kiddies,” can launch sophisticated campaigns.
According to the European Union Agency for Cybersecurity (ENISA), 70% of ransomware attacks originate from RaaS operations, reflecting the growing dominance of this model. This commodification has also blurred traditional distinctions between nation-state advanced persistent threats (APTs) and financially motivated criminal gangs.
Tools once associated with top-tier espionage are now widely available, whether through affiliate programs or resale in dark web markets. Europol has warned that the lines between targeted attacks and opportunistic crime are becoming increasingly complex to draw.
Criminal services now encompass a range of tools, including phishing kits, dropper builders, and encryptors, each designed to make attacks harder to detect and easier to deploy.
Cybercrime has become a thriving marketplace where anyone can purchase ready-made malware as easily as a Netflix subscription, if they know where to look.
Types of malware-as-a-service
Pay-per-install malware
Pay-per-install (PPI) malware is a type of distribution model in which cybercriminals pay third-party affiliates or botnet operators to install their malicious software on victims’ devices, allowing them to scale campaigns quickly without needing to handle distribution themselves.
Even low-skilled actors can launch widespread attacks by outsourcing this step. Historically, services like InstallsPro and TrafficConverter.biz led the space, and today, PPI is common in malvertising and trojan game mods.
The key danger lies in volume: One malicious file can infect thousands of devices. For defenders, PPI creates a constantly shifting attack surface that’s difficult to anticipate or contain.
Plug-and-play malware kits
Plug-and-play malware kits, such as RedLine Stealer and LummaC2, are ready-made attack tools designed for simplicity. They come pre-packaged with a malware builder, control panel, and documentation—no coding required.
RedLine, for example, steals credentials and crypto wallets, while LummaC2 includes evasion tools and real-time dashboards. These kits are sold openly on dark web forums or Telegram for under $300.
Their accessibility has turned cybercrime into a user-friendly enterprise.
For defenders, this poses a serious problem: A broader range of actors, including unskilled opportunists, can now launch targeted attacks with minimal effort and increasingly professional results.
DIY malware kits
DIY malware kits let attackers build their own malicious payloads from customizable templates. Tools like NjRAT and DarkCrystal Remote Access Trojan (DCRat) offer point-and-click interfaces, allowing even beginners to generate keyloggers, remote access trojans, or ransomware without writing code.
Some DIY kits are available for free, shared on underground forums, while others are sold with advanced features such as encryption. These kits offer more flexibility than plug-and-play options and are often harder to detect because each build can be unique.
The low barrier to entry has led to a surge in custom malware strains, complicating threat detection and attribution for security teams.
Subscription-based MaaS platforms
Subscription-based MaaS platforms operate similarly to legitimate enterprise SaaS tools, offering dashboards, regular updates, and customer support for as little as $40 per month.
Raccoon Stealer, which specializes in obtaining browser credentials and cryptocurrency wallets, is a prime example. For a monthly fee, subscribers gain access to a control panel, deployable malware, and support channels.
These services eliminate the need for technical expertise, and some even offer integrated delivery via phishing or exploit kits, enabling buyers to launch attacks with minimal effort. This model has turned cybercrime into a recurring-revenue business, expanding its reach and making it easier for amateurs to run professional-grade attacks.
Affiliate programs
Affiliate programs are the ransomware industry’s version of franchising. Groups like LockBit and DragonForce develop sophisticated ransomware payloads, then license them to affiliates who carry out the attacks.
Affiliates get a cut of ransom payments, while the core team handles development, negotiation support, and leak site infrastructure. This model scales quickly and shifts some of the legal risk from developers to operators.
LockBit’s sleek dashboards and DragonForce’s aggressive branding demonstrate the level of polish these operations have achieved. For defenders, it complicates attribution and takedown efforts. Dismantling one affiliate doesn’t stop the parent group or other copycats from continuing operations.
Botnet-as-a-service
Botnet-as-a-service (BaaS) enables criminals to rent access to networks of hijacked devices to conduct distributed denial of service (DDoS) attacks or spam campaigns. Clients pay per use and can configure attack types, targets, and duration.
Platforms like Webstresser, which was taken down in 2018, paved the way for today’s Telegram-hosted BaaS offerings. Modern botnets often include Internet of Things (IoT) devices like cameras and routers, making them vast and resilient.
The as-a-service model has made DDoS attacks affordable and accessible, even for non-technical users. For defenders, it means they must prepare for high-volume attacks that can originate from thousands of geographically dispersed IPs in minutes.
Dropper and loader services
Often sold or rented out by cybercriminals, dropper and loader malware are both tools used to deliver malicious payloads. Each operates slightly differently. A dropper installs, or “drops,” another malicious program onto a victim’s device, often bundled within the dropper itself or downloaded after execution.
A loader is typically more advanced and designed to fetch and execute additional malware, usually from a remote server, after performing checks to avoid detection.
While droppers tend to be used in initial infections via phishing or malicious downloads, loaders are commonly part of multi-stage attacks, enabling threat actors to deploy malware, such as ransomware or spyware, on demand.
SmokeLoader is a common example. It can deploy ransomware, infostealers, or remote access tools once it has gained access to a system. For cybercriminals, these loaders act as delivery vehicles; for defenders, they represent a critical blind spot in attack chains.
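The loader behavior described above (a process that reaches out to a remote server, writes a further executable stage, and then runs it) is a pattern a defender can look for in endpoint telemetry. The following is an added example, not code from the original article or from ThreatLocker: a small detector run over constructed process, network and file events. The event schema, paths and addresses are all assumptions made for the illustration.

```python
"""Toy multi-stage loader detector over constructed endpoint telemetry.

Flags a chain where one process (1) makes an outbound connection, then
(2) writes an executable into a user-writable location, and (3) a child
process is started from that freshly written file. A benign updater that
writes into its own install directory is included to show it is not flagged.
"""

# Constructed sample events (not real telemetry). Field names are assumed.
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_start", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Mail\mail.exe"},
    {"ts": 2, "type": "process_start", "pid": 200, "ppid": 100,
     "image": r"C:\Users\a\Downloads\invoice.exe"},
    {"ts": 3, "type": "net_connect", "pid": 200, "dest": "203.0.113.10:443"},
    {"ts": 4, "type": "file_write", "pid": 200,
     "path": r"C:\Users\a\AppData\Local\Temp\stage2.exe"},
    {"ts": 5, "type": "process_start", "pid": 300, "ppid": 200,
     "image": r"C:\Users\a\AppData\Local\Temp\stage2.exe"},
    # Benign look-alike: an updater connects out and writes an executable,
    # but into Program Files rather than a user-writable directory.
    {"ts": 6, "type": "process_start", "pid": 400, "ppid": 1,
     "image": r"C:\Program Files\App\updater.exe"},
    {"ts": 7, "type": "net_connect", "pid": 400, "dest": "198.51.100.5:443"},
    {"ts": 8, "type": "file_write", "pid": 400, "path": r"C:\Program Files\App\app.exe"},
    {"ts": 9, "type": "process_start", "pid": 500, "ppid": 400,
     "image": r"C:\Program Files\App\app.exe"},
]

# Assumed heuristics: locations an ordinary user can write to, and
# extensions treated as executable stages.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\temp\\", "\\appdata\\")
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr")


def is_user_writable(path):
    """True if the path sits under a directory a normal user can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def detect_loader_chains(events):
    """Return one finding per connect -> write-executable -> execute chain.

    Each finding is a dict with the loader pid, the remote endpoint it
    contacted, the path it wrote, and the pid of the child started from it.
    """
    state = {}      # pid -> {"connected": [dest, ...], "wrote": {lower_path: ts}}
    findings = []
    for event in sorted(events, key=lambda e: e["ts"]):
        kind = event["type"]
        if kind == "process_start":
            parent_state = state.get(event["ppid"])
            image = event["image"].lower()
            # Stage 3: the parent already connected out and wrote this very file.
            if parent_state and image in parent_state["wrote"]:
                findings.append({
                    "loader_pid": event["ppid"],
                    "remote": parent_state["connected"][-1],
                    "dropped_path": event["image"],
                    "child_pid": event["pid"],
                })
            state[event["pid"]] = {"connected": [], "wrote": {}}
        elif kind == "net_connect" and event["pid"] in state:
            state[event["pid"]]["connected"].append(event["dest"])
        elif kind == "file_write" and event["pid"] in state:
            proc = state[event["pid"]]
            path = event["path"].lower()
            # Stage 2 only counts after stage 1 (an outbound connection) and
            # only for executables dropped where a user can write.
            if proc["connected"] and path.endswith(EXECUTABLE_EXTENSIONS) \
                    and is_user_writable(path):
                proc["wrote"][path] = event["ts"]
    return findings


if __name__ == "__main__":
    for finding in detect_loader_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately keys on the sequence rather than on any single event: outbound connections and executable writes are each normal on their own, and a real sensor would add reputation of the remote endpoint and signer information on the dropped file before raising severity.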
Who’s selling malware-as-a-service and why?
Behind the growing market for off-the-shelf malware lies a thriving underground economy that mirrors the structure of legitimate tech startups, without the legality.
Malware developers aren’t just hobbyists or lone actors. Many operate as part of semi-professional teams, complete with product roadmaps, customer support channels, and marketing campaigns posted to forums and Telegram groups.
These sellers don’t typically carry out attacks themselves. Instead, they build and sell the tools, outsourcing the risk while reaping the financial rewards.
One reason is anonymity. Cryptocurrencies and end-to-end encrypted communication platforms allow developers to remain hidden, even as they generate substantial revenue. Meanwhile, decentralization makes the market hard to shut down. Even if one forum is seized or one tool exposed, others quickly take its place or are rebranded and relaunched.
There’s also a compelling risk-reward imbalance. Developing and selling malware can be lucrative, with prices ranging from $50 for a basic infostealer to thousands for full-featured ransomware kits. Yet, legal consequences are rare, especially for developers operating in jurisdictions with little appetite for prosecuting cybercrime.
This creates an environment where technical talent is incentivized to innovate on the offensive side.
For many, the motivation is simply opportunity. Selling malware is a fast, profitable, and low-risk endeavor. In this cybercrime ecosystem, it’s not the attacker in the network who profits most; it’s the developer who never has to leave their encrypted chat room.
Why MaaS works
This model is effective because it’s built to scale. The developers selling malware don’t just profit from one-off attacks; they create tools that anyone can use, again and again, across countless victims.
And it’s working.
The platforms they’ve built have become fully-fledged SaaS businesses, complete with subscription tiers, user-friendly dashboards, support channels, and regular updates.
This has fundamentally shifted the dynamics of cybercrime. By removing the technical barriers, MaaS has blurred the line between sophisticated threat actors and opportunistic amateurs. Today, someone with no coding experience can deploy malware that rivals the tools used by nation-state groups simply by buying the right service.
MaaS also enables low-tier actors to launch wide-reaching attacks for a relatively low upfront cost, and the financial upside is substantial. A single successful campaign can generate tens of thousands of dollars in cryptocurrency.
The result is a cybercrime ecosystem where professional-grade attacks no longer require professional skills. The tools do the work, the infrastructure is already in place, and the risk stays low, especially for developers who never need to touch a victim’s network.
For defenders, that’s the new challenge: Facing down attacks that may look advanced, but are powered by actors with little more than money, motivation, and a login to the right forum.
How Zero Trust can shut down malware-as-a-service
In a world where malware is as accessible as a streaming subscription, perimeter-based security is no longer sufficient.
When cybercriminals of any skill level can launch advanced attacks using rented infrastructure and pre-packaged tools, organizations can’t rely on firewalls, VPNs, or endpoint software alone. The threat is already on the inside, hidden in legitimate credentials, encrypted traffic, or trusted applications.
This is where Zero Trust comes in. Rather than assuming anything inside the network is safe, Zero Trust operates on a “never trust, always verify” model. Every device, user, and connection must continuously prove it belongs, whether it’s accessing email or a mission-critical system.
That means enforcing least-privilege access, using multi-factor authentication, monitoring behavior in real time, and segmenting networks to contain breaches when they occur.
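As an added illustration of the "never trust, always verify" decision described above (example code, not part of the original article and not ThreatLocker's product), the following policy engine evaluates each access request against the resource it targets: role entitlement for least privilege, multi-factor authentication, device compliance, network segment, and a session age limit that forces periodic re-verification. Anything not explicitly permitted is denied. The resource names, roles, segments and time limits are constructed for the example.

```python
"""Toy Zero Trust access-decision engine (default deny, per-request checks)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset          # roles the identity provider asserts for the user
    mfa_verified: bool        # did this session complete multi-factor auth
    device_compliant: bool    # did the endpoint pass its posture check
    source_segment: str       # network segment the connection arrives from
    resource: str             # what is being accessed
    session_age_s: int        # seconds since the last full verification


# Constructed policy: what each resource requires. Network location is only
# one input; being "inside" never grants access by itself.
RESOURCE_POLICY = {
    "email": {"roles": {"staff"}, "segments": {"corp", "guest-wifi", "vpn"},
              "mfa": True, "device": False, "max_session_s": 8 * 3600},
    "hr-db": {"roles": {"hr"}, "segments": {"corp"},
              "mfa": True, "device": True, "max_session_s": 900},
    "prod-admin": {"roles": {"sre"}, "segments": {"admin-jump"},
                   "mfa": True, "device": True, "max_session_s": 600},
}


def evaluate(req):
    """Return (allowed, reason). Every check must pass; unknown resources are denied."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if not (req.roles & policy["roles"]):
        return False, "least privilege: role not entitled to resource"
    if policy["mfa"] and not req.mfa_verified:
        return False, "multi-factor authentication required"
    if policy["device"] and not req.device_compliant:
        return False, "device failed posture check"
    if req.source_segment not in policy["segments"]:
        return False, "source segment not permitted for resource"
    if req.session_age_s > policy["max_session_s"]:
        return False, "session too old: re-verify identity"
    return True, "allowed"


# Constructed requests. The first models a stolen password used from inside
# the corporate network: valid credentials, no MFA, unmanaged device.
STOLEN_CRED_INSIDE = AccessRequest("alice", frozenset({"staff", "hr"}), False, False,
                                   "corp", "hr-db", 10)
STAFF_WRONG_ROLE = AccessRequest("bob", frozenset({"staff"}), True, True,
                                 "corp", "hr-db", 10)
SRE_WRONG_SEGMENT = AccessRequest("carol", frozenset({"sre"}), True, True,
                                  "corp", "prod-admin", 10)
SRE_STALE_SESSION = AccessRequest("carol", frozenset({"sre"}), True, True,
                                  "admin-jump", "prod-admin", 3600)
SRE_OK = AccessRequest("carol", frozenset({"sre"}), True, True,
                       "admin-jump", "prod-admin", 120)


if __name__ == "__main__":
    for req in (STOLEN_CRED_INSIDE, STAFF_WRONG_ROLE, SRE_WRONG_SEGMENT,
                SRE_STALE_SESSION, SRE_OK):
        print(req.user, req.resource, evaluate(req))
```

The point of the example is the shape of the decision: the stolen-credential request is refused even though it originates inside the network, and the SRE's valid session is still cut off once it exceeds the resource's re-verification window, which is what limits the blast radius when rented malware does get a foothold.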
Zero Trust shifts the odds in the defender’s favor. In an environment where malware can be purchased and deployed in minutes, resilience depends on assuming a breach, rather than preventing it entirely.
Organizations that adopt Zero Trust can limit the blast radius of an attack, spot anomalies faster, and recover more effectively. In the age of MaaS, Zero Trust might be the only real chance you’ve got.
Further reading: How ThreatLocker can help you stop ransomware from ever executing.