Understanding Malware-as-a-Service

UNDERSTANDING MALWARE-AS-A-SERVICE

Money is the root of all evil, including cybercrime. Thus, it was inevitable that malware creators would one day begin not only to distribute malicious programs themselves, but also to sell them to less technically proficient attackers, thereby lowering the threshold for entering the cybercriminal community. The Malware-as-a-Service (MaaS) business model emerged as a result of this, allowing malware developers to share the spoils of affiliate attacks and lowering the bar even further. We have analysed how MaaS is organized, which malware is most often distributed through this model, and how the MaaS market depends on external events.

Results of the research

As per studies from various sources, including the dark web, identified 97 families spread by the MaaS model from 2015 and broke these down into five categories by purpose: ransomware, infostealers, loaders, backdoors, and botnets.
As expected, most of the malware families spread by MaaS were ransomware (58%), infostealers comprised (24%), and the remaining (18%) were split between botnets, loaders, and backdoors.

Results of the research

Despite the fact that most of the malware families detected were ransomware, the most frequently mentioned families in dark web communities were infostealers. Ransomware ranks second in terms of activity on the dark web, showing an increase since 2021. At the same time, the total number of mentions of botnets, backdoors, and loaders is gradually decreasing.

MaaS terminology and operating pattern

Malefactors providing MaaS are commonly referred to as operators. The customer using the service is called an affiliate, and the service itself is called an affiliate program. We have studied many MaaS advertisements, identifying eight components inherent in this model of malware distribution. A MaaS operator is typically a team consisting of several people with distinct roles.
For each of the five categories of malware, we have reviewed in detail the different stages of participation in an affiliate program, from joining in to achieving the attackers’ final goal. We have found out what is included in the service provided by the operators, how the attackers interact with one another, and what third-party help they use. Each link in this chain is well thought out, and each participant has a role to play.

MaaS terminology and operating pattern

Cybercriminals often use YouTube to spread infostealers. They hack into users’ accounts and upload videos with crack ads and instructions on how to hack various programs. In the case of MaaS infostealers, distribution relies on novice attackers, traffers, hired by affiliates. In some cases, it is possible to de-anonymize a traffer by having only a sample of the malware they distribute.

Table of Contents

If you have questions, reach out to us.

See Relevant Blogs

Managed IT Services vs Unmanaged IT: True Cost

An executive evaluation of the operational vulnerabilities and financial traps embedded in reactive infrastructure models. Discover how proactive data orchestration and structured support frameworks mitigate downtime, optimize engineering capital, and

real cost in it services

The True Cost of Hiring IT Talent in 2026

An empirical evaluation of the escalating recruitment economics, velocity gaps, and attrition metrics stalling modern enterprise pipelines. Discover how proactive talent orchestration transforms variable staffing overhead into a sustainable operational

complex healthcare workflows

Why Off-the-Shelf Software Fails Complex  Healthcare Workflows

An executive evaluation of the operational limitations inherent to rigid software as a service (SaaS) products in clinical environments. Discover how custom digital architecture eliminates administrative waste, patches technical debt, and scales clinical delivery.  The commercial