Malware as a service explained: What it is and why businesses should take note

What is malware as a service (MaaS), why is it so popular with adversaries, and what can businesses do to protect themselves from this growing threat?


Advanced attack capabilities are becoming accessible to almost anyone as adversaries offer platforms that can be used by cybercriminals with little expertise. A prime example of this is malware as a service (MaaS), an out-of-the-box solution similar to software as a service (SaaS) that allows even low-skilled criminals to access tools to carry out sophisticated cyberattacks.

Over the last year, MaaS has been growing in popularity. Research shows there was a distinct surge in separate malware campaigns delivering the same payload in 2024, suggesting hackers are increasingly procuring tools from MaaS platforms.

Recent Darktrace research found the MaaS model was responsible for 57% of all cyber threats detected in the second half of 2024, up 17% from the first half of the year. Meanwhile, a WatchGuard report described an “astronomical surge” in malware threats in the third quarter of 2024, surpassing 420,000 – a 300% increase on the previous quarter’s figures and the largest quarterly rise it has ever observed.

So, what exactly is MaaS, why is it so popular with adversaries and what can businesses do to protect themselves against this growing threat?

MaaS – a subscription-based model

Much like SaaS, MaaS offers a subscription-based model. This sees technically skilled developers rent out malware to other cyber criminals, who use it for malicious purposes.

MaaS offers advanced capabilities to those lacking the technical expertise to develop the tools themselves, says Boris Cipot, senior security engineer at Black Duck. “This accessibility has driven rapid growth in the MaaS market, and it continues to expand at a significant pace.”

Because attackers no longer need to develop their own malware, the barriers to entry are much lower, says Nathaniel Jones, VP, security and AI strategy at Darktrace. “Criminals can operate attacks almost like a legitimate business, processing payments and creating subscription-based or one-off payment models.”

Like legitimate services, the tools on offer also receive regular updates, incorporating plugins that exploit newly discovered vulnerabilities.

MaaS offerings are extensive and can be “highly sophisticated and structured”, says Ian Porteous, regional director of security engineering and UK&I at Check Point Software. “Many include marketplace portals on the dark web, user-friendly interfaces for managing malware campaigns – and even technical support services.”

Another benefit of MaaS to cybercriminals is the anonymity it provides, with attackers able to use the malicious tools within the platform without revealing their identity or even operating under a specific name or group.

“Payments are often made via cryptocurrency, and with profit sharing, bonuses, promotions and other partner or associate benefits further confusing the financial transaction flows,” explains Rob Vann, CSO at Cyberfort.

It is also available relatively cheaply, depending on the package. Basic malware kits can typically be rented for around £80 ($108) to £400 ($543) per month, with more complex packages costing thousands. “Despite crackdowns, MaaS persists due to anonymized transactions on dark web marketplaces and evolving tactics that exploit weaker defences in vulnerable industries,” says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.

AI-enhanced MaaS

The growth of MaaS is a concern on its own. But experts warn malware kits are getting better at what they do due to technology such as AI. This is enabling attackers to create “adaptive malware that can evade traditional security measures”, says Matt Riley, data protection and information security officer at Sharp UK and Europe.

For example, AI tools could generate payloads designed to fool antivirus and machine learning-based detection models, disguising true intent by masquerading as legitimate code, says Vann.

Porteous points to OpenAI’s February 2025 report. “This highlights how North Korean-affiliated actors have used ChatGPT to research cyber intrusion techniques, develop PowerShell scripts for automation, and debug code for remote desktop protocol attacks. Given these findings, it is highly likely that MaaS operators are leveraging AI in similar ways.”

One of the most immediate impacts of AI on cyber crime is its ability to generate more convincing phishing attacks, says Porteous. “Generative AI can create highly personalized phishing emails that lack the grammatical errors and other red flags that security professionals have traditionally relied on to detect scams. MaaS platforms can integrate AI-powered tools to automate and scale these phishing campaigns with unprecedented efficiency.”

In the future, AI could be used for marketing and sales, too. Although there is no real evidence of this yet, there are indications that marketplaces are starting to utilize AI to drive interactions between the most lucrative vendors and partners, says Vann. “We expect to see the use of AI to build and leverage strong MaaS platforms, establish reputations for payments, and select partner relationships, special offers and other promotions to continue to drive financial performance in this area of cybercrime.”

What should businesses do about MaaS?

MaaS is being used more widely than ever before and it’s easy to see why. With this in mind, businesses should ensure they are in a solid position to defend against attacks utilising the criminal model.

It starts with good cyber hygiene. Make sure you do the basics well, says Vann. “Ensure that you aren’t the softest target, enforce multi-factor authentication (MFA) and make sure security tooling is up to date and functioning correctly.”

Meanwhile, train employees with real-world examples of deepfakes, AI-crafted phishing emails and other advanced techniques, he advises.

Layered cybersecurity strategies are “crucial”, adds Curran. “Advanced endpoint protection with AI is key to stopping smart malware. If a system does become compromised, network segmentation can limit the spread.”

Email filtering solutions should be in place and a zero trust security model will ensure no user or device is automatically trusted, says Curran. Investing in cyber threat intelligence and “a solid incident response plan” will help organizations to detect and mitigate threats faster, Curran adds.

At the same time, Curran emphasizes the importance of regularly backing up critical data offline. “This will ensure a swift and seamless recovery when – not if – an organization is attacked. This can even avoid the need to pay a ransom when critical systems are required back online quickly.”

Regularly updating and patching software to close vulnerabilities is “another vital step”, says Riley. “Cybercriminals often exploit outdated systems, and without these updates, even the most sophisticated defences can be bypassed.”

Kate O'Flaherty is a freelance journalist with well over a decade's experience covering cyber security and privacy for publications including Wired, Forbes, the Guardian, the Observer, Infosecurity Magazine and the Times. Within cyber security and privacy, her specialist areas include critical national infrastructure security, cyber warfare, application security and regulation in the UK and the US amid increasing data collection by big tech firms such as Facebook and Google. You can follow Kate on Twitter.