Why ‘malware as a service’ is becoming a serious problem
Malware builders are selling their services and contributed to a 300% increase in attacks at the end of 2024
There was a distinct surge in separate malware campaigns delivering the same payload last year, research shows, suggesting hackers are increasingly procuring tools from ‘malware as a service’ platforms.
The malware as a service model is becoming the dominant mode of cyber attacks as the cyber crime space continues to mature into a lucrative ecosystem for hackers for hire.
New research from Darktrace found the malware as a service (MaaS) model was responsible for 57% of all cyber threats detected in the second half of 2024, up 17% from the first half of the year.
A report from WatchGuard also warned it observed an “astronomical surge” in total malware threats in the third quarter of 2024, surpassing 420,000.
Total malware threats refers to the number of unique attempts detected on WatchGuard-protected endpoints with any duplicates - those with the same hash are not counted.
WatchGuard noted this represented a 300% increase on the previous quarter’s figures, which is the largest quarterly rise it has ever observed.
The report stated that one might conclude this surge was driven by an overall increase in new threats, but WatchGuard found that there was actually an “uncharacteristic decline in new threats”.
It noted that the results of its telemetry indicate there has been a “flood of homogenous spam-like malware arriving on endpoints, likely separate malware campaigns with the same payload”.
The report further stated that there are often numerous duplicate malware families from quarter to quarter, but this time there was only one: Glupteba.
WatchGuard described Glupteba as a multi-faceted malware with various capabilities, such as acting as a botnet, stealing information, mining cryptocurrency, and loading other malware onto the system.
Malware as a service rise propped up by phishing attacks
Phishing remains the dominant initial access vector used in these attacks, with Darktrace recording over 30.4 million phishing emails targeting its customers between December 2023 and 2024.
Just under two-fifths (38%) of these emails were targeted spear phishing attacks tailored for ‘high value individuals’.
Darktrace noted 32% of the detected phishing emails contained AI generated text that displayed some form of ‘linguistic complexity’ such as increased text volume, punctuation, and sentence length.
The sophistication of these techniques has blossomed, the report added, stating that 70% of the emails containing AI-enhanced phishing content passed the popular DMARC authentication system, which is used to verify the legitimacy of incoming emails.
Moreover, 55% of all the emails had successfully found their way through all of the target organization’s existing layers before being detected.
Attacks leveraging QR codes, or qishing, have become a growing trend in today’s threat landscape, exploiting the often-weaker security of mobile devices, and Darktrace detected just under a million (940,000) malicious QR codes in the emails it analyzed.
Legitimate service attacks are another key focus
The report also noted threat actors were often seen abusing legitimate services to lend authenticity to their scams. The researchers observed hackers exploiting a number of trusted services such as Microsoft Sharepoint, Zoom Docs, QuickBooks, HelloSign, and Adobe to disguise their sender address.
In addition, trusted service providers were also appropriated as parts of the threat actor’s attack infrastructure, Darktrace noted.
“Threat actors were frequently observed using redirects via legitimate services like Google to deliver malicious payloads, effectively evading detection,” the report said.
“Additionally,Darktrace noted instances where attackers hijacked email accounts, including Amazon Simple Email Service (SES) accounts, belonging to legitimate third parties, such as business partners and trusted vendors.”
RELATED WHITEPAPER
ITPro learned that living off trusted services (LoTS) attacks are becoming an increasingly important part of the threat actors arsenal as general security awareness among their targets grows.
A recent report from security firm Mimecast explained that while these tactics often make their attacks more complex, it helps attackers get around increased authentication checks on corporate accounts.
It added that major cloud providers whose services are often abused in these attacks, namely Google and Microsoft, have begun taking steps to root out the malicious use of their platforms in such attacks.
As a result, threat actors have been observed migrating to slightly smaller trusted services providers that they can use to lend authenticity to their attacks.
MORE FROM ITPRO
-
Salesforce targets telco gains with new agentic AI toolsNews Telecoms operators can draw on an array of pre-built agents to automate and streamline tasks
-
Four national compute resources launched for cutting-edge science and researchNews The new national compute centers will receive a total of £76 million in funding
-
A single compromised account gave hackers access to 1.2 million French banking recordsNews Ficoba has warned that “numerous” scams are already in circulation following the data breach
-
Starkiller: Cyber experts issue warning over new phishing kit that proxies real login pagesNews The Starkiller package offers monthly framework updates and documentation, meaning no technical ability is needed
-
‘They are able to move fast now’: AI is expanding attack surfaces – and hackers are looking to reap the same rewards as enterprises with the technologyNews Potent new malware strains, faster attack times, and the rise of shadow AI are causing havoc
-
Security experts warn Substack users to brace for phishing attacks after breachNews Substack CEO Christ Best confirmed the incident occurred in October 2025
-
Google issues warning over ShinyHunters-branded vishing campaignsNews Related groups are stealing data through voice phishing and fake credential harvesting websites
-
Hackers are using LLMs to generate malicious JavaScript in real time – and they’re going after web browsersNews Defenders advised to use runtime behavioral analysis to detect and block malicious activity at the point of execution, directly within the browser
-
Thousands of Microsoft Teams users are being targeted in a new phishing campaignNews Microsoft Teams users should be on the alert, according to researchers at Check Point
-
Microsoft warns of rising AitM phishing attacks on energy sectorNews The campaign abused SharePoint file sharing services to deliver phishing payloads and altered inbox rules to maintain persistence
