Malware-as-a-Service (MaaS): The Rise of Cybercrime as a Business Model

Key takeaways

  • Malware-as-a-Service has professionalized cybercrime, turning hacking into a scalable, subscription-based ecosystem with tools, support, and profit-sharing models that allow even low-skill actors to launch complex attacks.

  • The MaaS ecosystem covers nearly every step of the attack chain, from initial access brokers to loaders, info-stealers, phishing platforms, and ransomware, lowering the technical barrier for affiliates and increasing attack frequency and sophistication.

  • Defending against MaaS requires proactive, multi-layered strategies: visibility into threats against endpoints, identities, applications, infrastructure, and employees, plus regular tabletop drills so the team is ready when a malware attack does happen.

The popular image of the hoodie-wearing lone-wolf hacker furiously coding exploits to win bragging rights belongs to the past. Today’s attacks are run much more like a business, thanks to the rise of malware-as-a-service (MaaS). Taking their cue from legitimate software vendors, sophisticated MaaS groups offer user-friendly kits, round-the-clock customer support, and tiered payment plans.

These off-the-shelf hacking kits have produced an explosion of would-be cybercriminals who, with little technical expertise and a low upfront investment, can assemble a stack of “crimeware” and launch devastating campaigns against high-value targets. Last year, the FBI's Internet Crime Complaint Center (IC3) reported a staggering $16 billion in losses (up 33% year over year), a figure that the efficiency gains of the MaaS model have done much to drive. In this article, we explain malware-as-a-service and how to guard against it.


How malware-as-a-service operates

Just as the legitimate software industry realized that selling ongoing services was more profitable and sustainable than selling one-time licenses, cybercriminal syndicates have adopted the subscription economy. This creates an interconnected supply chain of criminal vendors that specialize in different components of the kill chain. Operators focus on creating and maintaining the malware, while affiliates rent these tools to execute attacks.

Subscription and licensing

Cybercrime-as-a-service operators use a few different models:

  • Monthly and annual subscriptions: Common for "volume" malware such as info-stealers, keyloggers, and phishing kits. Affiliates pay a flat recurring fee (typically $150–$1,000 per month) to access the malware builder, control panel, and regular updates. 

  • Lifetime licenses: A one-time fee, often seen with lower-tier tools or to promote the initial launch of a new malware strain.

  • Affiliate revenue share: The standard for high-stakes Ransomware-as-a-Service (RaaS). Instead of charging an upfront fee, the operator takes a cut of each ransom. Affiliates keep the bulk (70%–90%) and the core RaaS operator takes the remainder, so the operator is paid only when an affiliate succeeds, which incentivizes it to keep the ransomware reliable and hard to detect.


Customer experience

Because underground cybercrime services compete for the same customers, the customer experience is what sets an operator apart. Top-tier MaaS operators provide enterprise-quality training materials backed by 24/7 support, usually through Telegram channels or dark web forums. The forums’ “arbitration courts” add accountability: a buyer who was scammed or sold a non-working tool can open a dispute, and an operator who loses the case, or refuses to pay up, is publicly blacklisted and banned.



Common components of the MaaS ecosystem

The MaaS market features operators at nearly every step of the kill chain, substantially lowering the barrier to entry for affiliates. Malware-as-a-service examples include:

Initial Access Brokers (IABs)

IABs specialize in breaching corporate networks and selling the “keys to the castle,” such as remote desktop protocol (RDP) credentials, VPN accounts, or web shells installed on compromised servers. Pricing is often based on the target’s annual revenue, location, and level of privileges. IABs have dramatically sped up the tempo of cyberattacks, giving defenders less time to detect intrusions before impact.

Loaders and droppers

Loaders are the delivery trucks of the MaaS world: malware built to gain a foothold on a system, establish persistence, and pull down additional payloads. Pikabot, widely regarded as the successor to Qakbot, has become a go-to tool for distributing ransomware. Typically launched from a malicious email attachment, Pikabot connects to a command-and-control (C2) server and waits for instructions to fetch and run secondary payloads.

Info-stealers

Info-stealers are malicious programs that harvest sensitive data, primarily from browsers: saved passwords, autofill data, and, most critically, session cookies. The resulting “logs” are sold in bulk and are a frequent pathway to high-impact breaches, because a valid session cookie lets an attacker step into an already-authenticated session and bypass MFA entirely. Last year, the number of info-stealers delivered via phishing shot up 84%.

Phishing-as-a-Service (PhaaS)

Phishing has evolved from simple credential-harvesting sites to sophisticated adversary-in-the-middle (AiTM) platforms that defeat traditional MFA in real time. Platforms like Tycoon 2FA direct victims to a reverse proxy that looks identical to a legitimate login page (e.g., Microsoft 365). The victim enters their credentials, which the proxy relays to the real service; the real service issues its MFA prompt, the victim completes it through the proxy, and the proxy captures the session cookie that comes back. The attacker now holds an authenticated session and never needs to see the second factor again.


For a monthly fee, the affiliate gains access to hosted infrastructure, customizable templates, and a dashboard to manage stolen sessions.

Ransomware-as-a-Service (RaaS) families

Despite an increasing number of organizations refusing to pay ransoms, RaaS is among the most financially destructive segments of the MaaS economy, with the average cost of a ransomware breach at $5.08 million (not including the ransom). 


Major ransomware groups operate like cartels, aggressively protecting their brand reputation and infrastructure while managing a global network of affiliates. LockBit was for years the most prolific RaaS operation, with a corporate approach that included the industry’s first “bug bounty” program, strict operational security rules for affiliates, and a triple-extortion model (encryption, data leak, and DDoS), and it stayed in the top tier even after law enforcement disrupted its infrastructure in February 2024. Last year, the IC3 received 3,156 ransomware complaints, with critical infrastructure being the primary target. The top five variants listed, Akira, LockBit, RansomHub, FOG, and PLAY, are all RaaS operations.


Why malware-as-a-service is scaling rapidly

The explosive growth of malware-as-a-service rests on structural advantages that make it scalable, resilient, and hugely profitable. MaaS has democratized cybercrime: attackers no longer need deep knowledge of coding, networking, cryptography, or exploit development. With a RaaS subscription and a list of compromised RDP credentials, a “script kiddie” with no coding skills can launch an enterprise-grade attack within hours.

Additionally, the underground’s philosophy of shared intelligence has helped level up a generation of cybercriminals, with leaked Conti playbooks and LockBit manuals providing a masterclass.

Competition between fellow operators and with the cybersecurity community also breeds constant updates. MaaS operators must continually innovate to evade detection and offer an edge that retains subscribers. 

With the promise of a serious return on investment, the MaaS ecosystem continues to draw new actors. When a $500 investment in a phish kit and IAB access could earn a six- or seven-figure payday, the appeal of MaaS is obvious.



Defense playbook for combating MaaS

MaaS cybersecurity requires a shift away from traditional perimeter defense. Organizations must assume breach and focus on rapid detection, containment, and resilience. 

Identity protections

With the rise of AiTM phishing and info-stealers, protecting user identity has become a critical first line of defense. Traditional MFA methods (SMS codes, authenticator one-time codes, push approvals) are vulnerable to proxy attacks because the second factor is just another value the proxy relays in real time. Organizations should adopt FIDO2/WebAuthn for phishing-resistant MFA: the authenticator signs a challenge that is bound to the origin of the page the browser is actually on, so a credential registered for the real login page cannot be exercised from a look-alike proxy domain.
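The AiTM relay described under Phishing-as-a-Service, and the reason FIDO2/WebAuthn resists it, as an added example that is not part of the original article or Huntress code. The authenticator's ECDSA signature is stood in for by an HMAC over exactly the bytes a real authenticator signs (authenticatorData || SHA-256(clientDataJSON)), the challenge is carried as hex rather than base64url, and the hostnames login.example.com and login-example.com and the credential key are constructed for the example:

```python
"""Why a FIDO2/WebAuthn login survives an AiTM proxy: the origin is signed.

Added example, not Huntress code. The authenticator's ECDSA signature is stood
in for by an HMAC over exactly the bytes a real authenticator signs
(authenticatorData || SHA-256(clientDataJSON)); challenge encoding is simplified
to hex. Hostnames and the credential key are constructed for the example.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                       # relying party ID (a registrable domain)
RP_ORIGIN = "https://login.example.com"     # the genuine login page
PROXY_ORIGIN = "https://login-example.com"  # attacker's look-alike AiTM host

# Credentials live on the authenticator, scoped to an rpId. Constructed key.
AUTHENTICATOR_CREDS = {RP_ID: secrets.token_bytes(32)}


def authenticator_sign(rp_id: str, challenge: bytes, origin: str) -> dict:
    """Build and sign an assertion; fails if no credential is scoped to rp_id."""
    if rp_id not in AUTHENTICATOR_CREDS:
        raise LookupError("no credential for rpId " + rp_id)
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        separators=(",", ":")).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash, 32 bytes
                 + b"\x01"                                 # flags: UP (user present)
                 + (1).to_bytes(4, "big"))                 # signCount
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(AUTHENTICATOR_CREDS[rp_id], to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data_json,
            "authenticatorData": auth_data, "signature": sig}


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes) -> dict:
    """navigator.credentials.get() as the browser enforces it: the browser, not
    the page, writes the origin into clientDataJSON, and it rejects an rpId
    that is not the page's host or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId not valid for " + page_origin)
    return authenticator_sign(rp_id, challenge, page_origin)


def rp_verify(challenge: bytes, assertion: dict) -> str:
    """Relying-party checks (WebAuthn L2 section 7.2); 'ok' or the failing check."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "type mismatch"
    if cd.get("challenge") != challenge.hex():
        return "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch: " + str(cd.get("origin"))
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence not asserted"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    # A real RP verifies with the stored public key; the shared key stands in.
    expected = hmac.new(AUTHENTICATOR_CREDS[RP_ID], to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"
    return "ok"


def run_scenarios() -> dict:
    """One genuine login, then the three points at which an AiTM relay fails."""
    challenge = secrets.token_bytes(32)   # issued by the RP; the proxy relays it verbatim
    out = {}
    # 1. The victim really is on login.example.com.
    out["legit"] = rp_verify(challenge, browser_get_assertion(RP_ORIGIN, RP_ID, challenge))
    # 2. Proxy page requests the real rpId: the browser refuses before any prompt.
    try:
        browser_get_assertion(PROXY_ORIGIN, RP_ID, challenge)
        out["proxy_real_rpid"] = "assertion issued"
    except PermissionError as e:
        out["proxy_real_rpid"] = str(e)
    # 3. Proxy page requests its own rpId: the authenticator holds no such credential.
    try:
        browser_get_assertion(PROXY_ORIGIN, "login-example.com", challenge)
        out["proxy_own_rpid"] = "assertion issued"
    except LookupError as e:
        out["proxy_own_rpid"] = str(e)
    # 4. Even a tampered client that signs with the proxy origin is rejected by the RP.
    forged = authenticator_sign(RP_ID, challenge, PROXY_ORIGIN)
    out["proxy_forged_origin"] = rp_verify(challenge, forged)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:20s} {result}")
```

Three independent checks stop the relay: the browser refuses an rpId that does not match the page it is on, the authenticator holds no credential for the proxy's own domain, and the relying party rejects any clientDataJSON whose origin is not its own. Contrast OTP or push, where the second factor is a bearer value the proxy can forward unchanged. Note what this does not cover: a session cookie issued after a genuine FIDO2 login is still stealable by an info-stealer, which is why conditional access on the session still matters.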

Identity providers should be configured to enforce strict conditional access. Policies that gate access on device health (compliant or managed devices), geolocation, and impossible travel mean that a stolen session cookie presented from an unmanaged device or an unexpected location can be challenged or revoked rather than trusted on its own. Identity threat detection and response (ITDR) tooling adds real-time detection of identity-based threats such as anomalous sign-ins and token replay.


Endpoint detection and response (EDR)

Operators repack and mutate their payloads, increasingly with AI assistance, so that hash- and signature-based antivirus misses each new build. EDR counters this by monitoring behavior rather than file hashes: the suspicious parent-child process chains that loaders like Pikabot rely on (for example, a mail client or archive tool spawning a script host that in turn launches rundll32 to load a DLL from a user-writable folder) look the same no matter how the payload is packed, and EDR can flag them and terminate the process tree automatically.
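The behavioural approach described above, as an added example that is not part of the original article or Huntress code. It runs three parent-child rules over constructed process telemetry (pid, ppid, image path, command line) describing a generic mail client -> archiver -> script host -> rundll32 chain; the PIDs, paths and file names are made up and the chain is illustrative, not a claim about any specific malware family:

```python
"""Behavioural detection of a loader chain from process telemetry.

Added example, not Huntress code. EDR rules key on *relationships* between
processes (who spawned what, loading from where), so a repacked or
polymorphic loader trips the same rule as the original. The events below are
constructed telemetry in the shape most sensors emit (pid, ppid, image,
command line); the chain is a generic mail -> archive -> script -> LOLBin
loader pattern, not a claim about any one family.
"""
import re
from dataclasses import dataclass

DOC_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "7zfm.exe", "winrar.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}
LOLBIN_LOADERS = {"rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Parent, grandparent, ... as far as telemetry reaches (cycle-safe)."""
    chain, seen, p = [], set(), by_pid.get(ev.ppid)
    while p is not None and p.pid not in seen:
        seen.add(p.pid)
        chain.append(p)
        p = by_pid.get(p.ppid)
    return chain


def detect(events) -> list:
    """Return (pid, rule, detail) for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        lineage = [basename(a.image) for a in ancestors(e, by_pid)]
        # R1: a document or archive handler should not spawn a script host.
        if pimg in DOC_HANDLERS and img in SCRIPT_HOSTS:
            alerts.append((e.pid, "R1 document/archive handler spawned script host", f"{pimg} -> {img}"))
        # R2: rundll32/regsvr32 loading a module from a user-writable path.
        if img in LOLBIN_LOADERS and USER_WRITABLE.search(e.cmdline):
            alerts.append((e.pid, "R2 LOLBin loading module from user-writable path", e.cmdline))
        # R3: a LOLBin loader anywhere downstream of a document handler, even
        #     with cmd.exe or wscript.exe in between.
        if img in LOLBIN_LOADERS and any(a in DOC_HANDLERS for a in lineage):
            alerts.append((e.pid, "R3 loader with document-handler ancestry", " <- ".join([img] + lineage)))
    return alerts


# Constructed telemetry: one malicious chain and two benign look-alikes.
EVENTS = [
    ProcEvent(4112, 1204, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5220, 4112, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(6002, 5220, r"C:\Program Files\7-Zip\7zFM.exe",
              r'"C:\Program Files\7-Zip\7zFM.exe" C:\Users\jdoe\AppData\Local\Microsoft\Windows\INetCache\Invoice_4471.zip'),
    ProcEvent(6340, 6002, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\7zO8C1\Invoice_4471.js"'),
    ProcEvent(6388, 6340, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c rundll32 %TEMP%\upd.dll,Enter"),
    ProcEvent(6420, 6388, r"C:\Windows\System32\rundll32.exe", r"rundll32 C:\Users\jdoe\AppData\Local\Temp\upd.dll,Enter"),
    # Benign: Word hands off to the print spooler helper.
    ProcEvent(7001, 4112, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
    ProcEvent(7050, 7001, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Benign: rundll32 loading a system DLL with no document-handler ancestry.
    ProcEvent(7100, 4112, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid}: {rule}\n    {detail}")
```

None of the rules inspects a hash: renaming or repacking upd.dll changes nothing, while the benign WINWORD.EXE -> splwow64.exe and explorer.exe -> rundll32.exe events stay quiet. In production the same rules need allow-listing for line-of-business macros and installers that legitimately spawn script hosts, and the response action (kill the tree, isolate the host) is what turns the detection into containment.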


SIEM 

Security information and event management (SIEM) stitches together signals from endpoints, identity providers, network devices, and applications so that multi-stage attacks become visible as one story. A VPN login from a source IP on a threat intelligence list, followed minutes later by unusual activity on that user's endpoint, is a far stronger signal together than either event is alone.
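The correlation described above, together with the impossible-travel policy from the identity section, as an added example that is not part of the original article or Huntress code. It runs two rules over constructed sign-in and endpoint events: impossible travel between successive successful sign-ins, and a VPN sign-in from a threat-intel-listed IP followed within an hour by an endpoint alert for the same user. IPs are RFC 5737 documentation addresses; the users, hosts, coordinates, thresholds and intel list are assumptions:

```python
"""SIEM-style correlation of identity and endpoint signals.

Added example, not Huntress code. Implements two of the signals the page
describes over constructed events: impossible travel between successive
sign-ins, and a VPN sign-in from a threat-intel-listed IP followed within an
hour by an endpoint alert for the same user. IPs are RFC 5737 documentation
addresses; users, hosts, coordinates, thresholds and the intel list are made up.
"""
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900           # faster than an airliner is "impossible travel"
MIN_DISTANCE_KM = 50              # ignore GeoIP jitter inside one metro area (assumed)
CORRELATION_WINDOW = timedelta(minutes=60)
THREAT_INTEL_IPS = {"198.51.100.77", "203.0.113.200"}    # constructed feed


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Sign-in events: (time, user, src_ip, lat, lon, app, outcome)   -- constructed
SIGNINS = [
    (T("2025-03-04T09:00:00"), "jdoe",   "203.0.113.10",  39.74, -104.99, "vpn",  "success"),
    (T("2025-03-04T09:20:00"), "jdoe",   "198.51.100.77", 50.11,    8.68, "vpn",  "success"),
    (T("2025-03-04T09:05:00"), "asmith", "203.0.113.44",  47.61, -122.33, "m365", "success"),
    (T("2025-03-04T13:30:00"), "asmith", "203.0.113.44",  47.61, -122.33, "vpn",  "success"),
    (T("2025-03-04T09:50:00"), "jdoe",   "203.0.113.200", 55.75,   37.62, "m365", "failure"),
]
# Endpoint alerts: (time, host, user, detail)   -- constructed
ENDPOINT_ALERTS = [
    (T("2025-03-04T09:35:00"), "WS-0142", "jdoe",   "rundll32 loaded DLL from AppData\\Local\\Temp"),
    (T("2025-03-04T15:00:00"), "WS-0077", "asmith", "PUA: bundled toolbar installer"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(signins):
    """Flag successive successful sign-ins per user whose implied speed is implausible."""
    findings, last = [], {}
    for ev in sorted(signins, key=lambda e: e[0]):
        ts, user, ip, lat, lon, _app, outcome = ev
        if outcome != "success":
            continue                      # a failure is no proof the user was there
        if user in last:
            pts, _puser, pip, plat, plon, *_ = last[user]
            km = haversine_km(plat, plon, lat, lon)
            hours = (ts - pts).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")   # same-second logins
            if km >= MIN_DISTANCE_KM and speed > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "from_ip": pip, "to_ip": ip, "km": round(km),
                                 "kmh": round(speed) if hours > 0 else None})
        last[user] = ev
    return findings


def ti_login_then_endpoint_alert(signins, alerts, ti=THREAT_INTEL_IPS, window=CORRELATION_WINDOW):
    """VPN sign-in from a threat-intel IP followed within `window` by an endpoint alert for that user."""
    findings = []
    for ts, user, ip, _lat, _lon, app, outcome in signins:
        if app != "vpn" or outcome != "success" or ip not in ti:
            continue
        for ats, host, auser, detail in alerts:
            if auser == user and ts <= ats <= ts + window:
                findings.append({"user": user, "src_ip": ip, "host": host, "alert": detail,
                                 "minutes_after_login": int((ats - ts).total_seconds() // 60)})
    return findings


def correlate(signins=SIGNINS, alerts=ENDPOINT_ALERTS):
    """Run both rules; a user appearing in both is the case to open first."""
    travel = impossible_travel(signins)
    chain = ti_login_then_endpoint_alert(signins, alerts)
    both = sorted({f["user"] for f in travel} & {f["user"] for f in chain})
    return {"impossible_travel": travel, "ti_login_then_alert": chain, "escalate": both}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(), indent=2))
```

Neither rule is conclusive alone: VPN egress points and GeoIP errors produce impossible-travel false positives, and a threat-intel hit on a shared VPN provider is common. The value is in the join: a user who trips both within the same hour is the case the SOC should open first, which is what the escalate list returns.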


Takedown coordination

Law enforcement operations play a vital role in disrupting the MaaS ecosystem. Operations like the FBI's “Duck Hunt,” which dismantled the Qakbot infrastructure in 2023 by seizing servers, redirecting botnet traffic to FBI-controlled systems, and pushing an uninstaller to infected hosts, break the supply chain that loaders feed. These disruptions are often temporary, but they force adversaries to rebuild infrastructure and win back affiliates, raising their costs and friction. Organizations contribute by reporting incidents to the IC3 and sharing indicators with law enforcement.


Incident Response tabletop drills

To respond effectively to a cyber incident, organizations must have an incident response plan in place and regularly run tabletop simulations to test it and prepare their teams. These exercises test communication between IT, legal, and leadership, walk through difficult decision points (such as whether to pay and when to notify), and rehearse technical procedures such as restoring critical systems from backup, all without the pressure of a live alert.


Guard against MaaS with Huntress

Malware-as-a-service has armed every bad actor with enterprise-grade hacking capabilities, rapidly accelerating attacks and fueling the ransomware boom. Huntress is a MaaS cybersecurity platform designed to disrupt MaaS kill chains with identity, endpoint, and log monitoring, all backed by a 24/7 AI-assisted SOC.




Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.