Written by the Center of Security Studies (KEMEA)

In the internet’s dark underworld, Malware-as-a-Service (MaaS) is a potent enabler of cybercriminal activity. Much like Software-as-a-Service (SaaS), MaaS offers malware services, know-how, and tools to anyone who pays, regardless tof heir level of tech-savviness. Actually, the less tech-savvy an aspiring cyber-criminal is, the better, for the provision of such services. The propagation of this sort of crime service has led, according to Darktrace, to a huge rise in malware attacks, with MaaS services responsible for 57% of all cyber threats in the second half of 2024.

The way that MaaS “companies” work is not different than any other online business: they offer either subscriptions or pay-per-use methods, and they provide criminals with malware kits, tools, and – as a proper business – customer support. Of course, all this is going down through anonymised payments. This underground economy is thus booming, lurking under detection thresholds.

One of the wildest examples out there is Emotet. It started off as just another banking Trojan, but then leveled up into a fully-blown MaaS operation. Basically, it let hackers piggyback on its infrastructure to spread ransomware and spyware. It got so out of hand that in 2021, Europol, alongside the FBI, teamed up for a massive takedown. Yet, even after that, Emotet made a comeback in 2022—proof that these MaaS setups are not only tough to kill, but built to bounce back. Clearly, the implications are severe. MaaS (and CaaS) not only lowers the barrier to entry for cybercriminals but also increases the sophistication of the attacks. These attacks are harder to detect and remove, and quite often bypass traditional security defenses.

Disrupting MaaS is a cybersecurity imperative. Coordinated international efforts to identify and dismantle infrastructure, prosecute developers and affiliates, and cut-off financial channels is of the utmost importance, albeit easier said than done. Governments must invest in cyber task forces, while businesses should adopt zero-trust architectures and cyber threat intelligence sharing. Public awareness campaigns can help individuals recognise and avoid phishing and malware scams. The fight against MaaS and CaaS is not only technical but strategic, legal, and societal. Cybercrime as a commodity is here to stay; thus, its disruption is critical to safeguarding our digital future.