What Is Malware-as-a-Service (MaaS)

Short answer

Malware-as-a-Service (MaaS) is a business model in which infostealer developers rent their tools to other criminals through subscription plans. Most active infostealers in 2025, including Lumma, RedLine, and Raccoon, operate on this model. MaaS has made infostealer deployment accessible to anyone: no technical skills required, just a subscription and a distribution method.

How MaaS works

MaaS operators develop and maintain the malware, host command-and-control infrastructure, and provide a management panel where customers can configure campaigns, view stolen data, and download logs. Pricing typically ranges from $100 to $1,000 per month, depending on the stealer's capabilities and the level of support included.

Some MaaS platforms even offer customer support, feature updates, and documentation, directly mirroring legitimate SaaS businesses. For infostealers specifically, this means constant improvement in evasion techniques, new data targets, and faster exfiltration, making them increasingly difficult to detect.

Why MaaS drives the infostealer explosion

The MaaS model creates a flywheel effect:

  • Lower barrier: anyone with cryptocurrency can deploy a sophisticated infostealer. No coding required.

  • Rapid innovation: MaaS developers compete on features such as better evasion, more data types, and faster exfiltration. This drives constant improvement.

  • Scale: thousands of operators can run campaigns simultaneously using the same malware, multiplying the volume of infections.

  • Specialization: the ecosystem splits into roles: developers, distributors, access brokers, and end-users of stolen data. Each role optimizes its part.

Impact on organizations

MaaS means the volume of infostealer attacks will continue to grow: more operators, more campaigns, more stolen sessions. Defending against this requires monitoring the output of these campaigns: the stolen logs and active sessions that appear on criminal marketplaces. Passguard continuously monitors these criminal marketplaces and alerts your organization the moment stolen sessions linked to your systems are listed for sale.

Detect infostealers before they strike

Trusted by security experts • See results in 1 minute
