Platform09-Mar-26|12 min read

Loader-as-a-Service: The Industrialisation of Multi-Format Malware Delivery

When the delivery chain becomes a product, format complexity is a feature, not a bug

Definition:

Loader-as-a-Service (LaaS) is a subscription-based malware delivery model where the multi-format chain itself is the product. LaaS providers maintain, update, and operate the infrastructure that moves a customer's payload from initial phishing email through multiple file format transitions to execution on the target system. The payload operator never touches the delivery infrastructure.

Malware delivery used to be a craft. Each threat actor built their own loader, maintained their own infrastructure, and handled their own format transitions. If they wanted a phishing email that dropped a Word document that extracted a steganographic payload, they built every piece themselves. That model is dead. In 2025-2026, the delivery chain has become a commodity. Loader-as-a-Service providers sell subscription access to multi-format delivery infrastructure, complete with format chain options, geographic targeting, and detection-rate SLAs. The same infrastructure that delivers XWorm on Monday delivers AsyncRAT on Tuesday and AgentTesla on Wednesday. The delivery chain is the product. The payload is just a parameter.

From Tool to Service

The evolution follows a pattern familiar from legitimate software markets. First-generation loaders were standalone tools: a script or executable that an individual operator ran to deliver their payload. Second-generation loaders added configurable options: target selection, encoding choices, file format wrapping. Third-generation loaders are platforms: managed infrastructure with APIs, customer portals, and support channels.

Proofpoint's multi-year tracking of TA558 documents this transition. First identified in 2018 targeting Latin American hospitality organisations, the group expanded to deliver multiple malware families (AgentTesla, FormBook, Remcos, XWorm) through a consistent format chain infrastructure. Positive Technologies' 2024 SteganoAmor analysis showed the same email-to-Office-to-image delivery chain serving different payloads across campaigns. SEKOIA.IO's 2025 analysis of the Russian-speaking infostealer ecosystem documents a growing number of LaaS providers offering loader infrastructure as subscription services.

The LaaS Business Model

Underground marketplace research reveals pricing structures that mirror legitimate SaaS tiers. Delivery infrastructure is sold on weekly or monthly subscription terms, with pricing driven by three primary factors: format chain complexity, geographic targeting scope, and detection-rate guarantees. SEKOIA.IO's analysis of FakeBat documented pricing of $1,000/week to $5,000/month, providing a reference point for the broader market.

Key Examples
Basic
Format ChainEmail > single attachment (EXE/SCR)
Detection Rate GuaranteeNone
Geographic TargetingUntargeted
Approximate Monthly Cost$200-500
Standard
Format ChainEmail > Office doc > macro payload
Detection Rate GuaranteeBelow 30% on VirusTotal
Geographic TargetingRegion-level (NA/EU/APAC)
Approximate Monthly Cost$800-1,500
Premium
Format ChainEmail > Office > stego image > script
Detection Rate Guarantee<15% initial detection
Geographic TargetingCountry-level targeting
Approximate Monthly Cost$2,000-4,000
Enterprise
Format ChainCustom 4-5 format chain, rotating infrastructure
Detection Rate Guarantee<10%, 48hr re-pack SLA
Geographic TargetingOrganisation-level spearphishing
Approximate Monthly Cost$5,000-10,000+

The pricing correlation between format chain complexity and cost is not coincidental. Each additional format boundary requires specialised infrastructure: image generation pipelines for steganographic embedding, document template libraries for Office carriers, SMTP infrastructure for email delivery. LaaS providers invest in this infrastructure once and amortise it across customers. The economics favour the attacker at scale.

Shared Infrastructure, Diverse Payloads

Delivery-Payload DecouplingThe defining architectural feature of LaaS is the separation between delivery infrastructure and payload content. The delivery chain (email template, Office document, steganographic image, extraction script) remains constant across customers. Only the final encrypted payload blob changes. This decoupling is visible in campaign telemetry. Security researchers have documented cases where identical delivery chain structures served completely different final payloads across campaigns. The same email template and Office document structure delivers XWorm in one campaign, AsyncRAT in another, and Remcos in a third. Check Point's 2025-2026 commodity malware statistics confirm that the leading malware families increasingly share delivery infrastructure patterns. The delivery operator does not need to understand steganographic embedding or Office macro construction. They submit their compiled payload to the LaaS provider, and the infrastructure handles the rest.

Format Complexity as Competitive Advantage

In legitimate SaaS markets, features drive pricing. In the LaaS market, format boundaries drive pricing. More boundaries mean lower detection rates, and lower detection rates command premium subscriptions.

The economics are straightforward. Detection rates show a clear inverse correlation with format chain depth. The following estimates are derived from publicly available VirusTotal and sandbox detection data across multiple campaigns:

Key Examples
1 (direct attachment)
Format Boundaries0
Typical Initial DetectionHigh (majority of engines)
Relative EvasionBaseline
2 (email > document)
Format Boundaries1
Typical Initial DetectionModerate (macro/exploit detection)
Relative Evasion~2x evasion improvement
3 (email > doc > stego)
Format Boundaries2
Typical Initial DetectionLow (few engines follow chain)
Relative EvasionSignificant evasion advantage
4+ (full multi-format)
Format Boundaries3+
Typical Initial DetectionVery low (near-zero initial detection)
Relative EvasionMaximum evasion

Each additional format boundary roughly halves the detection rate. For LaaS providers, investing in a new format transition (adding steganographic capability, for example) directly translates to higher pricing power. The format boundary is the product differentiator.

The PhantomVAI Case Study

Unit 42's 2025 analysis of PhantomVAI reveals one of the most technically sophisticated active LaaS platforms. PhantomVAI operates as a Malware-as-a-Service loader delivering infostealers across multiple sectors including manufacturing, education, healthcare, and government.

PhantomVAI Technical ChainPhantomVAI's delivery chain uses multiple format boundaries with a custom marker system: 1. Spearphishing email with industry-specific lure document 2. DOCX with embedded macro that downloads a GIF image 3. GIF contains Base64-encoded DLL data delimited by custom '<<sudo_png>>' and '<<sudo_odt>>' markers 4. Extracted data is a .NET loader that downloads and executes the final infostealer (Katz Stealer) The marker system is significant because it is unique to PhantomVAI. Despite the 'png' in the marker name, the carrier files are GIFs. Standard steganographic extraction techniques (LSB, appended data, chunk-based) will not find the payload. The marker-based approach requires specific knowledge of PhantomVAI's embedding convention, making generic stego scanners ineffective. The platform is sold as a MaaS offering on underground forums, with the delivery chain infrastructure maintained by the PhantomVAI operators independently from the final payload.

Geopolitical Dimensions

LaaS providers are not uniformly distributed. SEKOIA.IO's research on the Russian-speaking infostealer ecosystem documents a concentration of loader and delivery services in Russian-language forums targeting Western organisations. Proofpoint's tracking of TA558 confirms Latin American operations primarily targeting regional organisations in Southern Europe and Latin America. ENISA's 2025 Threat Landscape Report and Europol's IOCTA 2025 both highlight the broader trend of cybercrime service specialisation and geographic clustering within criminal ecosystems.

The Russia-Ukraine conflict has had indirect effects on the cybercrime ecosystem. The fracturing of major ransomware groups (notably Conti in 2022) displaced experienced operators, some of whom have moved into service provision roles. This broader shift in the cybercrime labour market has contributed to the growth and professionalisation of LaaS offerings.

Impact on Detection Engineering

LaaS creates a fundamental challenge for signature-based detection. When delivery infrastructure rotates weekly, static signatures for document templates, image carriers, and email patterns expire before they can be deployed. The detection window shrinks from days to hours.

Behavioural detection catches the final payload but misses delivery attribution. An EDR alert on XWorm execution tells you what the payload does, not how it arrived. Without tracing the delivery chain, the same LaaS infrastructure continues operating against other targets. Detection without attribution is containment without prevention.

The attribution gap between delivery infrastructure and payload operators is the strategic consequence of LaaS. When one infrastructure serves multiple payload operators, blocking the payload stops one customer. Understanding and disrupting the delivery infrastructure stops all of them.

Recursive Container Analysis as Counter-Strategy

Following the format chain end-to-end enables both detection and attribution. The delivery chain fingerprint (specific email template structure, Office document generation patterns, steganographic embedding technique, extraction script style) is more stable than the payload itself. LaaS providers rotate payloads constantly but change their delivery infrastructure less frequently because it is expensive to rebuild.

Recursive container analysis, as implemented by platforms like KlaroSkope, traces these chains end-to-end: parsing the email, extracting the Office document, identifying the embedded image, extracting the steganographic payload, decrypting the content, and deobfuscating the final script. Each transition point preserves metadata that contributes to the delivery chain fingerprint. Two samples delivered through the same LaaS infrastructure will share chain characteristics even when their final payloads are completely different.

The Consolidation Thesis

The LaaS market is following the same consolidation pattern as legitimate SaaS. Early markets are fragmented with many small providers. Over time, providers with better infrastructure, lower detection rates, and more reliable service absorb competitors' customer bases.

Check Point's 2025-2026 commodity malware statistics show the leading five malware families (XWorm, AsyncRAT, AgentTesla, Remcos, FormBook) increasingly sharing delivery infrastructure. This convergence suggests a small number of LaaS providers serve the majority of commodity malware operations. For defenders, this is both a challenge (better-resourced adversary infrastructure) and an opportunity (fewer infrastructure fingerprints to track).

The implications for 2027 and beyond are structural. As LaaS matures, the delivery chain becomes more standardised, more resilient, and harder to disrupt through individual takedowns. Defenders must shift from payload-focused detection to infrastructure-focused disruption, targeting the delivery chains themselves rather than the payloads they carry.

Try it now --> klaroskope.com/submit - upload an email or container from a suspected LaaS chain and see KlaroSkope walk the email-to-document-to-image-to-script transitions automatically. The delivery-chain fingerprint, the embedded payload extraction, and the deobfuscated final stage are surfaced together, so attribution by chain stays possible regardless of which payload sits at the bottom.

Frequently Asked Questions

Q

What is Loader-as-a-Service?

Loader-as-a-Service (LaaS) is a subscription-based malware delivery model where providers sell access to multi-format delivery infrastructure. Customers submit their payload, and the LaaS provider handles the full delivery chain: email creation, document wrapping, steganographic embedding, and format transitions. The delivery chain is the product.
Q

How does LaaS differ from traditional malware distribution?

Traditional malware distribution requires each operator to build and maintain their own delivery infrastructure. LaaS decouples delivery from payload: a single delivery chain serves multiple customers with different payloads. This mirrors the SaaS model in legitimate software, with subscription pricing, SLAs, and customer portals.
Q

Which malware families use LaaS delivery?

XWorm, AsyncRAT, AgentTesla, Remcos, and FormBook are the most commonly delivered via LaaS infrastructure. Check Point's 2025-2026 reporting shows these families increasingly sharing delivery chains, suggesting a small number of LaaS providers serve the majority of commodity malware operations.
Q

Can format chain fingerprinting attribute LaaS providers?

Yes. Delivery chain fingerprints (email template structure, document generation patterns, steganographic technique, extraction script style) are more stable than payloads. LaaS providers rotate payloads frequently but change delivery infrastructure less often. KlaroSkope processes LaaS delivery chains through recursive container analysis, following email-to-Office-to-image-to-script transitions automatically to extract these fingerprints.
Q

What is the outlook for Loader-as-a-Service in 2027?

The LaaS market is consolidating. Fewer providers with better infrastructure will serve more customers, producing more standardised delivery chains. This creates better-resourced adversaries but also fewer unique infrastructure fingerprints to track. Defenders must shift from payload-focused detection to delivery-infrastructure-focused disruption.

Found this useful? Sharing is caring!

Ready to decode?

See KlaroSkope transform obfuscated scripts into actionable intelligence.

Try It Free