You have probably come across acronyms like RaaS, MaaS and IaaS more and more often. They are different abbreviations for the same simple idea: malware has effectively become a product, sold and supported like a service. RaaS stands for Ransomware-as-a-Service and MaaS for Malware-as-a-Service; on underground forums IaaS is used for Infostealer-as-a-Service, not to be confused with cloud Infrastructure-as-a-Service.

This is because, while the dark web continues to serve as the gateway to illicit activities, the black market for malware is the part of its catalogue that is growing fastest. Malicious software designed to steal, destroy, or control information is now accessible to anyone, even those with minimal technical skills, thanks to increasingly polished, service-oriented distribution models.

In this article we look at five of the best-selling malware families currently circulating on underground marketplaces, explaining what they do, roughly what they cost, and why they represent a growing and concrete threat. Prices are those advertised on forums and Telegram channels at the time of writing; they change often, and cracked builds of several of these tools circulate for free.


Disclaimer: This content is for informational and educational purposes only. We do not promote or support the use or purchase of malicious software in any way.



1. RedLine Stealer

  • Category: Infostealer
  • Price: $100 – $150 one-time
  • Description: RedLine is one of the longest-lived and most widespread infostealers. Written in .NET and sold mainly through Telegram, it steals a wide range of data: credentials, cookies and autofill data stored in Chromium- and Firefox-based browsers, browsing history, cryptocurrency wallets, FTP and VPN client credentials, and a fingerprint of the host (operating system, hardware, installed software). Each infected machine yields a "log" that is then resold in bulk on dedicated marketplaces.
  • Distribution: Primarily spreads through phishing campaigns, compromised websites, and counterfeit software often disguised as cracks or free utilities.
  • Features: Its intuitive management interface and available documentation make it a popular choice even for novice malicious actors. Moreover, its code has been reused and modified multiple times to create increasingly evasive variants.
  • Evolution: RedLine has adapted to new detection techniques over time, becoming progressively stealthier: recent builds rely on heavy .NET obfuscation and encrypted communication with their command-and-control (C2) servers. In October 2024 its infrastructure, together with that of the related META stealer, was seized in the law-enforcement action known as Operation Magnus. Logs from previously infected machines continue to be traded, and cracked builds keep older variants in circulation.



2. Raccoon Stealer v2

  • Category: Infostealer-as-a-Service (IaaS)
  • Price: subscription; the original version was advertised at $75/week or $200/month, and v2 pricing has varied
  • Description: Raccoon Stealer gained popularity as a subscription-based malware service. Its operators suspended it in March 2022, claiming a lead developer had died; that same month a Ukrainian national later charged in the United States as one of its core operators was arrested in the Netherlands. The malware returned in mid-2022 as Raccoon Stealer v2, rewritten and more modular than its predecessor.
  • Distribution: Mainly spread through malspam campaigns and fraudulent downloads, often used in targeted attacks against end-users and small businesses.
  • Features: Beyond its versatility, what makes Raccoon dangerous is its ease of use. A buyer can be collecting sensitive data within hours of purchase. Its infrastructure is regularly updated and supported by the developers behind the service.
  • Capabilities: Harvests data from dozens of applications, including Chromium- and Gecko-based browsers, FTP clients, and cryptocurrency wallets, and exfiltrates it to its C2 server over HTTP. Earlier versions retrieved their C2 address from the description of a Telegram channel, which is why Telegram is often mentioned in connection with its infrastructure.



3. LummaC2 Stealer

  • Category: Modular Infostealer
  • Price: $250/month for the base tier; higher tiers advertised at $500 and $1,000 per month unlock additional features
  • Description: Sold on Russian-language forums since 2022 (early reports call it LummaC), LummaC2 quickly drew attention for its evasion. It is written in C and uses string encryption, control-flow obfuscation, and anti-debugging and anti-sandbox checks that make it time-consuming to analyze even for experienced researchers. In May 2025 a coordinated action by Microsoft's Digital Crimes Unit, the US Department of Justice and Europol seized roughly 2,300 of its domains; the operators have since tried to restore the service.
  • Distribution: Typically delivered through multistage loaders hidden in cracked software bundles circulated on Telegram channels and dark web forums, through SEO-poisoned download sites, and more recently through fake CAPTCHA ("ClickFix") pages that trick the user into pasting a PowerShell command into the Windows Run dialog.
  • Features: Not only does it collect large amounts of data, it can also update itself and adjust its behavior to the target environment, which makes it suitable for prolonged and targeted campaigns.
  • Modularity: Additional modules for persistence, screenshotting, and alternative exfiltration channels such as WebSocket turn it into a complete toolkit in the hands of attackers.



4. XWorm

  • Category: RAT / Infostealer / DDoS Tool
  • Price: $300 – $500
  • Description: Written in .NET, XWorm is a highly adaptable multipurpose threat. It combines remote access tool (RAT) features, data theft, and offensive functions such as DDoS and, in some builds, ransomware-style file encryption.
  • Distribution: Sold on underground forums and Telegram, and also bundled into larger toolkits. Cracked builds circulate widely (and are frequently backdoored themselves), and variants are commonly wrapped in commercial crypters to resist analysis.
  • Features: Thanks to its modular architecture, XWorm suits actors who want to run complex campaigns from a single tool. It can be customized through scripts and plug-ins.
  • Advanced Capabilities: Supports keylogging, remote desktop control (including hidden-desktop/HVNC sessions), file download and upload, and SOCKS proxying through the victim. Some versions also integrate modules that harvest credentials from installed applications.



5. BlackGuard

  • Category: Infostealer
  • Price: $80 – $150 (advertised prices vary by forum and over time; cracked builds also circulate)
  • Description: A .NET infostealer first advertised on Russian-language forums in early 2022, BlackGuard is often positioned as a cheaper alternative to RedLine and is a common entry-level choice for rookie cybercriminals. Despite its low price it is effective at stealing data.
  • Distribution: Circulates widely, including in cracked versions, making it even more accessible. Automated campaigns facilitate its large-scale spread.
  • Features: Its low cost further lowers the barrier to entry for cybercrime. The malware extracts data from browsers, VPN clients, cryptocurrency wallets, and messaging apps such as Telegram and Discord.
  • Additional Features: Includes screenshotting, sandbox evasion, and a clipboard "clipper" that watches for cryptocurrency addresses copied by the victim and swaps them for the attacker's own. In unprotected corporate environments it can cause severe data breaches.



Market Observations

The malware landscape has changed dramatically. Today, the dark web functions like an e-commerce platform: there are detailed product descriptions, user reviews, customer support, and even discounts for bulk purchases. Malware is offered in bundles with crypters, loaders, and control panels, and is often regularly updated to avoid detection.

This evolution has given rise to the concept of Malware-as-a-Service (MaaS), enabling even low-skilled actors to launch large-scale attacks. Furthermore, cryptocurrency payments and the anonymity provided by networks like Tor make it extremely difficult to trace the perpetrators.



How to Defend Yourself

Protecting against these malware families requires a multilayered approach. Note that every tool listed above goes after the same loot: passwords and session cookies saved in browsers, wallet files, and messenger tokens. The defensive priorities follow from that.

  • Advanced EDR Solutions: Use Endpoint Detection and Response tools with behavioral analysis, and tune them for the stealer pattern: a single non-browser process that reads credential stores belonging to several different applications in quick succession.
  • Continuous Monitoring: Feed endpoint and proxy logs into a SIEM so that anomalies (new processes launched from %TEMP% or Downloads, unexpected outbound HTTP POSTs to fresh domains or Telegram API endpoints) are correlated in near real time.
  • Execution Control: Block executables and scripts launching from user-writable paths such as %TEMP%, Downloads and Public with AppLocker or WDAC; most of the loaders that deliver these stealers start there.
  • Assume Credential Compromise: Treat a stealer infection as a credential and session breach, not just a cleanup job: reset passwords, revoke active sessions and API tokens, and enforce phishing-resistant MFA. Disabling browser password managers on corporate machines in favor of a dedicated vault removes much of what these tools are built to steal.
  • Staff Training: Users remain the most targeted link. Regular training on phishing, fake-CAPTCHA pages that ask you to paste commands, and "cracked software" lures is essential.
  • Application Isolation: Use sandboxes and virtualization to test suspicious applications in controlled environments.
  • Constant Updates: Keeping operating systems, applications, and antivirus tools up to date drastically reduces the risk of compromise.
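The EDR and SIEM items above both hinge on the same behavioral signal: a process that sweeps credential stores across several unrelated applications. The following added example (written for this article, not code from any vendor or from the malware authors) shows that detection logic over a handful of constructed file-access events. The event schema, file lists, process names and thresholds are all assumptions chosen for illustration; real telemetry fields will differ by product.

```python
"""
Toy behavioral detector for infostealer-style credential-store sweeps.

Input: constructed file-access events {"ts", "pid", "image", "target"}, loosely
modelled on EDR file-open telemetry (not any vendor's real schema).
Logic: a browser opening its own "Login Data" is normal; one process reading
Chrome, Firefox, Exodus and Telegram data within a minute is a stealer.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Credential-store file names stealers harvest (lower-case) -> owning application
SENSITIVE_FILES = {
    "login data": "chromium", "cookies": "chromium", "web data": "chromium",
    "local state": "chromium",                      # holds the DPAPI-wrapped key
    "logins.json": "firefox", "key4.db": "firefox",
    "wallet.dat": "bitcoin-core",
}
# Directory names whose whole contents are valuable (sessions, wallet seeds)
SENSITIVE_DIRS = {"tdata": "telegram", "exodus": "exodus",
                  "electrum": "electrum", "discord": "discord"}
# Processes legitimately expected to open their own store
OWNER_IMAGES = {
    "chromium": {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"},
    "firefox": {"firefox.exe"}, "bitcoin-core": {"bitcoin-qt.exe", "bitcoind.exe"},
    "telegram": {"telegram.exe"}, "exodus": {"exodus.exe"},
    "electrum": {"electrum.exe"}, "discord": {"discord.exe"},
}
# Typical dropper staging directories; a reader living here is more suspicious
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
WINDOW_SECONDS = 60   # assumed correlation window
MIN_APPS = 3          # distinct owners touched before we call it a sweep


def owner_of(target: str):
    """Return which application's credential store a path belongs to, or None."""
    p = PureWindowsPath(target)
    name = p.name.lower()
    if name in SENSITIVE_FILES:
        return SENSITIVE_FILES[name]
    for part in p.parts:
        if part.lower() in SENSITIVE_DIRS:
            return SENSITIVE_DIRS[part.lower()]
    return None


def detect(events):
    """Return one alert per process that sweeps >= MIN_APPS distinct stores
    inside WINDOW_SECONDS (or >= 2 stores when running from a staging dir)."""
    touched = defaultdict(list)   # pid -> [(ts, owner)]
    image_of = {}
    for ev in events:
        owner = owner_of(ev["target"])
        if owner is None:
            continue
        exe = PureWindowsPath(ev["image"]).name.lower()
        if exe in OWNER_IMAGES.get(owner, set()):
            continue                      # the app reading its own data: benign
        image_of[ev["pid"]] = ev["image"]
        touched[ev["pid"]].append((ev["ts"], owner))

    alerts = []
    for pid, hits in touched.items():
        hits.sort()
        best, best_owners, start = 0, set(), 0
        for end in range(len(hits)):      # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > WINDOW_SECONDS:
                start += 1
            owners = {o for _, o in hits[start:end + 1]}
            if len(owners) > best:
                best, best_owners = len(owners), owners
        image = image_of[pid]
        from_staging = any(d in image.lower() for d in STAGING_DIRS)
        if best >= MIN_APPS or (best >= 2 and from_staging):
            alerts.append({"pid": pid, "image": image, "apps": sorted(best_owners),
                           "severity": "high" if from_staging else "medium"})
    return alerts


# Constructed sample telemetry (not real logs)
_U = r"C:\Users\alice\AppData"
_DROPPED = r"C:\Users\alice\AppData\Local\Temp\setup_x64.exe"
SAMPLE_EVENTS = [
    # Chrome opening its own credential DB: benign
    {"ts": 100, "pid": 4100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": _U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    # A binary dropped in %TEMP% sweeping stores of four different apps: stealer-like
    {"ts": 200, "pid": 7788, "image": _DROPPED,
     "target": _U + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"ts": 201, "pid": 7788, "image": _DROPPED,
     "target": _U + r"\Local\Google\Chrome\User Data\Local State"},
    {"ts": 203, "pid": 7788, "image": _DROPPED,
     "target": _U + r"\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\logins.json"},
    {"ts": 205, "pid": 7788, "image": _DROPPED,
     "target": _U + r"\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": 207, "pid": 7788, "image": _DROPPED,
     "target": _U + r"\Roaming\Telegram Desktop\tdata\key_datas"},
    # A backup agent touching a single Firefox file: stays below threshold
    {"ts": 300, "pid": 512, "image": r"C:\Program Files\BackupAgent\agent.exe",
     "target": _U + r"\Roaming\Mozilla\Firefox\Profiles\abcd.default-release\logins.json"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints a single high-severity alert for pid 7788, listing chromium, exodus, firefox and telegram. The two design choices worth carrying into a production rule are the cross-application count (a legitimate program rarely needs more than one vendor's store) and the extra weight given to binaries executing from staging directories; either alone produces noise from backup agents and password managers. Sysmon does not record file reads, so with Sysmon alone you would instead key on the temporary copies many stealers create of the locked SQLite databases (FileCreate events) and on the subsequent outbound POST.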



Conclusion

Malware is no longer a weapon reserved for APT groups or professional hackers. Thanks to the rise of criminal as-a-service models, anyone with $100, an internet connection, and a Reddit guide can become a cybercriminal. The barrier to entry has dropped, but the consequences remain serious and often devastating, especially for small businesses and unprepared users.