Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Juniper Employee , Juniper Employee Juniper Employee
Threat Research
Underground Malware Marketplaces
Feb 13, 2018

On message boards and dark web marketplaces, vendors offer everything from custom malware to on-demand distributed-denial-of-service (DDoS) attacks. Hidden tools to track someone’s every online move or access to their Instagram account? Weaponized exploits for extortion and espionage? The computing power of thousands of hacked “zombie” computers? It’s all available for the right price. In this article we’ll take a walk through the cybercrime black market to see what’s for sale.


Keystroke Tracking and Instagram Hacking

At the low end of the market are tools for individuals: keyloggers, password stealers, and social media hacking-as-a-service. For as little as $10, the unscrupulous can acquire a keylogger that captures every password, URL, and private message typed on a computer.




For $40, a product called Multihacker offers guaranteed access to the social media of your friends, family, exes, or enemies.




The pseudonymous seller touts hundreds of “vouches” from satisfied customers.




For the aspiring cybercriminal, partnership in a password “recovery” product is available to the highest bidder, starting at $75.




Quick cash without technical expertise? Dozens of sites on the dark web advertise freshly-cloned credit cards and hacked PayPal accounts for sale.



Exploit Kits and Malware Generators

Have your own malicious software ready to go? Office Exploit Builder is a slickly-branded app that will embed your code into a Microsoft Office document for guaranteed FUD (Fully UnDetectable) delivery.



Features include a user-friendly interface, fake error messages, anti-analysis routines, and macro-less execution.




Pricing starts at $70 for the “Starter” version, and goes up to $130 for the “Professional” version, which includes macro-less execution and a Fully UnDetectable Crypter.image14.png


Office Exploit Builder’s success has spawned an entire marketplace of knockoffs and clones, such as Silent Hunter Office Exploit.




Another seller will weaponize the EternalBlue vulnerabilities made famous by the WannaCry attack with your choice of malicious payload.




Hacking as a Service

On the dark web, several similarly-worded sites advertise a hacker for hire who, for prices starting at €200, will change university grades, hack a website, or destroy someone’s life.




Another seller offers RATs (Remote Access Tools), botnets and various viruses and ransomware.




Busy cybercriminals can buy access to pre-hacked machines from the Web Shells Market.




For malware authors, there are paid distribution networks and bots available to help spread their infection.






Holiday Sales and 24/7 Support

Like normal retailers, malware and hacking-as-a-service vendors offer seasonal discounts and promotions to entice buyers. Need to inflate your social media following? Wait for the holiday sales to pick up fake followers for at half-price.




For the less-technical cybercriminal, sellers boast round-the-clock support to ensure a successful infection.




Caveat Emptor

Is there honor among cybercriminals? It’s not hard to find disgruntled dark web buyers who were conned by the offer of cheap drugs, guns, or untraceable cash. We tested malware-laden documents generated by Office Exploit Builder and both Sky ATP and Cyphort (now a Juniper company) easily detected the threats.




For more details about the full range of threat protection offered by Sky ATP and Cyphort, see for our on-premise appliances and for our cloud-based threat prevention service.