Cybercrime has evolved into a subscription-based economy where services like phishing, OTP bots, infostealer data feeds, initial access, and advanced malware are rented on pay-as-you-go models, lowering the barrier to entry for low-skill attackers. Notable named services and tools in the article include SpamGPT, MatrixPDF, Atroposia, and Telegram-based OTP bots. #SpamGPT #MatrixPDF #Atroposia #TelegramOTP
Keypoints
- Phishing-as-a-service (PhaaS) provides turnkey phishing platforms with ongoing updates, anti-detection tweaks, AI integration (e.g., SpamGPT), and customer support, enabling novices to run professional campaigns.
- Telegram-based bots and channels offer subscription social-engineering tools—OTP capture bots, call spoofing, SIM-swap services, and bulk SMS—priced with SaaS-like tiers for on-demand use.
- Infostealer marketplaces aggregate stolen logs into searchable, subscription-style feeds, letting buyers filter stolen credentials by geography, OS, malware family, or domain.
- Initial access brokers (IABs) commoditize network access by selling or leasing validated footholds (RDP, VPN creds, web shells) with tiered pricing, proofs, and customer support.
- Advanced malware and tooling (RATs, builders, exploit kits) are offered on monthly plans—examples include Atroposia and MatrixPDF—making high-end capabilities affordable to low-skill actors.
- The subscription model reduces technical and financial barriers for criminals, turning once-fragmented services into an on-demand shadow SaaS ecosystem.
- Defensive recommendations include automating detection playbooks, rotating credentials regularly, and enforcing least privilege to counter scalable, repeatable attacks.
MITRE Techniques
- [T1566] Phishing – PhaaS platforms create convincing phishing pages and send bulk emails, enabling subscription-based phishing campaigns (“turnkey phishing platforms that handle everything from creating convincing pages to sending bulk emails”).
- [T1204] User Execution – Malicious document builders like MatrixPDF weaponize PDFs to trick users into interacting with fake overlays or redirects (“turn ordinary PDFs into weaponized lures (adding fake login overlays, redirects, etc.)”).
- [T1402] Domain Account Compromise (credential harvesting) – Infostealer log marketplaces provide searchable stolen credentials and login data to buyers (“aggregate millions of infostealer malware logs and present them via web interfaces…search and filter stolen login data”).
- [T1078] Valid Accounts – Initial access brokers sell or lease usable credentials and access (RDP, VPN) allowing attackers to log in rather than break in (“specialize in obtaining footholds…through stolen VPN credentials, compromised RDP servers, web shell backdoors”).
- [T1529] System Network Connections Discovery / TA0001 (Impact) – RATs like Atroposia provide remote desktop control and credential theft to maintain persistent remote access (“feature-packed RAT that offers hidden desktop control, credential theft, fileless attacks, etc.”).
- [T1406] Supply Chain Compromise / Third-party Services (adversary-in-the-middle service use) – Use of Telegram bots and APIs to deliver subscription-based social engineering and fraud services (“leveraging Telegram’s API as the backbone for subscription-based criminal tools…OTP bots…call spoofing, voice prompts, and code capture”).
Indicators of Compromise
- [Tool/Service names] Mentioned services and tools – SpamGPT, MatrixPDF, Atroposia, Telegram OTP bots (used as phishing/spam tools and RATs).
- [Service Pricing / Access Details] Context for subscription access – Atroposia pricing examples ($200/month, $500 for 3 months), Telegram OTP bot pricing (~$70/week, $150/month) indicating service availability and tiers.
- [Artifact Types] Malicious artifacts and feeds – infostealer logs and stolen credential databases (searchable by domain, OS, malware family) – example: marketplaces offering searchable stolen login data, and “millions of infostealer malware logs”.
- [Access Types] Compromised access examples – stolen VPN credentials, compromised RDP servers, web shell backdoors – used by initial access brokers to sell or lease network access.
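The following is an added example, not code from the Varonis article or this summary. It shows the defender side of the infostealer-log feeds described in the Keypoints and in the Artifact Types indicator above: given records in the shape such feeds expose (URL, user, OS, malware family, country, date seen), it keeps only hits against domains you monitor, deduplicates them per account, and ranks them for credential rotation, which is how the "rotate credentials regularly" and "automate detection playbooks" recommendations turn into a concrete playbook. The monitored domains, field names, sample records, and priority rules are all assumptions constructed for the example; no identifiers here come from the article.

```python
"""Triage constructed infostealer-exposure records into a credential-rotation queue.

Added example; not from the Varonis article. Field names, domains, sample data
and priority rules are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import date
from urllib.parse import urlparse

# Assumption: the domains whose accounts your organisation owns and can reset.
MONITORED_DOMAINS = {"example.com", "corp.example.com"}

# Constructed sample records in the shape infostealer-log feeds typically expose
# (searchable by domain, OS, malware family and geography). Not real data.
SAMPLE_RECORDS = [
    {"url": "https://vpn.corp.example.com/login", "user": "alice@example.com",
     "os": "Windows 10", "family": "RedLine", "country": "US", "seen": "2024-05-02"},
    {"url": "https://mail.example.com/owa", "user": "alice@example.com",
     "os": "Windows 10", "family": "RedLine", "country": "US", "seen": "2024-05-02"},
    {"url": "https://shop.other.example/login", "user": "bob@gmail.com",
     "os": "Windows 11", "family": "Lumma", "country": "BR", "seen": "2024-05-03"},
    {"url": "https://admin.example.com/", "user": "svc-backup@example.com",
     "os": "Windows Server 2019", "family": "Vidar", "country": "DE", "seen": "2024-04-20"},
    {"url": "https://mail.example.com/owa", "user": "carol@example.com",
     "os": "macOS 14", "family": "Lumma", "country": "US", "seen": "2024-05-04"},
    {"url": "https://intranet.example.com/", "user": "dave@example.com",
     "os": "Windows 10", "family": "Lumma", "country": "US", "seen": "2024-04-01"},
]

# Assumed playbook actions per priority tier.
ACTIONS = {
    "P1": ["disable_account", "reset_password", "revoke_sessions", "notify_soc"],
    "P2": ["reset_password", "revoke_sessions"],
    "P3": ["reset_password"],
}


def in_scope(url: str, monitored=frozenset(MONITORED_DOMAINS)) -> bool:
    """True if the URL's host is one of the monitored domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in monitored)


def triage(records, monitored=frozenset(MONITORED_DOMAINS), today=date(2024, 5, 5)):
    """Collapse raw exposure records into one rotation task per account.

    Priority rule (assumption): P1 for service accounts or exposures on admin/VPN
    hosts (the kind of access the article says brokers resell), P2 for other
    exposures seen in the last 7 days, P3 for older ones.
    """
    by_user = defaultdict(lambda: {"services": set(), "families": set(), "first_seen": None})
    for rec in records:
        if not in_scope(rec["url"], monitored):
            continue  # third-party site, not an asset we can rotate; ignore as noise
        host = (urlparse(rec["url"]).hostname or "").lower()
        entry = by_user[rec["user"].lower()]
        entry["services"].add(host)
        entry["families"].add(rec["family"])
        seen = date.fromisoformat(rec["seen"])
        if entry["first_seen"] is None or seen < entry["first_seen"]:
            entry["first_seen"] = seen

    tasks = []
    for user, entry in by_user.items():
        privileged = user.startswith("svc-") or any(
            h.startswith(("admin", "vpn")) for h in entry["services"])
        days_exposed = (today - entry["first_seen"]).days
        priority = "P1" if privileged else ("P2" if days_exposed <= 7 else "P3")
        tasks.append({
            "user": user,
            "services": sorted(entry["services"]),
            "families": sorted(entry["families"]),
            "days_exposed": days_exposed,
            "priority": priority,
            "actions": ACTIONS[priority],
        })
    # Highest priority first; within a tier, the longest-exposed account first.
    tasks.sort(key=lambda t: (t["priority"], -t["days_exposed"], t["user"]))
    return tasks


if __name__ == "__main__":
    for task in triage(SAMPLE_RECORDS):
        print(task["priority"], task["user"], task["days_exposed"], "days",
              ",".join(task["services"]), "->", "+".join(task["actions"]))
```

In practice the records would come from a breach-monitoring vendor or an internal CTI feed rather than the inline list, and the action lists would call your identity provider's API; the point is that the dedupe-and-rank step is what makes rotation repeatable at the scale these feeds operate, rather than a one-off ticket per log entry.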
Read more: https://www.varonis.com/blog/cybercrime-subscription-business