
New malware-as-a-service Olymp Loader shows rapid evolution

An emerging malware-as-a-service (MaaS) operation, Olymp Loader, has been swiftly evolving and gaining popularity over the last few months, with claims of being fully undetectable by antivirus (AV) solutions, Outpost24 reported last week.

The Olymp MaaS, which originally launched in June 2025 as a botnet tool, pivoted in August to a loader-as-a-service, enabling stealthy delivery of additional malware payloads.

The loader malware is fully written in assembly language and heavily marketed as fully undetectable (FUD), with its seller “OLYMPO” touting low AV detection rates on VirusTotal.

Frequent uploads of Olymp samples to VirusTotal, likely made by OLYMPO and their clients, allowed Outpost24 researchers to analyze the malware’s evolution over time.

Early in its lifetime, Olymp Loader added built-in stealer modules, including a Telegram stealer, browser stealer and crypto stealer. The browser stealer was noted to be based on an open-source stealer called BrowserSnatch, and the crypto stealer targets Exodus, Electrum, Atomic, Guarda, Wasabi, Monero, BitcoinCore and ZelCore cryptocurrency wallets.

Olymp also supports custom 32-bit, 64-bit, .NET, Java and native executable payloads, with LummaC2 being the most common post-infection payload making up nearly half (46%) of observed samples, followed by WebRAT at 31% of sample volume.

In late June, OLYMPO began offering personal builds with custom payloads built inside the loader for an extra cost, and in late August it added a crypter, which is said to be its most-used feature. The MaaS reportedly plans to offer a multi-service bundle in the future, including a botnet, loader, crypter, installs service and file-scanning tool.

Olymp Loader is primarily advertised on HackForums and Telegram, with its official Telegram channel having nearly a hundred subscribers, according to Outpost24. The service has raised its price over time while adding new features, with prices ranging from $40 to $200 per stub depending on the level of personalization.

To support its FUD status, Olymp employs detection evasion methods including code-cave injection into legitimate programs, XOR encryption of modules and payloads, Windows Defender exclusions, code signing and a “unique formula for bypassing machine learning and heuristic analysis,” Outpost24 reported.

Based on analysis of samples discovered on VirusTotal and across the web, Outpost24 found examples of Olymp Loader being disguised as legitimate software including Node.js, the PuTTY SSH client, OpenSSL library, Zoom video conferencing app and the “Classic Offensive” mod for the video game Counter-Strike. In one case, Olymp Loader was seemingly delivered as the second stage payload by Amadey malware.

Outpost24 warns that Olymp Loader serves as an example of how MaaS operations lower the barrier to entry for threat actors and continually improve to appeal to new “customers.” The malware’s rapid evolution also emphasizes the importance of up-to-date threat intelligence to combat emerging and fast-moving threats.
