Screenshot of the new “Olymp Projects” web panel | Image: Outpost24
A new Malware-as-a-Service (MaaS) offering, dubbed Olymp Loader, is rapidly gaining traction in underground markets. First spotted in June 2025, the project has evolved from a botnet prototype into a fully fledged loader and crypter platform, catering to low- and mid-tier cybercriminals.
According to Outpost24, “Olymp Loader is a Malware-as-a-Service (MaaS) advertised on underground forums and Telegram since June 5, 2025. The seller, ‘OLYMPO’, presents Olymp Loader as fully written in assembly language and frequently markets it as FUD (Fully UnDetectable).”
Initially branded “Olymp Botnet,” the tool dropped centralized C2 functionality when its web developer left, pivoting instead to a loader and crypter focus. OLYMPO claims to be a team of three developers with over a decade of assembly programming experience.
Olymp Loader is marketed with a rich feature set designed to evade defenses and maximize persistence. The report highlights:
- Implemented fully in assembly language.
- Payload loader support: 32-bit, 64-bit, .NET, Java, and native malware payloads.
- Binary size: Ranges from 12 megabytes to 70 megabytes, depending on the legitimate program used for injection.
- Shellcode: Unique shellcode initialization, modifiable to add/remove features.
- Persistence: Auto-run functionality.
- Privilege escalation: Aggressive privilege escalation approach through UAC-Flood.
- AV interaction: Adds the executable to Windows Defender exclusions.
- Obfuscation: Deep XOR encryption of modules and client payload.
- Detection evasion: Unique formula for bypassing machine learning and heuristic analysis.
- Code signing: All modules and loader stub are signed with a certificate.
- LoadPE method (x86): compatibility advertised for LummaC2, StealC and other native stealers that support it, using code-cave injection in legitimate programs.
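Two of the advertised behaviours, UAC-Flood and adding Defender exclusions, leave log traces a defender can correlate. The sketch below is an added example, not code from Outpost24's report or from this article. It assumes UAC-Flood appears as a burst of consent.exe launches (Security event 4688) and that a new exclusion appears as Defender event 5007; the field names, thresholds, hosts and paths are illustrative.

```python
from datetime import datetime, timedelta

# Assumption: events are already normalised from Security 4688 (process
# creation) and Defender Operational 5007 (configuration change).
EXCLUSION_KEY = "\\windows defender\\exclusions\\"

def find_flood_then_exclusion(events, min_prompts=5,
                              burst=timedelta(minutes=2),
                              follow=timedelta(minutes=10)):
    """Flag hosts where a burst of UAC prompts precedes a new Defender exclusion."""
    hits, prompts = [], {}          # prompts: host -> consent.exe launch times
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["id"] == 4688 and ev["image"].lower().endswith("\\consent.exe"):
            prompts.setdefault(host, []).append(ts)
        elif ev["id"] == 5007 and EXCLUSION_KEY in ev["new_value"].lower():
            # Prompts on this host shortly before the exclusion was written.
            recent = [p for p in prompts.get(host, [])
                      if timedelta(0) <= ts - p <= follow]
            # Largest number of prompts that fit into one burst window.
            densest = max((sum(1 for q in recent if timedelta(0) <= q - p <= burst)
                           for p in recent), default=0)
            if densest >= min_prompts:
                hits.append({"host": host, "ts": ev["ts"],
                             "prompts": densest, "exclusion": ev["new_value"]})
    return hits

# Constructed sample events (hypothetical hosts and paths, not from the report).
def _prompt(host, ts):
    return {"ts": ts, "host": host, "id": 4688,
            "image": r"C:\Windows\System32\consent.exe"}

def _defender(host, ts, value):
    return {"ts": ts, "host": host, "id": 5007, "new_value": value}

DEF = r"HKLM\SOFTWARE\Microsoft\Windows Defender"
EVENTS = (
    [_prompt("WS-01", f"2025-09-01T10:00:{s:02d}") for s in range(0, 36, 6)]
    + [_defender("WS-01", "2025-09-01T10:01:10",
                 DEF + r"\Exclusions\Paths\C:\Users\Public\setup.exe = 0x0"),
       # Single prompt then exclusion: ordinary admin change, not flagged.
       _prompt("WS-02", "2025-09-01T11:00:00"),
       _defender("WS-02", "2025-09-01T11:00:30",
                 DEF + r"\Exclusions\Paths\D:\build = 0x0")]
    # Prompt burst followed by a non-exclusion Defender change: not flagged.
    + [_prompt("WS-03", f"2025-09-01T12:00:{s:02d}") for s in range(0, 36, 6)]
    + [_defender("WS-03", "2025-09-01T12:01:00", DEF + r"\Scan\ScheduleDay = 0x2")]
)
```

Calling `find_flood_then_exclusion(EVENTS)` flags only WS-01, where six prompts in 30 seconds are followed by an exclusion 40 seconds later.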
Pricing ranges from $50 for a classic stub to $200 for unique stubs with personal injection routines, underscoring the professionalized service model.
Outpost24 researchers observed multiple distribution vectors:
- Fake Node.js installers uploaded to GitHub repositories.
- Abuse of Pay-Per-Install (PPI) services, with Amadey acting as a delivery stage.
- Malicious executables disguised as PuTTY, OpenSSL, Zoom, Classic Offensive, and other legitimate tools.
- Impersonation of well-known brands like NodeJS, CapCut, SumatraPDF, and PeaZip, complete with borrowed certificates and spoofed icons.
Once deployed, Olymp Loader serves as a launchpad for commodity malware. The report notes, “46% of samples delivered LummaC2, 31% distributed executables classified as WebRAT, 15% delivered QuasarRAT, and 8% were associated with Raccoon.”
Olymp also features built-in stealer modules, including browser stealers, Telegram stealers, and crypto wallet stealers. One such module, “tgsteal.py,” terminates Telegram processes, zips local data with screenshots, and exfiltrates it via proxy.
Outpost24 warns that OLYMPO’s ambitions extend far beyond a loader. “OLYMPO’s offerings have changed frequently: it began as a botnet concept (‘Olymp Botnet’), then pivoted to Olymp Loader, and by August 2025 focused on crypter functionality. The malware seller has published a roadmap that treats Olymp as a bundle comprising Olymp Botnet, Olymp Loader, Olymp Crypter, an installs service, and a file-scanning tool for antivirus testing.”
This bundled crimeware stack lowers the entry barrier for inexperienced attackers, compressing the timeline between tool release and real-world exploitation.
Olymp Loader exemplifies the industrialization of cybercrime, where malware is sold with professional support, feature updates, and marketing stunts. By offering loader, crypter, and stealer modules in one package, OLYMPO is shaping Olymp into a turnkey MaaS ecosystem poised to accelerate the pace of commodity malware campaigns worldwide.