Pay-Per-Install (PPI)
Also known as: PPI, Install service
Pay-per-install (PPI) is a criminal service model where operators are paid to install other actors' malware on compromised machines. PPI networks are a major distribution channel for infostealers, enabling rapid, large-scale infections.
What is pay-per-install?
In a PPI model, one party controls access to many compromised or reachable machines and sells "installs" — running a customer's payload on those machines for a fee, often priced by volume and geography.
PPI and infostealers
Stealer operators frequently buy installs from PPI networks (often via loaders) to spread their malware quickly without running their own distribution. This decoupling of distribution from development accelerates the whole stealer economy.
VantaPrism captures the output of PPI-driven stealer campaigns — the stolen logs — regardless of how the infection was originally distributed.
Frequently Asked Questions
How does pay-per-install spread infostealers?
Related Terms
Loader malware (a loader or dropper) is software whose job is to install other malware on a compromised device. Loade…
Malware-as-a-service (MaaS) is a criminal business model in which malware authors rent or sell their software, infras…
Infostealer malware is a category of malicious software designed to silently harvest sensitive data — passwords, sess…
Malvertising is the use of online advertising — including paid search ads — to distribute malware. Attackers buy ads…