Multi-stage payload delivery is an attack technique where malicious functionality is split into separate steps instead of arriving all at once. The first stage is often small, simple, or even benign-looking, and its job is to fetch, decode, or activate later stages that contain the real payload. This structure makes static analysis harder because each individual component may look harmless on its own.
In cybersecurity this matters because it helps attackers evade scanners, slip past sandbox limits, and defeat simple signature-based detection. A marketplace skill, installer, or document macro may only drop a loader at first, then retrieve additional code from a remote server or unpack hidden modules at runtime. Defenders look for chained downloads, unusual process spawning, decoding behavior, and outbound connections after execution. Strong controls include behavioral monitoring, network filtering, sandboxing, and inspecting what a package does after it loads, not just what it contains at rest.
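The detection signals listed above (a document or installer parent, decoding behavior, then an outbound connection) can be correlated from endpoint telemetry. The following is an added illustration, not code from the original page; it runs over a constructed set of process and network events, and the parent-image list and decode markers are assumptions a real deployment would tune.

```python
"""Correlate process ancestry, decode behaviour and outbound connections into a chain alert."""
from collections import defaultdict

# Assumed first-stage parents (document macro host, installer) and decode markers; tune per environment.
FIRST_STAGE_PARENTS = {"winword.exe", "excel.exe", "msiexec.exe", "setup.exe"}
DECODE_MARKERS = ("-decode", "base64 -d", "-enc ", "frombase64string")

# Constructed sample telemetry, not real logs. "process" events carry pid/ppid/image/cmdline,
# "network" events carry the pid and destination.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 1, "image": "winword.exe", "cmdline": "winword.exe invoice.docm"},
    {"ts": 2, "type": "process", "pid": 101, "ppid": 100, "image": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
    {"ts": 3, "type": "network", "pid": 101, "dest": "203.0.113.10:443"},
    {"ts": 4, "type": "process", "pid": 102, "ppid": 101, "image": "certutil.exe", "cmdline": "certutil.exe -decode s2.txt s2.exe"},
    {"ts": 5, "type": "process", "pid": 103, "ppid": 102, "image": "s2.exe", "cmdline": "s2.exe"},
    {"ts": 6, "type": "network", "pid": 103, "dest": "198.51.100.7:8080"},
    {"ts": 7, "type": "process", "pid": 200, "ppid": 1, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": 8, "type": "network", "pid": 200, "dest": "192.0.2.5:443"},  # benign: no first-stage parent, no decode
]

def build_index(events):
    """Split telemetry into a pid->process map and a pid->[connections] map."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    net = defaultdict(list)
    for e in events:
        if e["type"] == "network":
            net[e["pid"]].append(e)
    return procs, net

def ancestor_chain(procs, pid):
    """Return process records from pid up to the outermost known ancestor."""
    chain = []
    while pid in procs:
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain

def find_multistage_chains(events, window=60):
    """Flag an outbound connection whose process descends from a first-stage parent
    and whose ancestry (itself included) shows decode behaviour shortly before the connection."""
    procs, net = build_index(events)
    findings = []
    for pid, conns in net.items():
        chain = ancestor_chain(procs, pid)
        if not chain or chain[-1]["image"].lower() not in FIRST_STAGE_PARENTS:
            continue
        for conn in conns:
            decoded = [p for p in chain if 0 <= conn["ts"] - p["ts"] <= window
                       and any(m in p["cmdline"].lower() for m in DECODE_MARKERS)]
            if decoded:
                findings.append({"pid": pid, "dest": conn["dest"], "root": chain[-1]["image"],
                                 "stages": [p["image"] for p in reversed(chain)]})
    return findings
```

Run against the sample, the browser connection is ignored while both connections under the document host are reported with their full stage ancestry.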