Matanbuchus 3.0 Malware

Matanbuchus is a notorious Malware-as-a-Service platform designed to deliver next-stage payloads such as Cobalt Strike beacons and ransomware. First promoted in February 2021 on Russian-speaking forums for $2,500, the malware quickly became a go-to choice for threat actors. Attackers have employed it in ClickFix-style campaigns, tricking users through legitimate yet compromised websites.

Delivery Tactics and Evolving Threat Vectors

The malware's distribution techniques have grown increasingly sophisticated. Initial campaigns relied heavily on phishing emails directing victims to malicious Google Drive links. Over time, attackers expanded their arsenal to include:

  • Drive-by downloads from compromised sites
  • Malicious MSI installers
  • Malvertising campaigns

Matanbuchus has been observed deploying secondary payloads like DanaBot, QakBot, and Cobalt Strike, which are often used as stepping stones to ransomware infections.

Matanbuchus 3.0: Advanced Capabilities and Features

The latest iteration, Matanbuchus 3.0, introduces substantial enhancements to improve stealth and persistence. Key upgrades include:

  • Advanced communication protocol techniques
  • In-memory execution for stealth
  • Enhanced obfuscation to evade detection
  • Reverse shell support via CMD and PowerShell
  • Ability to launch DLL, EXE, and shellcode payloads

This evolution underscores the malware's role in facilitating advanced, multi-stage attacks.

Real-World Exploitation: Social Engineering via Microsoft Teams

Researchers uncovered a July 2025 campaign targeting an unnamed company. Attackers impersonated IT help desk personnel during external Microsoft Teams calls, persuading employees to launch Quick Assist for remote access. This allowed them to execute a PowerShell script deploying Matanbuchus.

Such tactics mirror social engineering methods previously linked to the Black Basta ransomware group, indicating a growing overlap between loader and ransomware operations.

Under the Hood: Infection Chain and Persistence

Once victims run the provided script, an archive is downloaded. Inside are:

  • A renamed Notepad++ updater (GUP)
  • A modified XML configuration file
  • A malicious DLL representing the loader

After execution, Matanbuchus collects system data, checks for security tools, and confirms privilege levels before transmitting details to its Command-and-Control (C2) server. Additional payloads are then delivered as MSI packages or executables. Persistence is achieved by creating scheduled tasks using COM objects and injecting shellcode, a technique that blends simplicity and sophistication.

Stealth and Control: Why It’s Dangerous

The loader supports advanced features, including WQL queries and remote commands to gather details on processes, services, and installed applications. It can launch system utilities such as regsvr32, rundll32, and msiexec, and even perform process hollowing, highlighting its flexibility.
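The infection chain and LOLBin usage described in the two sections above leave a recognisable trail in process-creation telemetry: a Quick Assist session spawning a shell, a Notepad++ updater (GUP) binary running under a new name from a user-writable folder, and regsvr32/rundll32/msiexec being pointed at payloads in the user profile. The rule set below is an added example written for this article, not code from the report or from any vendor product; the events it scans are constructed samples modelled on Sysmon Event ID 1 fields (ParentImage, Image, CommandLine, OriginalFileName), and the file and path names in them are made up for illustration.

```python
"""Detection rules for the Matanbuchus delivery chain described in the article.
Added example: all events below are constructed, not captured telemetry."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcEvent:
    parent: str            # ParentImage: path of the creating process
    image: str             # Image: path of the new process
    cmdline: str           # CommandLine of the new process
    original_name: str     # OriginalFileName from the PE version resource


@dataclass
class Finding:
    rule: str
    event: ProcEvent


# Folders a standard user can write to. A signed updater or a LOLBin payload
# living here is far more suspicious than one under Program Files.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|ProgramData|Windows\\Temp)\\", re.I
)
# Payload fetched over HTTP(S) or from a UNC share.
REMOTE_SOURCE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)
LOLBINS = ("regsvr32.exe", "rundll32.exe", "msiexec.exe")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_quickassist_spawns_shell(e: ProcEvent) -> bool:
    # Help-desk impersonation: the Quick Assist session itself launches the stager.
    return basename(e.parent) == "quickassist.exe" and basename(e.image) in SHELLS


def rule_renamed_gup_updater(e: ProcEvent) -> bool:
    # The Notepad++ updater identifies itself as GUP.exe in its version resource.
    # Flag it when it runs under a different file name or from a user-writable
    # folder, where the loader DLL placed beside it will be side-loaded.
    if e.original_name.lower() != "gup.exe":
        return False
    return basename(e.image) != "gup.exe" or USER_WRITABLE.search(e.image) is not None


def rule_lolbin_loads_user_payload(e: ProcEvent) -> bool:
    # regsvr32 / rundll32 / msiexec handed a payload from the user profile or a remote source.
    if basename(e.image) not in LOLBINS:
        return False
    return bool(USER_WRITABLE.search(e.cmdline) or REMOTE_SOURCE.search(e.cmdline))


RULES = {
    "quickassist_spawns_shell": rule_quickassist_spawns_shell,
    "renamed_gup_updater": rule_renamed_gup_updater,
    "lolbin_loads_user_payload": rule_lolbin_loads_user_payload,
}


def scan(events: List[ProcEvent]) -> List[Finding]:
    """Run every rule over every event and return the matches in event order."""
    return [Finding(name, e) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample events (hypothetical user "alice", made-up file names).
SAMPLE_EVENTS = [
    # Benign: the real updater launched by Notepad++ from its install directory.
    ProcEvent(r"C:\Program Files\Notepad++\notepad++.exe",
              r"C:\Program Files\Notepad++\updater\GUP.exe", "GUP.exe -v8.6", "GUP.exe"),
    # Quick Assist session starting a hidden PowerShell stager from Temp.
    ProcEvent(r"C:\Windows\System32\quickassist.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\stage.ps1",
              "PowerShell.EXE"),
    # The renamed GUP updater running from AppData, where the malicious DLL sits.
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Users\alice\AppData\Roaming\Updater\svc_update.exe", "svc_update.exe", "GUP.exe"),
    # msiexec installing a follow-on package dropped in the user profile.
    ProcEvent(r"C:\Users\alice\AppData\Roaming\Updater\svc_update.exe",
              r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\alice\AppData\Local\Temp\pkg.msi /qn", "msiexec.exe"),
    # Benign: rundll32 invoked by a service host on a system DLL.
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", "RUNDLL32.EXE"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.event.image}  <-  {f.event.parent}")
```

Matching on OriginalFileName rather than the on-disk name is what catches the renamed updater; the path check is a fallback for cases where the version resource has been stripped. Note that scheduled tasks created through COM objects, as the article describes, produce no schtasks.exe process, so that step of the persistence is not visible to these rules and is better covered by the Task Scheduler operational log or Security event 4698.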

Pricing and the Business Model Behind the Threat

This MaaS platform has seen its pricing skyrocket with its feature set:

  • $10,000/month for the HTTPS version
  • $15,000/month for the DNS version

Such costs reflect the malware's effectiveness and demand in the cybercrime ecosystem.

Matanbuchus and the Bigger Picture of MaaS Evolution

The latest version epitomizes the trend toward stealth-first loaders leveraging LOLBins, COM hijacking, and PowerShell stagers to remain undetected. Its abuse of collaboration tools like Microsoft Teams and Zoom further complicates enterprise security. Researchers emphasize integrating loader detection into attack surface management as these threats continue to evolve.
