Cybersecurity experts are keeping a close eye on a new variant of Matanbuchus, a well-known malware loader, which now comes with enhancements specifically designed to make it stealthier and harder to detect.
For those unfamiliar, Matanbuchus is part of the malware-as-a-service (MaaS) model, meaning cybercriminals can "rent" it to distribute other, more dangerous threats. This loader serves as a gateway for heavier malicious payloads, such as the infamous Cobalt Strike beacons or even ransomware.
Matanbuchus 3.0: The Malware-as-a-Service Using Social Engineering and Evading Detection
First appearing on Russian cybercrime forums in February 2021 with an initial rental price of around $2,500, Matanbuchus has since evolved into a much more advanced and dangerous tool. It has been used in campaigns masquerading as services like ClickFix, tricking users who visit seemingly legitimate but compromised websites.
Unlike many other loaders that are distributed via spam emails or unauthorized mass downloads, Matanbuchus takes a much more selective approach. Its distribution often relies on direct social engineering tactics, where attackers manually manipulate users into executing the malware.
In some cases, it has even been linked to tactics used by groups that sell initial access to ransomware operators, making it a more strategic and targeted tool than traditional loaders.
The latest version, known as Matanbuchus 3.0, includes a series of technical improvements that make it even harder to detect and stop. Notable new capabilities include:
- Enhanced communication protocols
- Fully in-memory execution
- Advanced obfuscation techniques
- Support for reverse shells via CMD and PowerShell
- Ability to execute payloads in DLL, EXE, and shellcode formats
A recent attack exploited a legitimate Windows feature, Quick Assist, in combination with fake calls through Microsoft Teams, posing as technical support personnel. Using this technique, attackers managed to convince company employees to allow remote access and execute a PowerShell script that deployed Matanbuchus on their systems.
This type of deception isn't new: similar tactics have been employed by groups linked to ransomware operations like Black Basta, where victims are carefully selected and persuaded to run seemingly innocent scripts.
In one such case, a modified Notepad++ installer was used alongside a malicious DLL, camouflaged to go unnoticed, which ultimately activated the loader.
Now, with its new 3.0 version, Matanbuchus is being marketed through much more expensive monthly subscriptions: around $10,000 for the HTTPS version and up to $15,000 for the DNS version, clearly indicating it's a tool aimed at more organized and well-funded groups.
Attack Flow Visualization (Source: Morphisec)
What Does Matanbuchus Do Once It Infects the System?
System Information Gathering
Once Matanbuchus is executed on a system, the first thing it does is collect key environment information. It scans active processes to detect security tools and checks whether it is running with administrative privileges. This step is essential to determine how deeply it can operate within the infected machine.
Connection to C2 Server and Download of Additional Payloads
After the initial reconnaissance, the malware communicates with its command and control (C2) server. From there, it receives new instructions or malicious files—typically in MSI or portable executable formats—that are downloaded to extend the attack's capabilities.
Persistence via Scheduled Tasks
To remain active after system reboots or user logouts, Matanbuchus sets up a scheduled task on the system. While this may seem like a common method, in this case it uses an advanced technique combining COM objects and shellcode injection, making it much harder to detect with conventional security tools.
Advanced Features of Matanbuchus 3.0
In-Memory Execution and Obfuscation
This new version operates primarily in memory, avoiding disk writes and making it significantly harder to trace. It also incorporates code obfuscation techniques that complicate both static and dynamic analysis by malware researchers.
Support for Advanced Commands and Shells
Matanbuchus 3.0 includes support for commands like regsvr32, rundll32, and msiexec, as well as reverse CMD and PowerShell shells. This enables it to perform advanced tasks on the compromised system without raising suspicion.
It can also execute WQL (Windows Query Language) to query system information and carry out automated or remote actions that are hard to distinguish from normal user or operating system activity.
Use of LOLBins and Evasion Techniques
Following the current trend among sophisticated malware, this version leverages LOLBins (Living-off-the-Land Binaries)—legitimate Windows binaries used maliciously. Alongside COM object hijacking and PowerShell scripts, these techniques allow it to stay under the radar of many traditional security solutions.
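As an added defender-side example (not code from the article or from Morphisec), the following Python script hunts process-creation telemetry for the behaviours described in the persistence and LOLBin sections above: regsvr32, rundll32, msiexec or schtasks invoked with loader-like arguments, and PowerShell launched from a remote-assistance or chat client. The field names follow Sysmon Event ID 1 records; the sample log lines, the parent-process list and the argument patterns are constructed assumptions for this example, not indicators published for Matanbuchus.

```python
import json
import re
# LOLBins named in the article plus the task-scheduler CLI (lowercase basenames).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe", "powershell.exe", "schtasks.exe"}
# Remote-assistance / chat parents that should rarely launch script hosts (assumed list).
SUSPICIOUS_PARENTS = {"quickassist.exe", "teams.exe", "ms-teams.exe"}
# Argument patterns that often accompany loader activity (assumed, tune per environment).
PATTERNS = [
    ("remote_url", re.compile(r"https?://", re.I)),
    ("task_create", re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("encoded_ps", re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("user_path_dll", re.compile(r"(appdata|temp|programdata)\\[^\s]+\.dll", re.I)),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons an event looks like LOLBin/persistence abuse ([] = benign)."""
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    reasons = []
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if image in LOLBINS:
        reasons += [name for name, rx in PATTERNS if rx.search(cmd)]
    return reasons

def hunt(lines):
    """Parse JSON process-creation records; return (command line, reasons) for each hit."""
    hits = []
    for line in filter(None, map(str.strip, lines)):
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.get("CommandLine", ""), reasons))
    return hits

# Constructed sample records in Sysmon Event ID 1 style; not real telemetry.
SAMPLE_LOG = r'''
{"Image":"C:\\Windows\\System32\\notepad.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"notepad.exe notes.txt"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\WindowsApps\\QuickAssist.exe","CommandLine":"powershell.exe -nop -w hidden -enc QQBBAEEA"}
{"Image":"C:\\Windows\\System32\\schtasks.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\upd.exe"}
{"Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\plugin.dll,Start"}
{"Image":"C:\\Windows\\System32\\msiexec.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"msiexec.exe /i C:\\ProgramData\\Package Cache\\setup.msi /qn"}
'''

if __name__ == "__main__":
    for cmd, why in hunt(SAMPLE_LOG.splitlines()):
        print(f"[!] {', '.join(why)} :: {cmd}")
```

The msiexec record is deliberately left unflagged: a package installed from ProgramData by the service host is routine, so a rule keyed on the binary name alone would drown analysts in noise.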
Why Matanbuchus Poses a Threat to Businesses
With its ability to execute multiple payload types, evade detection, and maintain silent persistence, Matanbuchus 3.0 ranks among the most dangerous loaders in today’s threat landscape. Moreover, its malware-as-a-service (MaaS) model means even attackers with limited technical skills can use it, expanding its reach and making it accessible to almost anyone in the cybercriminal ecosystem.
Threat analysts are increasingly including it in their attack surface management strategies, as it is becoming common in targeted campaigns that combine initial access, lateral movement, and ransomware deployment.
Against such advanced threats, businesses need cybersecurity solutions that not only detect malware but also prevent file encryption and protect business continuity. Platforms like TecnetProtect offer comprehensive defense, combining secure backups, behavior-based detection, and real-time ransomware protection—helping organizations recover quickly even if the malware breaches initial defenses.
Having a solution like TecnetProtect enables companies not only to respond to incidents but also to proactively guard against common attack vectors, such as loaders like Matanbuchus, and keep their critical infrastructure secure.