Cybersecurity experts are keeping a close eye on a new variant of Matanbuchus, a well-known malware loader, which now comes with enhancements specifically designed to make it stealthier and harder to detect.
For those unfamiliar, Matanbuchus is part of the malware-as-a-service (MaaS) model, meaning cybercriminals can "rent" it to distribute other, more dangerous threats. This loader serves as a gateway for heavier malicious payloads, such as the infamous Cobalt Strike beacons or even ransomware.
First appearing on Russian cybercrime forums in February 2021 with an initial rental price of around $2,500, Matanbuchus has since evolved into a much more advanced and dangerous tool. It has been used in campaigns masquerading as services like ClickFix, tricking users who visit seemingly legitimate but compromised websites.
Unlike many other loaders that are distributed via spam emails or unauthorized mass downloads, Matanbuchus takes a much more selective approach. Its distribution often relies on direct social engineering tactics, where attackers manually manipulate users into executing the malware.
In some cases, it has even been linked to tactics used by groups that sell initial access to ransomware operators, making it a more strategic and targeted tool than traditional loaders.
The latest version, known as Matanbuchus 3.0, includes a series of technical improvements that make it even harder to detect and stop. Notable new capabilities include:
- Enhanced communication protocols
- Fully in-memory execution
- Advanced obfuscation techniques
- Support for reverse shells via CMD and PowerShell
- Ability to execute payloads in DLL, EXE, and shellcode formats
A recent attack exploited a legitimate Windows feature, Quick Assist, in combination with fake calls through Microsoft Teams, posing as technical support personnel. Using this technique, attackers managed to convince company employees to allow remote access and execute a PowerShell script that deployed Matanbuchus on their systems.
This type of deception isn't new: similar tactics have been employed by groups linked to ransomware operations like Black Basta, where victims are carefully selected and persuaded to run seemingly innocent scripts.
In one such case, a modified Notepad++ installer was used alongside a malicious DLL, camouflaged to go unnoticed, which ultimately activated the loader.
Now, with its new 3.0 version, Matanbuchus is being marketed through much more expensive monthly subscriptions: around $10,000 for the HTTPS version and up to $15,000 for the DNS version, clearly indicating it's a tool aimed at more organized and well-funded groups.
Attack Flow Visualization (Source: Morphisec)
Once Matanbuchus is executed on a system, the first thing it does is collect key environment information. It scans active processes to detect security tools and checks whether it is running with administrative privileges. This step is essential to determine how deeply it can operate within the infected machine.
After the initial reconnaissance, the malware communicates with its command and control (C2) server. From there, it receives new instructions or malicious files—typically in MSI or portable executable formats—that are downloaded to extend the attack's capabilities.
To remain active after system reboots or user logouts, Matanbuchus sets up a scheduled task on the system. While this may seem like a common method, in this case it uses an advanced technique combining COM objects and shellcode injection, making it much harder to detect with conventional security tools.
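Because the persistence described above is set up through COM rather than by running schtasks.exe, a process-creation rule for schtasks.exe will not see it; the task definition itself is the better artifact. The following is an added example (not code from the article or from Morphisec) that triages the TaskContent XML carried in Windows Security event 4698 ("A scheduled task was created", which only appears when Object Access auditing is enabled) or returned by an inventory of existing tasks; the sample task XML is constructed, and the LOLBin and path lists are assumptions drawn from this article.

```python
"""Triage of scheduled-task XML for LOLBin-based persistence (added example)."""
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler task definitions (also embedded in event 4698 TaskContent).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Binaries the article names as abused by Matanbuchus 3.0, plus the shells it spawns (assumed set).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe", "powershell.exe", "cmd.exe"}
# User-writable locations where a loader dropped by a user-run script typically lives (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def triage_task_xml(task_xml: str) -> list:
    """Return the reasons (possibly none) why a task's Exec actions look suspicious."""
    root = ET.fromstring(task_xml)
    reasons = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        basename = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in LOLBINS:
            reasons.append(f"action runs LOLBin {basename} with args: {args}")
        if any(p in cmd.lower() or p in args.lower() for p in USER_WRITABLE):
            reasons.append("action references a user-writable path")
    return reasons


# Constructed sample: a logon-triggered task that loads a DLL via regsvr32 from a public folder.
SUSPICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\regsvr32.exe</Command>
      <Arguments>/s C:\Users\Public\update.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: a vendor updater installed under Program Files, no LOLBin involved.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\Vendor\Updater.exe"</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(xml) or "no findings")
```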
This new version operates primarily in memory, avoiding disk writes and making it significantly harder to trace. It also incorporates code obfuscation techniques that complicate both static and dynamic analysis by malware researchers.
Matanbuchus 3.0 includes support for commands like regsvr32, rundll32, and msiexec, as well as reverse CMD and PowerShell shells. This enables it to perform advanced tasks on the compromised system without raising suspicion.
It can also execute WQL (Windows Query Language) to query system information and carry out automated or remote actions that are hard to distinguish from normal user or operating system activity.
Following the current trend among sophisticated malware, this version leverages LOLBins (Living-off-the-Land Binaries)—legitimate Windows binaries used maliciously. Alongside COM object hijacking and PowerShell scripts, these techniques allow it to stay under the radar of many traditional security solutions.
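Because the binaries named above are legitimate and signed, detection has to look at how they are invoked rather than at the image itself. The following is an added example (not code from the article or from Morphisec) that applies that kind of command-line triage to process-creation events in the shape of Sysmon Event ID 1 (Image plus CommandLine); the events, the path list and the argument patterns are constructed assumptions, and the first two events mimic the MSI download and DLL loading this article describes.

```python
"""Triage of process-creation events for the LOLBins the article names (added example)."""
import re

# Locations a user-run script can write to without admin rights (assumed list).
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
REMOTE_URL = re.compile(r"https?://", re.I)
# PowerShell switches commonly seen in hidden or download-and-execute invocations (assumed).
PS_SUSPECT = re.compile(r"-enc|-w(indowstyle)? hidden|downloadstring|\biex\b", re.I)


def triage_process(image: str, cmdline: str) -> list:
    """Return the reasons (possibly none) why one process-creation event looks suspicious."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    reasons = []
    if name == "regsvr32.exe" and ("/i:" in low or "scrobj" in low or REMOTE_URL.search(low)):
        reasons.append("regsvr32 with scriptlet or remote argument")
    if name == "rundll32.exe" and USER_WRITABLE.search(cmdline):
        reasons.append("rundll32 loading a DLL from a user-writable path")
    if name == "msiexec.exe" and "/q" in low and (REMOTE_URL.search(low) or USER_WRITABLE.search(cmdline)):
        reasons.append("quiet msiexec install from a URL or user-writable path")
    if name in ("powershell.exe", "pwsh.exe") and PS_SUSPECT.search(cmdline):
        reasons.append("powershell with encoded, hidden or download arguments")
    return reasons


# Constructed (Image, CommandLine) pairs: a quiet MSI install from a URL, a DLL run out of Temp,
# and two vendor-style invocations from Program Files that should not be flagged.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i https://example.invalid/update.msi /qn"),
    (r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Local\Temp\np.dll,Start"),
    (r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\lib.dll"),
    (r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Program Files\Vendor\setup.msi"),
]


def triage_all(events):
    """Return [(cmdline, reasons)] for the events that produced at least one reason."""
    out = []
    for image, cmdline in events:
        reasons = triage_process(image, cmdline)
        if reasons:
            out.append((cmdline, reasons))
    return out


if __name__ == "__main__":
    for cmdline, reasons in triage_all(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

These heuristics are a triage layer, not a verdict: a quiet MSI install from a URL is also what some legitimate software deployment tools do, so findings should be correlated with the parent process and the user's session (for example, a Quick Assist session as described above).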
With its ability to execute multiple payload types, evade detection, and maintain silent persistence, Matanbuchus 3.0 ranks among the most dangerous loaders in today’s threat landscape. Moreover, its malware-as-a-service (MaaS) model means even attackers with limited technical skills can use it, expanding its reach and making it accessible to almost anyone in the cybercriminal ecosystem.
Threat analysts are increasingly including it in their attack surface management strategies, as it is becoming common in targeted campaigns that combine initial access, lateral movement, and ransomware deployment.
Against such advanced threats, businesses need cybersecurity solutions that not only detect malware but also prevent file encryption and protect business continuity. Platforms like TecnetProtect offer comprehensive defense, combining secure backups, behavior-based detection, and real-time ransomware protection—helping organizations recover quickly even if the malware breaches initial defenses.
Having a solution like TecnetProtect enables companies not only to respond to incidents but also to proactively guard against common attack vectors, such as loaders like Matanbuchus, and keep their critical infrastructure secure.