Matanbuchus 3.0: The Evolved Malware-as-a-Service Evading Detection & Exploiting Microsoft Teams
The latest iteration of the Matanbuchus malware loader, designated version 3.0, has drawn particular scrutiny from cybersecurity experts due to its significant enhancements aimed at evading detection and bypassing modern defensive systems. Originally introduced as a malware-as-a-service offering for $2,500 in February 2021 on underground forums, Matanbuchus has served as a delivery mechanism for a variety of malicious payloads—including Cobalt Strike and ransomware strains.
Since its emergence, Matanbuchus has been widely employed in diverse infection campaigns. These include phishing emails with malicious Google Drive links, drive-by downloads from compromised websites, tainted MSI installers, and even malicious advertisements embedded with exploit code. Through these vectors, Matanbuchus facilitated the deployment of secondary threats such as DanaBot and QakBot, which often act as precursors to ransomware attacks.
With the release of Matanbuchus 3.0, the malware’s capabilities have been significantly elevated. According to cybersecurity firm Morphisec, the latest version introduces an enhanced command-and-control (C2) communication protocol, in-memory code execution, fortified code obfuscation, and support for reverse shells via CMD and PowerShell. The loader is also now capable of deploying additional DLLs, EXEs, and shellcode payloads.
The new version recently surfaced in a real-world incident involving a targeted attack on an undisclosed organization via Microsoft Teams. The attackers impersonated IT support personnel, persuading employees to launch the Quick Assist remote tool and subsequently execute a PowerShell script that installed Matanbuchus. Similar social engineering tactics have previously been linked to the Black Basta ransomware group.
In this instance, the attackers distributed a tampered Notepad++ updater archive containing a modified XML configuration file and a DLL embedding the loader itself—effectively weaponizing a legitimate application update mechanism.
The rental cost for Matanbuchus 3.0 has now surged to $10,000 per month for the HTTPS variant and $15,000 for the DNS version. Upon execution, the malware collects system information, checks for antivirus software and administrative privileges, and transmits the data to its command server. The server then responds by delivering additional payloads, typically in the form of MSI or EXE files.
Persistence within the system is achieved through scheduled tasks. However, instead of relying on standard methods, the loader employs more intricate techniques such as shellcode injection and COM object manipulation. It injects code into processes and executes tasks via exploitation of the ITaskService interface.
Moreover, Matanbuchus 3.0 can remotely enumerate active processes, services, and installed applications. Its support for commands such as regsvr32, rundll32, and msiexec, together with its use of process hollowing, makes it a highly versatile tool in the arsenal of cybercriminals.
Experts warn that this version exemplifies a broader trend toward stealthy loaders that exploit legitimate system components—commonly referred to as LOLBins—alongside COM hijacking and PowerShell-based stagers. These techniques enable prolonged stealth in compromised environments. Notably, attackers are increasingly leveraging corporate communication platforms like Microsoft Teams and Zoom to gain initial access, highlighting a shift in intrusion tactics.