Matanbuchus Is Back and It’s Deadlier Than Ever! Know all about this Malware Inside

the420.in

NEW DELHI, JULY 2025 — Once quietly marketed on Russian-language dark web forums for $2,500, the Matanbuchus malware loader has returned as Matanbuchus 3.0, a reworked version whose capabilities have led cybersecurity researchers to warn that it may be one of the defining threats of this year’s cyber landscape.

Described as a “stealth-first” malware loader, Matanbuchus has evolved from simple phishing lures into a full-fledged malware delivery platform capable of deploying payloads that commonly precede ransomware, such as QakBot, DanaBot, and Cobalt Strike. Initially distributed through malvertising and malicious MSI installers, it is now delivered through collaboration tools such as Microsoft Teams, with the intrusion disguised as a routine IT support call.

In a recent attack disclosed by cybersecurity firm Morphisec, attackers impersonated IT help desk personnel on an external Teams call and tricked an employee into launching Quick Assist, which gave them remote control of the machine. A PowerShell script executed during the session dropped Matanbuchus, which quietly staged the system for a second-stage ransomware payload.

What’s New in Matanbuchus 3.0: Obfuscation, Shells, and Side-Loading

The 3.0 version of the loader adds in-memory execution, stronger obfuscation, reverse shells over CMD and PowerShell, and COM object hijacking. Once resident on a system, it gathers host information, checks whether it is running with administrator privileges, and communicates with its command-and-control (C2) server over an encrypted protocol, from which it receives additional payloads.


Significantly, Matanbuchus can now execute malicious code through LOLBins (living-off-the-land binaries) such as regsvr32, rundll32, and msiexec. These are legitimate, signed Windows components, so their use blends in with normal system activity and slips past detection that keys on unknown or unsigned executables. Morphisec CTO Michael Gorelik revealed that the malware also masquerades as the Notepad++ updater to mask its presence.

“The attackers used a renamed Notepad++ updater (GUP), a fake XML config, and a malicious side-loaded DLL,” Gorelik said. “It’s technically clever and psychologically manipulative.”

A $10,000 Threat to Every Enterprise Endpoint

Matanbuchus 3.0 isn’t a tool for amateurs. It is being advertised openly at $10,000 (about ₹8,33,000) per month for the HTTPS version and $15,000 per month for the DNS version, which positions the loader as a premium malware-as-a-service (MaaS) offering for well-resourced ransomware affiliates. The high price, experts say, points not just to sophisticated features but also to dedicated support and customization for buyers.

The timing of its emergence also aligns with a disturbing rise in attacks that rely on social engineering through legitimate work tools like Teams and Zoom. Researchers warn that employees, now accustomed to remote support and hybrid work, can be duped into granting access without hesitation.


The Industry Response: Race Against Stealth

Security firms are responding by expanding endpoint and attack surface monitoring, with growing interest in mapping loader behaviour (the LOLBins, side-loaded DLLs, and C2 patterns a given loader relies on) as a core defense strategy. Enterprises are being urged to:

  • Educate staff on social engineering through Teams calls and Quick Assist sessions, and verify unsolicited IT support requests through a separate channel
  • Deploy endpoint monitoring for LOLBin activity, such as regsvr32, rundll32, or msiexec launched with unusual arguments or against user-writable paths
  • Restrict PowerShell to the accounts that need it and log script execution
  • Harden COM objects against hijacking, including monitoring of per-user CLSID registrations
  • Inspect MSI installs and DLL side-loading behaviour, in particular renamed signed binaries loading unsigned DLLs from the same directory
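As an added example (this is not code from the article, from Morphisec, or from the malware itself), the following Python script applies two of the recommendations above, LOLBin monitoring and side-loading inspection, to constructed Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. It also catches the renamed-updater trick Gorelik describes by comparing the on-disk file name with the name embedded in the executable. The events, the user `alice`, and the file names `update.exe` and `libcurl.dll` are placeholders invented for the example, not indicators from the report; `OriginalFileName` and `Signed` are real Sysmon fields.

```python
"""Added example: triage Sysmon-style telemetry for the two tradecraft
patterns the article describes, LOLBin abuse and DLL side-loading by a
renamed legitimate binary. All events below are constructed, not real data."""
import ntpath
import re
from typing import Any, Dict, List, Optional, Tuple

# Living-off-the-land binaries named in the article.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}

# Locations a standard user can write to. A payload staged here and handed
# to a LOLBin, or a DLL loaded from here, deserves a closer look.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp)\\",
    re.I,
)
# http(s) URLs or UNC paths on a LOLBin command line (msiexec /i https://...).
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def lolbin_abuse(ev: Dict[str, Any]) -> Optional[str]:
    """Rule 1: a LOLBin pointed at a remote location or a user-writable path."""
    if ev.get("EventID") != 1 or _base(ev["Image"]) not in LOLBINS:
        return None
    cmd = str(ev.get("CommandLine", ""))
    if REMOTE.search(cmd):
        return f"{_base(ev['Image'])} fetching remote content: {cmd}"
    if USER_WRITABLE.search(cmd):
        return f"{_base(ev['Image'])} run against a user-writable path: {cmd}"
    return None


def renamed_binary(ev: Dict[str, Any]) -> Optional[str]:
    """Rule 2: the PE version resource says one name, the file on disk
    another (the renamed Notepad++ updater, GUP, pattern)."""
    if ev.get("EventID") != 1:
        return None
    original = str(ev.get("OriginalFileName", "")).lower()
    if original and original != _base(ev["Image"]):
        return f"{ev['Image']} is really {original}"
    return None


def side_load(ev: Dict[str, Any]) -> Optional[str]:
    """Rule 3: a process running from a user-writable directory loads an
    unsigned DLL from that same directory, the classic side-loading shape."""
    if ev.get("EventID") != 7:
        return None
    proc_dir, dll_dir = _dir(ev["Image"]), _dir(ev["ImageLoaded"])
    if proc_dir != dll_dir or not USER_WRITABLE.search(proc_dir + "\\"):
        return None
    if str(ev.get("Signed", "false")).lower() == "true":
        return None
    return f"{_base(ev['Image'])} side-loaded unsigned {_base(ev['ImageLoaded'])}"


RULES = (lolbin_abuse, renamed_binary, side_load)


def triage(events: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Run every rule over every event and return (rule name, finding) pairs."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((rule.__name__, hit))
    return findings


# Constructed sample telemetry (not real indicators). "update.exe" and
# "libcurl.dll" are placeholder names for the renamed updater and the
# side-loaded DLL; "alice" is a placeholder user.
SAMPLE_EVENTS = [
    # Benign software deployment by a management agent: nothing to flag.
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\a1\app.msi" /qn'},
    # LOLBin given a DLL staged in the user's Temp directory.
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "OriginalFileName": "REGSVR32.EXE",
     "CommandLine": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\x.dll"},
    # LOLBin told to fetch an installer over HTTPS.
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "OriginalFileName": "msiexec.exe",
     "CommandLine": "msiexec.exe /q /i https://example.invalid/setup.msi"},
    # Renamed Notepad++ updater dropped into Temp.
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "OriginalFileName": "GUP.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # The real updater in its install location: names match, nothing to flag.
    {"EventID": 1, "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "OriginalFileName": "GUP.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\updater\gup.exe"'},
    # The renamed updater loads an unsigned DLL from its own directory.
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libcurl.dll",
     "Signed": "false"},
    # The real updater loading its signed DLL from Program Files.
    {"EventID": 7, "Image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\libcurl.dll",
     "Signed": "true"},
]

if __name__ == "__main__":
    for rule, finding in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {finding}")
```

Run stand-alone, the script reports four findings from the seven constructed events: the two LOLBin launches, the renamed updater, and the unsigned DLL it side-loads, while the legitimate deployment and the genuine Notepad++ updater stay quiet. In production the same three rules would be fed from a SIEM query rather than an inline list, and the user-writable path list should be extended to match local conventions.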
