Matanbuchus, a well-known malware loader sold as Malware-as-a-Service (MaaS), has just leveled up. In its latest evolution—Matanbuchus 3.0—cybercriminals are pushing the limits of social engineering and technical stealth to infiltrate enterprise systems, starting with something as simple as a Microsoft Teams call.
“Matanbuchus is a malware loader that has been available as a Malware-as-a-Service (MaaS) since 2021. It is primarily used to download and execute secondary payloads on compromised Windows systems,” Morphisec explains in the report.
In one July 2025 incident analyzed by Morphisec, attackers impersonated an IT helpdesk over Teams, talked employees into launching a Quick Assist remote-help session, and then had them run a script that installed the Matanbuchus loader: a carefully crafted DLL sideloaded by a renamed Notepad++ updater.
“Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader.”

Version 3.0 adds several evasion and tradecraft features:
- In-memory execution and indirect system calls to evade EDR hooks
- Configuration encrypted with Salsa20
- Persistence through the registry and a scheduled task created via COM
- Reverse shells over CMD and PowerShell, plus WQL (WMI) queries
- Dynamic DLL resolution by MurmurHash3 hash instead of plaintext names
- C2 and payload delivery over HTTP with a User-Agent that impersonates Skype
“Over the past nine months, Matanbuchus has been used in highly targeted campaigns that have potentially led to ransomware compromises,” the report states.
Morphisec found that attackers used a look-alike domain, notepad-plus-plu[.]org, to host the malicious payloads. A renamed Notepad++ updater (GenericUpdater.exe) was abused to sideload a trojanized libcurl.dll placed alongside it, which delivered the Matanbuchus loader.
Once running, Matanbuchus 3.0 collects extensive system telemetry, including:
- Operating system version
- Logged-in username and domain
- Installed security products (for example CrowdStrike, SentinelOne or Bitdefender)
- Whether the process is running with elevated privileges
- Installed applications, services and hotfixes
The collected data is encrypted and sent to the C2 server in HTTP requests whose User-Agent mimics Skype, so the beacon blends in with ordinary client traffic.
For persistence, the loader creates a scheduled task via COM (from shellcode, using the Task Scheduler COM interfaces) that silently runs the loader DLL every 5 minutes with: regsvr32 -e -n -i:"user" <dll_path>. The -n switch skips DllRegisterServer and -i: passes the string "user" to the DLL's DllInstall export, so the DLL executes without ever being registered as a COM server.
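That persistence pattern is huntable: regsvr32 launched with -n together with -i: against a DLL in a user-writable folder, repeating on a fixed cadence. The following is an added example (not code from Morphisec or from the report) that runs that logic over constructed process-creation records; hostnames, the user, the file paths and the timestamps are invented for illustration. The check also tolerates the /n and /i: switch spelling and an uppercase REGSVR32.EXE image name.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (not from the Morphisec report). A SIEM export of
# process-creation records would look roughly like this; every value is made up.
SAMPLE_EVENTS = [
    {"ts": "2025-07-10T09:00:03Z", "host": "WS01",
     "cmd": r'regsvr32 -e -n -i:"user" C:\Users\jdoe\AppData\Local\Temp\libcurl.dll'},
    {"ts": "2025-07-10T09:05:03Z", "host": "WS01",
     "cmd": r'regsvr32 -e -n -i:"user" C:\Users\jdoe\AppData\Local\Temp\libcurl.dll'},
    {"ts": "2025-07-10T09:10:04Z", "host": "WS01",
     "cmd": r'regsvr32 -e -n -i:"user" C:\Users\jdoe\AppData\Local\Temp\libcurl.dll'},
    {"ts": "2025-07-10T09:15:03Z", "host": "WS01",
     "cmd": r'regsvr32 -e -n -i:"user" C:\Users\jdoe\AppData\Local\Temp\libcurl.dll'},
    # Benign: an installer registering a COM server from Program Files.
    {"ts": "2025-07-10T09:02:11Z", "host": "WS02",
     "cmd": r'regsvr32 /s "C:\Program Files\Vendor\vendorcom.dll"'},
    # Suspicious switches, but seen only once, so no cadence.
    {"ts": "2025-07-10T11:30:00Z", "host": "WS03",
     "cmd": r'REGSVR32.EXE /n /i:"user" C:\ProgramData\cache\helper.dll'},
]

# Folders a standard user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(
    r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.IGNORECASE)
# regsvr32 switches: "-x" or "/x", optionally followed by ":argument".
SWITCH = re.compile(r"(?:^|\s)[-/]([a-z])(:\S*)?", re.IGNORECASE)
# First quoted or unquoted drive-letter path ending in .dll.
DLL_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.dll)"?', re.IGNORECASE)


def parse_regsvr32(cmd: str):
    """Return (set_of_switches, dll_path) for a regsvr32 command line, else None."""
    tokens = cmd.strip().split(None, 1)
    if not tokens or not re.fullmatch(r'"?regsvr32(\.exe)?"?', tokens[0], re.IGNORECASE):
        return None
    rest = tokens[1] if len(tokens) > 1 else ""
    switches = {m.group(1).lower() for m in SWITCH.finditer(rest)}
    m = DLL_PATH.search(rest)
    return switches, (m.group(1) if m else None)


def is_suspicious(switches: set, dll) -> bool:
    """-n skips DllRegisterServer and -i: calls DllInstall instead; combined with
    a DLL in a user-writable folder this is the pattern described above."""
    return ("n" in switches and "i" in switches
            and dll is not None and USER_WRITABLE.search(dll) is not None)


def periodic_cadence(timestamps, expected=300, tolerance=30, min_events=3) -> bool:
    """True when at least min_events fire roughly `expected` seconds apart."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return abs(median(gaps) - expected) <= tolerance


def hunt(events):
    """One finding per (host, dll) pair with suspicious regsvr32 use."""
    seen = defaultdict(list)
    for ev in events:
        parsed = parse_regsvr32(ev["cmd"])
        if parsed is None:
            continue
        switches, dll = parsed
        if is_suspicious(switches, dll):
            when = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            seen[(ev["host"], dll.lower())].append(when)
    return [{"host": host, "dll": dll, "count": len(times),
             "periodic_5min": periodic_cadence(times)}
            for (host, dll), times in seen.items()]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The cadence check is what separates a one-off "regsvr32 /n /i:" from a scheduled task; pairing the hit with Task Scheduler operational events or registry Run-key writes on the same host closes the loop on the persistence the report describes.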
Depending on the defenses reported back from the host, the operator can choose among several execution paths:
- Running MSI installers
- Process hollowing of msiexec.exe
- DLL execution via rundll32
- Direct CMD or PowerShell commands
- Information gathering through WMI and registry queries
With its stealthy delivery, defense-aware execution logic, and C2 traffic disguised as Skype, the loader poses a high risk to organizations, particularly when the intrusion begins over a trusted collaboration tool like Teams.