2025-07-16

Phishing via Microsoft Teams is being used to spread a new version of the Matanbuchus malware loader, Morphisec reported Wednesday.

Matanbuchus 3.0 is a complete rewrite of the original Matanbuchus malware-as-a-service (MaaS) that has been available since 2021, according to an advertisement for the loader found on a cybercrime forum on July 7, 2025.

Matanbuchus 3.0 attack chain and new capabilities

Morphisec observed this newer version even prior to the publication of the advertisement, suggesting it was already circulating among trusted cybercriminal circles for some time. In one July 2025 case, a Morphisec customer was subjected to phishing via a Teams call, leading to Matanbuchus infection.

In an external Teams call, an attacker impersonated IT staff to trick an employee into initiating a Quick Assist remote desktop session and executing a PowerShell script that downloaded a ZIP archive.

The archive contained the Notepad++ updater (renamed to GenericUpdater.exe), an XML configuration file and a DLL (libcurl.dll) containing the Matanbuchus loader. The DLL is sideloaded via execution of the benign Notepad++ updater.

While previous versions of Matanbuchus used a similar Notepad++ updater sideloading method, the attacks started with a download of an MSI installer rather than the ZIP archive found in this recent attack.

The configuration file is similar to a legitimate Notepad++ config file but uses the typosquatted domain notepad-plus-plu[.]org rather than the legitimate notepad-plus-plus[.]org domain. Morphisec’s investigation revealed multiple downloads from this domain dating back to September 2024.

Matanbuchus 3.0 primarily uses living-off-the-land (LOTL) techniques to stealthily retrieve system data and establish persistence and access for installation and execution of future malicious payloads. An exported DLLInstall function is triggered using regsvr32 to kick off the attack chain.

A list of Windows API functions is dynamically resolved using MurmurHash3 to hash function names and match them to a list of hardcoded hashes; previous versions of Matanbuchus used the fnv1a algorithm for the resolution process.
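The hash-based import resolution described above is something an analyst can reverse: hashing a candidate list of export names with the same function and matching them against the values pulled from a sample recovers which APIs the loader resolves. The following is an added analysis helper, not code from Morphisec or from the loader; the seed and string encoding the loader uses are not stated in the report, so both are parameters here and the sample hash list is constructed from names the report mentions.

```python
"""Resolve MurmurHash3-style API hashes back to Windows export names."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """Standard MurmurHash3_x86_32 (Austin Appleby's public-domain design)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for (k,) in struct.iter_unpack("<I", data[: nblocks * 4]):
        k = _rotl32((k * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]          # 0-3 trailing bytes
    if tail:
        k = int.from_bytes(tail, "little")
        k = _rotl32((k * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
    h ^= len(data)                     # finalisation mix (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    return h ^ (h >> 16)


# Analyst-chosen candidate exports: the three the report names plus a few
# plausible neighbours. A real hunt would load a full kernel32/advapi32 export list.
CANDIDATE_APIS = [
    "IsWow64Process", "ExpandEnvironmentStringsW", "GetVolumeInformationW",
    "GetVolumeInformationA", "GetUserDefaultUILanguage", "CreateMutexW",
]


def build_table(names, seed: int = 0, encoding: str = "ascii") -> dict:
    """Map hash -> export name. Seed/encoding are assumptions (report gives neither)."""
    return {murmurhash3_32(n.encode(encoding), seed): n for n in names}


def resolve_hashes(hashes, names=CANDIDATE_APIS, seed: int = 0) -> dict:
    """Return {hash: name-or-None} so unresolved values stay visible for follow-up."""
    table = build_table(names, seed)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # Constructed sample: hashes as they might be pulled from a loader's table.
    sample = [murmurhash3_32(b"IsWow64Process"), murmurhash3_32(b"ExpandEnvironmentStringsW"), 0xDEADBEEF]
    for h, name in resolve_hashes(sample).items():
        print(f"{h:#010x} -> {name or '<unresolved>'}")
```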

Rather than calling these API functions directly, the malware uses custom shellcode to extract and indirectly execute syscall numbers, making it more difficult to detect suspicious API actions.

Matanbuchus attempts to detect sandboxes by using IsWow64Process, which can identify 32-bit processes running under Wow64 on 64-bit systems, a potential sign of a sandbox environment. It also checks the system’s default user interface (UI) language and aborts if the language is Russian, Belarusian, Armenian, Azerbaijani or Kazakh.

A serial ID that is used for mutex naming, COM persistency and file directory names is generated by using ExpandEnvironmentStringsW to expand the %HOMEDRIVE% path and then using GetVolumeInformation to retrieve the lpVolumeSerialNumber. This 32-bit serial number is concatenated as a string with another version of the same serial number bit-shifted right by two to create the new serial ID.

Persistence is established by creating a registry key at the path HKCU\SOFTWARE\ and also by copying the loader DLL to a persistent path within the APPDATA directory, in a folder that uses the new serial ID as its name. The malware uses shellcode to stealthily interact with ITaskService and schedule a task that silently executes the loader every five minutes using regsvr32.

Matanbuchus communicates with the command-and-control (C2) domain nicewk[.]com, a string that is stored encrypted with Salsa20, where previous versions used RC4 to encrypt the C2 domain. When communicating with the C2, it impersonates the Skype desktop application in an attempt to blend in with normal traffic.

The new version of Matanbuchus allows for C2 communication over HTTP, where the previous version only allowed for DNS communication. The HTTP version costs purchasers $10,000 per month while the DNS version costs $15,000 per month.

The loader sends system information including username, system name and OS version back to the C2 server; Matanbuchus 3.0 also collects a list of security services on the victim’s machine and relays them back to the C2, which likely affects the subsequent execution methods used, said Morphisec.

The new version of Matanbuchus supports EXE, DLL, MSI and Shellcode for next stage execution. It also supports WQL queries, direct commands (CMD) and PowerShell reverse shells. The malware uses msiexec process hollowing for stealthy MSI execution.

While Morphisec did not identify a specific ransomware attack tied to this new loader, it emphasizes that its improved stealth, communication methods and execution support could set the stage for subsequent ransomware deployment.