Matanbuchus 3.0 Campaign Exploits Quick Assist and Teams for Initial Access

Threat Group: ShadowSyndicate
Threat Type: Malware Loader / Malware-as-a-Service (MaaS)
Exploited Vulnerabilities: None (no software flaw is exploited); abuse of user trust in Microsoft Teams and Quick Assist through live social engineering
Malware Used: Matanbuchus 3.0
Threat Score: ⛔ High (7.5/10) – Due to its advanced evasion capabilities, stealthy deployment, abuse of collaboration tools, and targeting of high-value enterprise environments.
Last Threat Observation: July 19, 2025
Overview
Matanbuchus 3.0 is the latest iteration of a sophisticated Malware-as-a-Service (MaaS) loader designed to deploy second-stage payloads including Cobalt Strike, ransomware, and other malware strains. It is sold in two subscription tiers (about $10,000/month for the HTTP variant and about $15,000/month for the DNS variant), and the price reflects significant advances in stealth, persistence, and evasion over earlier versions. First publicly advertised on cybercrime forums in early July 2025, it was already being used in attacks by mid-month.
Recent campaigns observed between July 16–17 leveraged external Microsoft Teams calls to impersonate IT support and trick employees into launching Quick Assist sessions, through which malicious PowerShell scripts were run to download Matanbuchus. The loader operates almost entirely in-memory, employs advanced encryption and obfuscation techniques, and is engineered to evade detection by behavioural and signature-based defences. Its pricing, capabilities, and distribution model indicate targeting of enterprise environments by highly resourced threat actors.
Key Details
Delivery Method: Social engineering via Microsoft Teams and Quick Assist
Target: High-value enterprise organisations with remote collaboration tools
Functions:
- Advanced initial access via live social engineering
- In-memory, fileless execution
- DLL side-loading using legitimate software
- Stealthy Command and Control (HTTPS & DNS)
- Support for multiple payload types (EXE, DLL, MSI, shellcode)
Obfuscation:
- Uses Salsa20 encryption for C2 domains
- MurmurHash3 for API resolution
- Direct syscalls to bypass EDR API hooks
- Anti-sandbox, locale-aware execution filters
Attack Vectors
Matanbuchus 3.0 exploits the trust users place in internal IT and collaboration platforms. The chain begins with an unsolicited Microsoft Teams call that appears to come from internal support. Once rapport is established, the caller asks the user to open Quick Assist and share the session code, then walks the user through running a PowerShell command. That command fetches a ZIP archive containing a renamed legitimate updater executable, a malicious DLL, and a configuration file that points the updater at a typosquatted domain (notepad-plus-plu[.]org in the IoC list below). Launching the updater side-loads the malicious DLL, which establishes C2 and enables the next attack stages.
What distinguishes this campaign is live human interaction, which is far more convincing than conventional email phishing: the caller applies authority, urgency and technical jargon in real time and adapts to the victim's responses. Microsoft Teams is a trusted internal tool, so the call blends into routine communications and never crosses the email gateway. Quick Assist is a Microsoft-signed remote assistance tool, and the PowerShell command runs in the logged-on user's context, so no exploit is needed and nothing attacker-controlled touches the endpoint until the user executes that command. This shift from passive lures to active engagement is a significant escalation in social engineering, and organisations should strengthen caller verification procedures and awareness training accordingly.
Known Indicators of Compromise (IoCs)
MD5 Hashes
- 6847aa8ea6a8b7eb11d3c139ef0ea898
- 6ea9ef63b75a79f0be704ea1b4e51bcb
- a54fd38b7c6e421a7a0c68e763b69fcb
- a86c153cfb39fc0bbaf573acaef27f93
SHA1 Hashes
- 15e5f79a70d9fc6c92931211a09101d892e7cf93
- 1ff08496b459903acaf475ad39d0387e44b4d721
- 6cc7d7e83200f90ed53e01afc1d0305579ef538e
- df8e256d04ca10e52ce21f021f032fd182615f68
SHA256 Hashes
- 0f41536cd9982a5c1d6993fac8cd5eb4e7f8304627f2019a17e1aa283ac3f47c
- 19fb41244558f3a7d469b79b9d91cd7d321b6c82d1660738256ecf39fe3c8421
- 211cea7a5fe12205fee4e72837279409ace663567c5b8c36828a3818aabef456
- 2ee3a202233625cdcdec9f687d74271ac0f9cb5877c96cf08cf1ae88087bec2e
- da9585d578f367cd6cd4b0e6821e67ff02eab731ae78593ab69674f649514872
IP Addresses (Defanged)
- 94[.]159[.]113[.]33
Domains (Defanged)
- bretux[.]com
- emorista[.]org
- fixuplink[.]com
- nicewk[.]com
- notepad-plus-plu[.]org
YARA Rule (with hash module)
import "hash"

rule Matanbuchus3_Known_Sample_Hashes
{
    meta:
        description = "Matches the Matanbuchus 3.0 sample hashes listed above (MD5, SHA1, SHA256)"
        author = "CyberSec Sentinel"
        date = "2025-07-19"
        version = "1.2"
    condition:
        // hash.<alg>(offset, size) hashes the whole file. This only catches the
        // on-disk artifacts (archive, DLL, updater); the loader itself runs in
        // memory, so pair this with behavioural detection. Hashing every file
        // three times is expensive; consider a filesize guard on large fleets.
        hash.md5(0, filesize) == "6847aa8ea6a8b7eb11d3c139ef0ea898" or
        hash.md5(0, filesize) == "6ea9ef63b75a79f0be704ea1b4e51bcb" or
        hash.md5(0, filesize) == "a54fd38b7c6e421a7a0c68e763b69fcb" or
        hash.md5(0, filesize) == "a86c153cfb39fc0bbaf573acaef27f93" or
        hash.sha1(0, filesize) == "15e5f79a70d9fc6c92931211a09101d892e7cf93" or
        hash.sha1(0, filesize) == "1ff08496b459903acaf475ad39d0387e44b4d721" or
        hash.sha1(0, filesize) == "6cc7d7e83200f90ed53e01afc1d0305579ef538e" or
        hash.sha1(0, filesize) == "df8e256d04ca10e52ce21f021f032fd182615f68" or
        hash.sha256(0, filesize) == "0f41536cd9982a5c1d6993fac8cd5eb4e7f8304627f2019a17e1aa283ac3f47c" or
        hash.sha256(0, filesize) == "19fb41244558f3a7d469b79b9d91cd7d321b6c82d1660738256ecf39fe3c8421" or
        hash.sha256(0, filesize) == "211cea7a5fe12205fee4e72837279409ace663567c5b8c36828a3818aabef456" or
        hash.sha256(0, filesize) == "2ee3a202233625cdcdec9f687d74271ac0f9cb5877c96cf08cf1ae88087bec2e" or
        hash.sha256(0, filesize) == "da9585d578f367cd6cd4b0e6821e67ff02eab731ae78593ab69674f649514872"
}
Mitigation and Prevention
User Awareness: Run impersonation simulations that use Teams calls, not only email. Make it policy that the help desk never initiates unsolicited remote-control sessions, and that staff verify any such request out of band (call back on a published internal number) before sharing a Quick Assist code.
Email and Collaboration Filtering: Use Teams external access (federation) policies to restrict calls and chats to an allow list of approved partner domains, and block Teams consumer and Skype consumer accounts. Remove or restrict Quick Assist via Intune or PowerShell (uninstall it where it is not needed, or block quickassist.exe with application control). Block the listed domains at the DNS layer.
Endpoint Protection: Confirm EDR is configured to detect in-memory injection, direct-syscall use that bypasses user-mode API hooks, COM object abuse, DLL side-loading from user-writable paths, and LOLBin usage. Tune on behavioural baselines rather than file signatures, since the loader leaves little on disk.
Network Controls: Monitor outbound TLS and DNS for the listed domains and IP address, and for connections carrying a Skype user-agent string to hosts that are not Microsoft services. Use TLS inspection or encrypted traffic analytics where policy allows. Sinkhole the IoC domains.
Patching and Inventory: Keep collaboration and remote access tools patched. Maintain a current software inventory and remove remote administration tools that have no business owner.
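The two hardening steps above that close this campaign's delivery path (removing Quick Assist and restricting Teams external access) as an added PowerShell example; this is not code from the advisory or from Microsoft, and it assumes an elevated session on the endpoint, the MicrosoftTeams module with a Teams administrator already signed in via Connect-MicrosoftTeams, and a placeholder partner domain msp.example that you would replace with your own allow list.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory). Removes Quick Assist on the endpoint
# and limits Teams external access to an explicit allow list of partner
# tenants. Assumptions: elevated session; MicrosoftTeams module connected
# (Connect-MicrosoftTeams); 'msp.example' is a placeholder partner domain.

function Remove-QuickAssist {
    $removed = @()

    # Windows 11: Quick Assist is a Store (Appx) app. Remove it for all users
    # and de-provision it so it is not re-installed for new profiles.
    $appx = Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' -ErrorAction SilentlyContinue
    foreach ($pkg in $appx) {
        Remove-AppxPackage -Package $pkg.PackageFullName -AllUsers
        $removed += $pkg.PackageFullName
    }
    $prov = Get-AppxProvisionedPackage -Online |
        Where-Object { $_.DisplayName -eq 'MicrosoftCorporationII.QuickAssist' }
    foreach ($p in $prov) {
        Remove-AppxProvisionedPackage -Online -PackageName $p.PackageName | Out-Null
        $removed += $p.PackageName
    }

    # Windows 10: Quick Assist is an optional capability (Features on Demand).
    $caps = Get-WindowsCapability -Online |
        Where-Object { $_.Name -like 'App.Support.QuickAssist*' -and $_.State -eq 'Installed' }
    foreach ($c in $caps) {
        Remove-WindowsCapability -Online -Name $c.Name | Out-Null
        $removed += $c.Name
    }

    # Verify: after removal, quickassist.exe must no longer resolve on PATH.
    [pscustomobject]@{
        Removed      = $removed
        StillPresent = [bool](Get-Command quickassist.exe -ErrorAction SilentlyContinue)
    }
}

function Set-TeamsFederationAllowList {
    param([Parameter(Mandatory)] [string[]] $PartnerDomains)

    # Only the listed tenants may call or chat into this tenant. Personal
    # Teams and Skype consumer accounts are also blocked, since both reach
    # users as "external" callers and are a cheap source of lookalike callers.
    $patterns  = foreach ($d in $PartnerDomains) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns

    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomains $allowList `
                                        -AllowTeamsConsumer $false `
                                        -AllowPublicUsers $false

    # Read back the effective configuration for the change record.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowPublicUsers
}

Remove-QuickAssist
Set-TeamsFederationAllowList -PartnerDomains 'msp.example'
```

Removing the package is the cleanest control, but where the help desk genuinely needs Quick Assist, an AppLocker or WDAC path rule on quickassist.exe scoped to the support group achieves the same effect for everyone else. The federation change is tenant-wide and takes effect on the next policy refresh, so confirm with a test call from a non-listed tenant before relying on it.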
Risk Assessment
Threat Score: ⛔ High (7.5/10)
The threat warrants urgent attention due to:
- Abuse of trusted internal tools (Teams, Quick Assist)
- Fileless, stealth-based operation
- Highly targeted nature and pre-sale access by advanced actors
- DNS-based C2 channel with strong obfuscation and user-agent spoofing
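The network tells listed under Network Controls and in the risk assessment (connections to the published IoC domains and IP, and a Skype user-agent string sent to a destination that is not a Microsoft service) as an added detection example in PowerShell; this is not code from the advisory or any of its sources. The proxy log lines are constructed for the example, the five-field record layout is an assumption about your proxy format, and the list of hosts a genuine Skype client is expected to contact is an assumption to be replaced with your own baseline.

```powershell
# Added example (not from the advisory). Hunts web-proxy records for
# requests to the published IoC domains/IP and for a Skype-style
# User-Agent sent to a host outside the expected Microsoft set.
# Assumptions: the sample lines and the field layout (time, client, method,
# URL, quoted user agent) are constructed; $SkypeExpectedHosts is a guess.

$IocDomains = @('bretux.com', 'emorista.org', 'fixuplink.com', 'nicewk.com', 'notepad-plus-plu.org')
$IocIPs     = @('94.159.113.33')

# Hosts a genuine Skype client is expected to talk to (assumption; build this
# from your own baseline before alerting on the user-agent rule).
$SkypeExpectedHosts = @('*.microsoft.com', '*.microsoftonline.com', '*.skype.com', '*.live.com')

$LogPattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<method>\S+)\s+(?<url>\S+)\s+"(?<ua>[^"]*)"\s*$'

# Constructed sample records: one benign Skype login, one Skype UA to an IoC
# domain, one hit on the IoC IP, one legitimate Notepad++ update check, and
# one to the typosquatted updater domain.
$SampleLog = @'
2025-07-17T09:14:02Z 10.0.5.21 GET https://login.microsoftonline.com/common/oauth2/v2.0/token "Skype/8.123.0.202 (Windows)"
2025-07-17T09:15:41Z 10.0.5.21 POST https://nicewk.com/api/v1/update "Skype/8.123.0.202 (Windows)"
2025-07-17T09:15:59Z 10.0.5.21 GET https://94.159.113.33/check "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-07-17T09:16:10Z 10.0.5.33 GET https://notepad-plus-plus.org/update/getDownloadUrl.php "WinHttpClient"
2025-07-17T09:16:12Z 10.0.5.33 GET https://notepad-plus-plu.org/update/getDownloadUrl.php "WinHttpClient"
'@

function Find-MatanbuchusC2 {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string[]] $Domains = $IocDomains,
        [string[]] $IPs     = $IocIPs
    )
    foreach ($line in $Lines) {
        if ($line -match $LogPattern) {
            $dest    = ([uri] $Matches.url).Host   # hostname or literal IP
            $reasons = @()

            # Rule 1: direct hit on a published indicator (case-insensitive).
            if ($Domains -contains $dest -or $IPs -contains $dest) {
                $reasons += 'ioc-destination'
            }

            # Rule 2: Skype UA towards something a real Skype client would not use.
            if ($Matches.ua -like 'Skype/*') {
                $expected = $false
                foreach ($pat in $SkypeExpectedHosts) {
                    if ($dest -like $pat) { $expected = $true }
                }
                if (-not $expected) { $reasons += 'skype-ua-to-unexpected-host' }
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Time      = $Matches.ts
                    Client    = $Matches.client
                    Host      = $dest
                    UserAgent = $Matches.ua
                    Reason    = ($reasons -join ',')
                }
            }
        }
    }
}

# Expected on the sample: nicewk.com (both reasons), 94.159.113.33 and
# notepad-plus-plu.org (ioc-destination); the two legitimate lines are silent.
Find-MatanbuchusC2 -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

The user-agent rule is a heuristic and will fire on any third-party service a Skype client legitimately reaches, so treat it as a hunting lead to enrich with the destination's age and reputation rather than a blocking rule; the indicator rule is exact and safe to alert on. For the DNS variant of the loader the same domain list should be applied to resolver logs, where the request appears as a query rather than a proxied connection.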
Conclusion
Matanbuchus 3.0 epitomises the modern threat actor's shift toward high-end, human-centric delivery mechanisms paired with deep system evasions. Its presence in the MaaS ecosystem signals the continuing commoditisation of advanced tactics, lowering the bar for impactful intrusions. Enterprises must proactively implement layered detection, advanced behavioural analytics, and human-focused security education.
Sources:
- Morphisec - From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up
- The Hacker News - Hackers Leverage Microsoft Teams to Spread Matanbuchus 3.0 Malware to Targeted Firms
- SC Media - Microsoft Teams phishing spreads updated Matanbuchus malware loader
- Dark Reading - Elite 'Matanbuchus 3.0' Loader Spruces Up Ransomware Infections
- OTX AlienVault - Indicators Of Compromise