From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up

July 18, 2025, 9:21 a.m.

Description

Matanbuchus 3.0, a malware loader sold as Malware-as-a-Service, has received significant updates. It now uses improved command-and-control communication protocols, in-memory stealth techniques, stronger obfuscation, and support for WQL queries, CMD, and PowerShell reverse shells. The loader collects detailed system data, including information on the EDR security controls present, so that subsequent attack stages can be tailored to the victim. It can execute commands through regsvr32, rundll32, msiexec, or process hollowing, and it establishes persistence through scheduled tasks and registry modifications. Recent campaigns have reached victims through external Microsoft Teams calls impersonating an IT helpdesk, which can lead to ransomware compromise.

Date

  • Created: July 18, 2025, 9:01 a.m.
  • Published: July 18, 2025, 9:01 a.m.
  • Modified: July 18, 2025, 9:21 a.m.

Indicators


Attack Patterns