Attackers Use Microsoft Teams Calls to Deploy Matanbuchus Ransomware

The notorious malware loader Matanbuchus has been increasingly leveraged in highly targeted cyberattacks, with the latest iteration Matanbuchus 3.0 demonstrating heightened sophistication and destructive potential.

In a recent campaign observed in July 2025, attackers exploited Microsoft Teams calls, masquerading as legitimate IT helpdesk representatives to lure employees into launching malicious scripts.

During these calls, Quick Assist was activated under the guise of remote support, leading victims through steps that executed a script designed to download and install the Matanbuchus loader onto their Windows systems.

Evolution of Matanbuchus

The technical delivery chain has evolved significantly. Attackers now distribute a ZIP archive containing a weaponized version of the Notepad++ updater (GUP), a subtly altered configuration XML, and a malicious side-loaded DLL acting as the loader.

[Figure: Matanbuchus infection chain]

Notably, attackers employed cybersquatting to trick users, with the update URL in the config file pointing to a lookalike domain such as “notepad-plus-plu[.]org.”

This social engineering approach combined with legitimate-appearing tools increases the success rate of initial compromise.
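The altered updater configuration is the point where a defender can catch this chain before anything runs: the update URL should only ever point at the vendor's real domain, and a host that is one or two edits away from it is the cybersquatting signal the article describes. The following Python is an added example, not code from the article or from Morphisec; the sample XML is constructed, and its element names are an assumption modelled loosely on the GUP updater's config rather than the real schema.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config. Element names are modelled loosely on the GUP
# updater's XML and are an assumption for illustration, not the real schema.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<GUPInput>
  <Version>5.2.1</Version>
  <InfoUrl>https://notepad-plus-plu.org/update/getDownloadUrl.php</InfoUrl>
  <Param>x64</Param>
</GUPInput>
"""

# Hosts the genuine updater is expected to contact (assumption for this example).
EXPECTED_HOSTS = {"notepad-plus-plus.org"}


def extract_update_hosts(config_xml: str) -> list:
    """Return the lower-cased hostname of every http(s) URL found in the config's text nodes."""
    root = ET.fromstring(config_xml)
    hosts = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text.lower().startswith(("http://", "https://")):
            host = urlparse(text).hostname
            if host:
                hosts.append(host.lower())
    return hosts


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted host is the lookalike-domain signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, expected=EXPECTED_HOSTS, max_distance: int = 2) -> str:
    """'trusted' on exact match, 'lookalike' within max_distance edits of a trusted host, else 'unknown'."""
    if host in expected:
        return "trusted"
    if any(levenshtein(host, good) <= max_distance for good in expected):
        return "lookalike"
    return "unknown"


def audit_config(config_xml: str) -> dict:
    """Map every update host found in the config to its classification."""
    return {h: classify_host(h) for h in extract_update_hosts(config_xml)}


if __name__ == "__main__":
    for host, verdict in audit_config(SAMPLE_CONFIG).items():
        print(f"{host}: {verdict}")
```

Both "lookalike" and "unknown" deserve a block on the update: a legitimate updater has no reason to fetch from any host outside its vendor's domain, and the edit-distance check only adds a label that makes the typosquat obvious to the analyst reading the alert.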

Matanbuchus 3.0 brings a wave of improvements. The loader now features a revamped communication protocol that switches to 256-bit Salsa20 encryption, and it incorporates advanced obfuscation and in-memory evasion tactics.

These upgrades make detection and analysis far more difficult. Malicious domains and user agents are now decrypted dynamically within the DLL, and system calls are masked via indirect invocation, further hindering forensic efforts.

Tailored Payload Execution

Once executed, the loader assesses its environment for security controls by scanning for popular endpoint detection and response (EDR) processes such as Windows Defender, CrowdStrike Falcon, and SentinelOne.

[Figure: Notepad++ GUP updater]

It collects a wide array of data (user and computer names, Windows OS version, domain membership, and elevation status), encrypts it, and sends it home via encrypted HTTP POSTs that masquerade as Skype Desktop traffic on port 443.
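Traffic that pretends to be Skype is detectable precisely because a real Skype client only talks to a small set of Microsoft-owned domains. The Python below is an added example, not the article's or Morphisec's code; it assumes the masquerade is carried in the HTTP User-Agent header, uses constructed proxy log lines in a made-up pipe-separated format, takes the C2 domains from the article's IOC list, and treats the list of legitimate Skype domains as an assumption for illustration.

```python
# Defanged C2 domains from the article's IOC list.
IOC_DOMAINS_DEFANGED = ["fixuplink[.]com", "bretux[.]com", "nicewk[.]com", "emorista[.]org"]

# Domains a genuine Skype client is expected to contact (assumption for this example).
SKYPE_LEGIT_SUFFIXES = ("skype.com", "microsoft.com", "live.com")

# Constructed proxy log lines: time|src_ip|method|dst_host|dst_port|user_agent|bytes
SAMPLE_LOG = """\
2025-07-10T10:01:02Z|10.0.5.21|POST|api.skype.com|443|Skype/8.0 (Desktop)|912
2025-07-10T10:01:09Z|10.0.5.21|POST|bretux.com|443|Skype/8.0 (Desktop)|1840
2025-07-10T10:01:15Z|10.0.5.33|POST|updates.example-vendor.net|443|Skype/8.0 (Desktop)|620
2025-07-10T10:02:00Z|10.0.5.40|GET|www.example.org|443|Mozilla/5.0|300
"""


def refang(domain: str) -> str:
    """Turn the IOC's defanged 'a[.]b' form back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def host_matches(host: str, suffixes) -> bool:
    """True if host equals or is a subdomain of any suffix in the set."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed input."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7:
        return None
    ts, src, method, host, port, ua, nbytes = fields
    return {"ts": ts, "src": src, "method": method.upper(), "host": host.lower(),
            "port": int(port), "ua": ua, "bytes": int(nbytes)}


def detect(log_text: str) -> list:
    """Return one alert per log line that matches a C2 IOC or shows a Skype UA/destination mismatch."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if host_matches(rec["host"], IOC_DOMAINS):
            reasons.append("destination matches a published Matanbuchus C2 domain")
        if ("skype" in rec["ua"].lower() and rec["method"] == "POST"
                and rec["port"] == 443 and not host_matches(rec["host"], SKYPE_LEGIT_SUFFIXES)):
            reasons.append("Skype user agent posting to a non-Microsoft host")
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "host": rec["host"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The IOC match is the high-confidence rule, but it only works until the operators rotate domains; the user-agent/destination mismatch is the durable one, because the loader cannot both impersonate Skype and send its beacons to Microsoft's servers.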

Persistence is achieved using an innovative combination of COM objects, shellcode injection, and a Windows scheduled task named “EventLogBackupTask.”

According to Morphisec's report, this task executes the malicious loader at defined intervals, using advanced regsvr32 flags to evade common endpoint detection rules.
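Scheduled-task creation is logged, so the persistence mechanism above can be hunted retrospectively: Windows Security event 4698 carries the task's name and its full definition in the Task Scheduler XML schema, and a task whose action is regsvr32.exe pointed at a DLL in a user-writable directory is rarely legitimate. The Python below is an added example, not code from the article or Morphisec; the two task definitions are constructed samples (one benign, one hypothetical loader task), the task name comes from the article's IOC list, and the regsvr32 switch heuristics reflect general defender knowledge rather than anything the article states about this campaign.

```python
import ntpath
import xml.etree.ElementTree as ET

# Scheduled task name listed in the article's IOCs.
IOC_TASK_NAMES = {"EventLogBackupTask"}

# Constructed task definitions in the Task Scheduler XML schema, as carried in the
# TaskContent field of Security event 4698. The second is a hypothetical sample,
# not a real capture from the campaign.
SAMPLE_EVENTS = [
    ("\\Microsoft\\Windows\\Backup\\NightlyImage",
     """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
          <Actions><Exec>
            <Command>C:\\Windows\\System32\\wbadmin.exe</Command>
            <Arguments>start backup -quiet</Arguments>
          </Exec></Actions>
        </Task>"""),
    ("\\EventLogBackupTask",
     """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
          <Triggers><TimeTrigger><Repetition><Interval>PT15M</Interval></Repetition></TimeTrigger></Triggers>
          <Actions><Exec>
            <Command>regsvr32.exe</Command>
            <Arguments>/s /n /i:C:\\Users\\Public\\libcurl.dll</Arguments>
          </Exec></Actions>
        </Task>"""),
]


def _local(tag: str) -> str:
    """Strip the XML namespace so the parser works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def exec_actions(task_xml: str) -> list:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    actions = []
    for elem in ET.fromstring(task_xml).iter():
        if _local(elem.tag) != "Exec":
            continue
        cmd = args = ""
        for child in elem:
            if _local(child.tag) == "Command":
                cmd = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                args = (child.text or "").strip()
        actions.append((cmd, args))
    return actions


def triage_task(task_name: str, task_xml: str) -> dict:
    """Score one 4698-style event: IOC name, regsvr32 action, uncommon switches, user-writable DLL path."""
    reasons = []
    actions = exec_actions(task_xml)
    if task_name.strip("\\").split("\\")[-1] in IOC_TASK_NAMES:
        reasons.append("task name matches a published Matanbuchus IOC")
    for cmd, args in actions:
        if ntpath.basename(cmd).lower() != "regsvr32.exe":
            continue
        reasons.append("scheduled action runs regsvr32.exe")
        tokens = args.lower().split()
        if any(t == "/n" or t.startswith("/i:") for t in tokens):
            reasons.append("regsvr32 invoked with /n or /i: (DllInstall-style loading, uncommon in scheduled tasks)")
        if "\\users\\" in args.lower() or "\\programdata\\" in args.lower():
            reasons.append("DLL loaded from a user-writable path")
    severity = "high" if len(reasons) >= 2 else "medium" if reasons else "info"
    return {"task": task_name, "actions": actions, "severity": severity, "reasons": reasons}


def triage_events(events) -> list:
    """Triage a batch of (task_name, task_xml) pairs."""
    return [triage_task(name, xml) for name, xml in events]


if __name__ == "__main__":
    for result in triage_events(SAMPLE_EVENTS):
        print(result["severity"], result["task"], result["reasons"])
```

The task name is the weakest signal, since it is trivially renamed between campaigns; the regsvr32-plus-user-writable-path combination is what should page someone even when no IOC matches.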

The loader can spawn or hollow processes, including the legitimate msiexec, for process injection, and it supports next-stage payloads in EXE, DLL, MSI, or even raw shellcode form. Together these capabilities show how attackers can seamlessly chain into ransomware or other dangerous malware.

Remote commands from the command-and-control (C2) server can instruct the loader to execute arbitrary MSI installations, process hollowing, or PowerShell/CMD/WQL commands, furthering lateral movement or data exfiltration.

The trove of collected system and security data allows the attackers to adjust their tactics and select payloads optimized for evading active defenses.

The rise of such highly targeted attacks where attackers combine credible social engineering over legitimate tools like Microsoft Teams with robust malware loaders like Matanbuchus 3.0 signals a paradigm shift in ransomware delivery.

This approach not only improves initial access rates but significantly raises the bar for post-compromise detection and response.

Security vendors like Morphisec urge organizations to augment traditional detection-based tools with proactive, multi-layered solutions.

Techniques like Automated Moving Target Defense (AMTD) can disrupt such threats before execution, closing the window for privilege abuse and payload delivery.

Indicators of Compromise (IOCs)

Hash/URL | Description
94.159.113[.]33 – fixuplink[.]com | Malicious C2 infrastructure
bretux[.]com | Malicious C2 infrastructure
nicewk[.]com | Malicious C2 infrastructure
emorista[.]org | Malicious C2 infrastructure
notepad-plus-plu[.]org | Malicious update location
GUP.zip, UP.zip | Malicious delivery archives
da9585d578f367cd6cd4b0e6821e67ff02eab731ae78593ab69674f649514872 | Malicious libcurl.dll hash
2ee3a202233625cdcdec9f687d74271ac0f9cb5877c96cf08cf1ae88087bec2e | Malicious libcurl.dll hash
19fb41244558f3a7d469b79b9d91cd7d321b6c82d1660738256ecf39fe3c8421 | Malicious libcurl.dll hash
211cea7a5fe12205fee4e72837279409ace663567c5b8c36828a3818aabef456 | Malicious libcurl.dll hash
0f41536cd9982a5c1d6993fac8cd5eb4e7f8304627f2019a17e1aa283ac3f47c | Malicious libcurl.dll hash
EventLogBackupTask | Scheduled task name


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
