From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up
In one of the most recent cases (July 2025), a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk. During this engagement, Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader.
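The delivery chain above (an externally initiated Teams call, a Quick Assist session, then an employee-run script) leaves a simple telemetry signature: a script interpreter started by the same user on the same host shortly after Quick Assist launched. The following detection sketch is an added example written for this post, not code from Morphisec or from the article; it assumes Quick Assist runs as `QuickAssist.exe`, uses a constructed set of Sysmon-style process-creation events, and treats the 15-minute window and the interpreter list as tunable assumptions.

```python
from datetime import datetime, timedelta

# Assumption: the Quick Assist app runs as QuickAssist.exe on the endpoint.
REMOTE_ASSIST_IMAGES = {"quickassist.exe"}

# Interpreters a helpdesk impersonator would ask a victim to run a script with.
SCRIPT_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
}

# Constructed process-creation events (simplified Sysmon Event ID 1 fields).
SAMPLE_EVENTS = [
    {"ts": "2025-07-10T09:01:12", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "QuickAssist.exe"},
    {"ts": "2025-07-10T09:02:00", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
    {"ts": "2025-07-10T09:04:40", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Users\jdoe\Downloads\helpdesk.ps1"},
    {"ts": "2025-07-10T09:05:00", "host": "WS-017", "user": "CORP\\asmith",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe"},          # no Quick Assist on this host: benign
    {"ts": "2025-07-10T11:30:00", "host": "WS-042", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe"},                 # far outside the window: not flagged
]


def image_name(path: str) -> str:
    """Lower-cased file name of a process image path (handles both separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_quick_assist_script_chains(events, window=timedelta(minutes=15)):
    """Flag script interpreters launched by the same host/user within `window`
    of a Quick Assist start. Returns one alert dict per suspicious launch."""
    last_assist_start = {}   # (host, user) -> datetime of most recent Quick Assist start
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        name = image_name(ev["image"])
        if name in REMOTE_ASSIST_IMAGES:
            last_assist_start[key] = t
            continue
        start = last_assist_start.get(key)
        if start is None or name not in SCRIPT_INTERPRETERS:
            continue
        if t - start <= window:
            alerts.append({
                "host": ev["host"],
                "user": ev["user"],
                "image": name,
                "cmdline": ev["cmdline"],
                "parent_image": image_name(ev["parent_image"]),
                "seconds_after_assist": int((t - start).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in find_quick_assist_script_chains(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']} {a['user']}: {a['image']} "
              f"{a['seconds_after_assist']}s after Quick Assist -> {a['cmdline']}")
```

The rule is deliberately narrow: it keys on the user who accepted the remote session and on elapsed time, so routine interpreter launches elsewhere in the fleet are not flagged. In a real pipeline the alert would also carry the Teams call metadata (external tenant, time of the call) so an analyst can confirm the social-engineering step the article describes.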
This blog post presents the details of the recent loader version, focusing on changes from previously published analyses, including:
- New delivery technique
- Improved communication protocol techniques
- Added in-memory stealthy capabilities
- Enhanced obfuscation, encryption, and evasion techniques
- WQL query support, CMD and PowerShell reverse shell support
- EXE/DLL/MSI/Shellcode next stage execution support
- Indirect system call evasion
- Enriched data collection which includes the latest EDR security controls
- Modified persistence methodology
IOCs from recent campaigns are listed at the end of the blog.
To read the complete article see:
This post is licensed under CC BY 4.0 by the author.