From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up

In one of the most recent cases (July 2025), a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk. During this engagement, Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader.

This blog post presents the details of the recent loader version, focusing on changes relative to previously published analyses, including:

  • New delivery technique
  • Improved communication protocol techniques
  • Added in-memory stealthy capabilities
  • Enhanced obfuscation, encryption, and evasion techniques
  • WQL query support, CMD and PowerShell reverse shell support
  • EXE/DLL/MSI/Shellcode next stage execution support
  • Indirect system call evasion
  • Enriched data collection which includes the latest EDR security controls
  • Modified persistence methodology

IOCs from recent campaigns are listed at the end of the blog.

Read the complete article here.

This post is licensed under CC BY 4.0 by the author.