Hackers Use Microsoft Teams to Spread Matanbuchus 3.0 Malware Loader


Threat researchers have uncovered a new wave of cyberattacks using Microsoft Teams as a delivery vector for Matanbuchus 3.0, a stealthy malware-as-a-service (MaaS) tool built for launching ransomware, reverse shells, and secondary malware.


⚠️ What is Matanbuchus?

Originally advertised in 2021 on Russian-speaking underground forums, Matanbuchus is a malware loader—a lightweight program that runs in memory and downloads larger malicious payloads.

It’s been used to deploy:

  • QakBot
  • DanaBot
  • Cobalt Strike beacons
  • And precursors to ransomware attacks

Version 3.0, now actively sold for up to $15,000/month, includes:

  • In-memory execution
  • PowerShell & CMD reverse shell support
  • Enhanced obfuscation
  • Remote DLL, EXE & shellcode payload loading
  • WQL query & COM task scheduling evasion

🧠 Attack Vector: Microsoft Teams

Security researchers from Morphisec observed an attack earlier this month where attackers:

  1. Initiated fake IT help desk chats over Microsoft Teams
  2. Tricked users into opening Quick Assist for screen sharing
  3. Launched a PowerShell script that deployed Matanbuchus
  4. Executed a malicious DLL using a renamed Notepad++ updater

This method of social engineering mimics previous tactics used by Black Basta ransomware groups.


🛠 How It Works

Once executed:

  • Matanbuchus checks for admin privileges
  • Scans for security tools and running services
  • Sends data to a command-and-control (C2) server
  • Awaits further instructions (typically EXE or MSI payloads)

Persistence is achieved by injecting shellcode into COM objects and scheduling hidden tasks—often manipulating ITaskService.


🕵️‍♂️ Why It Matters

The evolution of Matanbuchus reflects a broader trend:

  • Abuse of legitimate system tools (aka LOLBins)
  • Collaboration platform attacks (Microsoft Teams, Zoom)
  • Weaponization of common user behaviors like IT trust

With Teams now embedded in most enterprise workflows, this attack method blends into normal activity, making detection harder.


🛡️ Defense Tips from Alcaeus Services

  • ✅ Disable Quick Assist in environments where it’s not required
  • ✅ Train staff to never approve surprise IT remote sessions
  • ✅ Enable EDR/XDR solutions with memory scanning
  • ✅ Restrict script execution & DLL sideloading in Teams-integrated systems
  • ✅ Monitor PowerShell behavior & COM object access
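As an added illustration of the last two tips (example code written for this post, not tooling from Morphisec or Alcaeus Services), the following Python flags two signals from the chain described above in Sysmon-style process-creation records: a hidden or bypass-flagged PowerShell start while Quick Assist is running, and a process whose PE OriginalFileName is the Notepad++ updater (gup.exe) but whose on-disk name differs. The field names, paths and sample events are constructed assumptions.

```python
"""Constructed detection example for the Teams/Quick Assist -> PowerShell ->
renamed-updater chain.  Records mimic Sysmon Event ID 1 fields (assumed names)."""
import ntpath  # Windows path handling regardless of the host OS

NPP_UPDATER = "gup.exe"  # on-disk name of the Notepad++ updater (GUP)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SUSPICIOUS_PS = ("-w hidden", "-ep bypass", "-enc", "downloadstring")

# Constructed sample: a benign updater run (pid 20), then the attack-like chain.
SAMPLE_EVENTS = [
    {"pid": 10, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "orig": "EXPLORER.EXE", "cmd": "explorer.exe"},
    {"pid": 20, "ppid": 10, "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "orig": "gup.exe", "cmd": "gup.exe -v8.6"},
    {"pid": 30, "ppid": 10, "image": r"C:\Windows\System32\quickassist.exe",
     "orig": "QuickAssist.exe", "cmd": "quickassist.exe"},
    {"pid": 40, "ppid": 10,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "orig": "PowerShell.EXE",
     "cmd": "powershell.exe -w hidden -ep bypass -c <constructed>"},
    {"pid": 50, "ppid": 40, "image": r"C:\Users\alice\AppData\Local\Temp\upd\svchost.exe",
     "orig": "gup.exe", "cmd": "svchost.exe"},
]


def detect(events):
    """Return (pid, reason) findings; events are in chronological order.
    The sample has no process-stop events, so 'active' only grows here."""
    active = set()  # lower-cased image names seen running so far
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        path = e["image"].lower()
        active.add(name)
        # Signal 1: PowerShell with hidden/bypass flags during a Quick Assist session
        if name.startswith("powershell") and "quickassist.exe" in active:
            if any(t in e["cmd"].lower() for t in SUSPICIOUS_PS):
                findings.append((e["pid"], "hidden/bypass PowerShell while Quick Assist runs"))
        # Signal 2: PE version info says gup.exe but the file was renamed or relocated
        if e["orig"].lower() == NPP_UPDATER and name != NPP_UPDATER:
            findings.append((e["pid"], "renamed Notepad++ updater (DLL sideload host)"))
        elif e["orig"].lower() == NPP_UPDATER and any(d in path for d in USER_WRITABLE):
            findings.append((e["pid"], "Notepad++ updater running from user-writable path"))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(pid, reason)
```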

If you’re concerned about stealth loaders or remote access vectors in your environment, contact us today for a tactical vulnerability scan or endpoint hardening plan.


📥 Stay ahead of threats—subscribe for more updates or book a consult at alc-srv.eu
