Beware: Matanbuchus 3.0 Malware Spreads via Microsoft Teams Calls

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 19, 2025 2 min read

Malware Deployment via Microsoft Teams

The Matanbuchus malware loader has recently emerged as a significant threat, utilizing Microsoft Teams as a delivery method. Attackers impersonate IT helpdesk personnel to lure victims into executing malicious scripts, leading to the installation of the malware on their systems. This method has proven effective due to the legitimacy and familiarity of Teams in corporate environments, increasing the likelihood of success in targeted attacks.

Matanbuchus Ransomware
Image courtesy of BetaNews

Technical Details of Matanbuchus 3.0

Matanbuchus 3.0 has evolved considerably since its inception, now incorporating advanced techniques for delivery and execution. The malware is distributed through a ZIP archive that contains a renamed Notepad++ updater, a modified configuration XML file, and a malicious side-loaded DLL acting as the loader. Once installed, Matanbuchus retrieves its instructions from a command-and-control (C2) server, enabling it to execute further attacks, including ransomware deployment.

According to Morphisec, the malware loader now employs a 256-bit Salsa20 encryption scheme for communication, making detection more difficult. Additionally, it uses advanced obfuscation techniques and in-memory evasion tactics to avoid traditional security measures.

For a comprehensive technical analysis, refer to the Morphisec report.

Attack Vector and Social Engineering

The attackers specifically choose their victims, reaching out via Microsoft Teams under the pretense of resolving a technical issue. This targeted approach improves the chances of success as victims are more likely to comply with requests for remote access. Once remote access is granted, attackers use Quick Assist to guide users through executing the PowerShell script that deploys Matanbuchus.

Matanbuchus Malware
Image courtesy of Morphisec

Indicators of Compromise (IOCs)

Organizations should be aware of several IOCs associated with Matanbuchus 3.0. These include:

  • Hash/URL: 94.159.113[.]33 – fixuplink[.]com (Malicious C2 infrastructure)
  • Malicious update location: notepad-plus-plu[.]org
  • Scheduled Task Name: EventLogBackupTask

For a detailed list of IOCs, refer to the original analysis here.

Recommendations for Mitigation

To defend against threats like Matanbuchus, organizations are encouraged to adopt proactive security measures. Gopher Security’s AI-Powered Zero Trust Platform can help mitigate risks by ensuring robust access control and real-time monitoring of network traffic. Our platform integrates advanced AI authentication and micro-segmentation to create a secure environment across various endpoints and cloud services.

Explore how Gopher Security can enhance your cybersecurity posture by visiting our website.

Conclusion

Matanbuchus 3.0 represents a sophisticated evolution in malware deployment, relying on social engineering and advanced technical measures. By understanding the tactics employed and implementing comprehensive security solutions, organizations can better protect themselves against such targeted attacks. For more information on securing your environment, contact Gopher Security today.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article