BelialDemon
BelialDemon is the threat actor name associated in the provided reporting with Matanbuchus, a Malware-as-a-Service loader first advertised on Russian-speaking cybercrime forums in February 2021. The content identifies BelialDemon as the actor behind Matanbuchus advertising and notes that CYFIRMA attributed a 2022 Matanbuchus spam and spear-phishing campaign to BelialDemon.

In the reported 2022 activity, the infection chain used phishing or spear-phishing emails carrying a malicious HTML attachment that performed HTML smuggling to drop a ZIP archive containing an MSI installer. The lure impersonated a OneDrive-hosted scanned document. The MSI was signed with a revoked certificate, displayed a fake Adobe Font Pack installation and error message, dropped a DLL and a VBS script into the victim's AppData path, and executed the DLL via regsvr32.exe in Squiblydoo-style fashion. The Matanbuchus DLL used anti-debugging checks and custom XOR-based decryption, and attempted to contact multiple command-and-control URLs to retrieve an additional payload identified by CYFIRMA as a Cobalt Strike Beacon. The content also states that Matanbuchus has been used to deliver follow-on payloads including Cobalt Strike, QakBot, DanaBot, Rhadamanthys stealer, and NetSupport RAT.

Huntress describes Matanbuchus 3.0 as a complete rewrite with higher-priced HTTPS and DNS variants, anti-analysis protections including junk code and dead loops, ChaCha20-encrypted strings and shellcode handling, process enumeration for security-product discovery, and the ability to run multiple payload formats from disk or memory. In a 2026 intrusion discussed in the content, Matanbuchus 3.0 was delivered via ClickFix social engineering and ultimately deployed a custom implant Huntress named AstarionRAT; the intrusion included rapid lateral movement with PsExec, rogue account creation, and Microsoft Defender exclusion staging.

Aliases directly supported by the content: belialdemon.
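The host behaviours described above (regsvr32 registering a DLL dropped under AppData, Defender exclusion staging, rogue local account creation, and PsExec service execution) translate into simple process-creation detections. The following is an added example, not code from the reporting or from Mallory: the JSON-lines events, paths, user and file names are constructed, and the rules are a minimal illustrative matcher rather than any vendor's rule set.

```python
import json
import re

# Constructed Sysmon-style process-creation events (JSON lines); sample data, not real telemetry.
# Paths, user names and file names are invented for illustration.
SAMPLE_LOG = r'''
{"Image": "C:\\Windows\\System32\\msiexec.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "msiexec.exe /i C:\\Users\\alice\\Downloads\\scan_doc.msi"}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\AdobeFontPack\\main.dll"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell -c Add-MpPreference -ExclusionPath C:\\ProgramData\\svc"}
{"Image": "C:\\Windows\\System32\\net.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "net user backupadm P@ssw0rd /add"}
{"Image": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe"}
{"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\msiexec.exe", "CommandLine": "regsvr32.exe /s C:\\Program Files\\Vendor\\legit.dll"}
'''

# Directories a standard user can write to. A DLL registered from one of these by regsvr32 is the
# Squiblydoo-style pattern described above; an installer registering into Program Files is not flagged.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Users\\Public|Temp)\\", re.I)

RULES = [
    ("regsvr32_user_writable_dll",
     lambda e: e["Image"].lower().endswith("regsvr32.exe") and bool(USER_WRITABLE.search(e["CommandLine"]))),
    ("defender_exclusion_staging",
     lambda e: re.search(r"add-mppreference\s.*-exclusion", e["CommandLine"], re.I) is not None),
    ("local_account_creation",
     lambda e: re.search(r"\bnet1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", e["CommandLine"], re.I) is not None),
    ("psexec_service_binary",
     lambda e: e["Image"].lower().endswith("psexesvc.exe")),
]


def parse_events(log_text):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(events):
    """Return (rule_name, command_line) for every event that matches a rule, in log order."""
    hits = []
    for event in events:
        for name, matches in RULES:
            if matches(event):
                hits.append((name, event["CommandLine"]))
    return hits


if __name__ == "__main__":
    for name, cmd in detect(parse_events(SAMPLE_LOG)):
        print(f"{name}: {cmd}")
```

Each rule fires on exactly one of the sample events, and the benign regsvr32 call into Program Files produces no hit.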
Recent activity
Advertised and sold the Matanbuchus MaaS loader on Russian-speaking cybercrime forums (initially in 2021), positioning it as a premium loader used for high-value, targeted intrusions that can deliver follow-on payloads (e.g., Cobalt Strike, QakBot, DanaBot, Rhadamanthys, NetSupport RAT).
Attributed with distributing the Matanbuchus malware loader via spam and spear-phishing campaigns using HTML smuggling, MSI installers, and regsvr32 to load a malicious DLL that attempts to download additional payloads including a Cobalt Strike beacon.