Tags: Malware, Ransomware. Used by 5 actors.

Matanbuchus

Also known as: Matanbuchus 3.0

Matanbuchus is a Windows malware loader sold as Malware-as-a-Service (MaaS), written in C++, and advertised on underground forums since February 2021 by the developer BelialDemon. It is primarily used to download and execute second-stage payloads on victim systems. Reported follow-on payloads include Cobalt Strike, Qbot/QakBot, Rhadamanthys, NetSupport RAT, and in more recent campaigns AstarionRAT. Multiple sources describe it as a premium loader with pricing ranging from about $2,500 per month for early versions to $10,000 per month for the HTTPS variant and $15,000 per month for the DNS variant of version 3.0.

Earlier reporting describes Matanbuchus as a two-stage DLL-based loader. The first stage performs environment and anti-analysis checks before loading the second stage. The second stage gathers host reconnaissance including domain, computer name, privilege level, process path, CPU and architecture details, RAM, DNS domain, and MAC address, then sends encrypted reconnaissance to command-and-control infrastructure. Documented command-and-control formats include RC4-encrypted, base64-encoded JSON in older variants and Protobuf-serialized traffic over HTTP(S) in newer variants. The malware supports a broad command set including execution of EXEs, DLLs, MSI packages, CMD and PowerShell commands, in-memory PE loading, self-update, uninstall, sleep, WMI execution, and inventory collection. Persistence has been observed via scheduled tasks, including a task named "Update Tracker Task" invoking msiexec with the uncommon -z flag.

Observed infection vectors include phishing and spear-phishing, malicious Microsoft Office macros in earlier campaigns, HTML smuggling attachments delivering ZIP archives and MSI installers, ClickFix social-engineering lures that trick users into running msiexec or PowerShell commands, and Microsoft Teams/Quick Assist-based social engineering. In one documented 2022 spam campaign, an HTML smuggling attachment masqueraded as a OneDrive-hosted scanned document and dropped an MSI signed with a revoked Westeast Tech Consulting, Corp. certificate. That MSI created C:\Users\username\AppData\Local\AdobeFontPack, dropped main.dll and notify.vbs, displayed a fake Adobe Font Pack installation/error message, and executed the DLL via regsvr32.exe using Squiblydoo-style tradecraft. The DLL used anti-debugging APIs such as IsDebuggerPresent and QueryPerformanceCounter, custom XOR-based decryption, and attempted to retrieve a Cobalt Strike Beacon from hardcoded C2 URLs including telemetrysystemcollection.com and collectiontelemetrysystem.com.

Version 3.0, observed in the wild in July 2025 and active through at least February 2026, is described as a complete rewrite. Reported capabilities include Protobuf-over-HTTPS C2, ChaCha20 encryption, MurmurHash3-based API resolution, Heaven's Gate WoW64 bypass, busy-loop sandbox evasion, hardcoded expiration dates, and enumeration of more than 70 EDR products with reporting of the victim security stack to the C2 before payload selection. It supports delivery of EXE, DLL, MSI, shellcode, PowerShell, CMD, and WMI payloads. Recent intrusion chains used dual DLL sideloading stages: first, a legitimate Zillya AVCore.exe/core.exe loading a malicious SystemStatus.dll from fake vendor-themed %APPDATA% directories such as AegisLynx Cybernetics Ltd, DocuRay Technologies S.r.l, and HelixShield Technologies ApS; second, a legitimate java.exe loading a malicious jli.dll and an encrypted Lua script (SySUpd) from a Temp directory. The malicious jli.dll was reported to unhook kernel32.dll and ntdll.dll using clean copies from \KnownDlls, initialize an embedded Lua 5.4.7 interpreter, decrypt the companion Lua script with a rolling XOR key, and execute shellcode from memory via a custom reflective loader.

Recent campaigns and reporting link Matanbuchus to ransomware-oriented and hands-on-keyboard intrusions. Huntress documented a February 2026 ClickFix intrusion in which Matanbuchus 3.0 led to deployment of AstarionRAT, followed by PsExec lateral movement, rogue account creation, and Microsoft Defender exclusion changes, with analysts assessing ransomware deployment or data exfiltration as likely objectives. ThreatLabz separately described Quick Assist-assisted delivery of a malicious MSI from gpa-cro.com, HRUpdate.exe sideloading a malicious DLL downloader, and retrieval of the main module from mechiraz.com. Mandiant reporting cited UNC4487 compromising Ukrainian government-related websites to socially engineer targets into executing Matanbuchus or CHILLYHELL, and another reference linked delivery to a Ukrainian auto insurance website. Additional reporting associated Matanbuchus use with Conti-linked activity and with a Fortgale-tracked February 2026 intrusion dubbed "FortiSync Quasar" involving Matanbuchus 3.0, Astarion RAT, and SystemBC.
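The loader, persistence and hands-on-keyboard behaviours described above translate into a small set of process-creation triage rules. The following is an added example, not code from this page or from any of the vendor reports it cites: it runs rules derived from the tradecraft quoted here (msiexec with -z, regsvr32 -n -i of a DLL under a user profile, the Zillya AVCore.exe/core.exe binary launched from a vendor-themed %APPDATA% directory, java.exe running from Temp, Set-MpPreference -ExclusionPath, and net user /add /domain) over constructed sample records. The ProcEvent schema, the assumption that %APPDATA% resolves to AppData\Roaming, and every sample path and command line are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, not a vendor format)."""
    image: str    # full path of the new process
    cmdline: str  # command line as logged


def _exe(e: ProcEvent) -> str:
    """Lower-cased file name of the created process."""
    return e.image.replace("\\", "/").lower().rsplit("/", 1)[-1]


# Rule name -> predicate. Each rule corresponds to a behaviour cited above.
RULES = {
    # scheduled-task persistence invoking msiexec with the uncommon -z flag
    "msiexec_z_flag": lambda e: _exe(e) == "msiexec.exe"
        and re.search(r"(?:^|\s)-z(?:\s|$)", e.cmdline, re.I) is not None,
    # Squiblydoo-style regsvr32 -n -i of a DLL dropped under a user profile
    "regsvr32_squiblydoo": lambda e: _exe(e) == "regsvr32.exe"
        and re.search(r"-n\s+-i\b", e.cmdline, re.I) is not None
        and re.search(r"\\users\\[^\\]+\\appdata\\", e.cmdline, re.I) is not None,
    # Zillya AVCore.exe/core.exe launched from %APPDATA% (assumed to resolve
    # to AppData\Roaming), where the malicious SystemStatus.dll is sideloaded
    "zillya_sideload_dir": lambda e: _exe(e) in ("avcore.exe", "core.exe")
        and re.search(r"\\appdata\\roaming\\", e.image, re.I) is not None,
    # java.exe running from a Temp directory (malicious jli.dll stage)
    "java_from_temp": lambda e: _exe(e) == "java.exe"
        and re.search(r"\\temp\\", e.image, re.I) is not None,
    # Defender exclusion staging seen in the hands-on-keyboard follow-up
    "defender_exclusion": lambda e: re.search(
        r"set-mppreference\s+-exclusionpath", e.cmdline, re.I) is not None,
    # rogue domain account creation
    "rogue_domain_account": lambda e: _exe(e) in ("net.exe", "net1.exe")
        and re.search(r"\buser\b.*/add\b.*/domain\b", e.cmdline, re.I) is not None,
}


def scan(events):
    """Return [(event_index, rule_name), ...] for every rule that fires."""
    return [(i, name) for i, e in enumerate(events)
            for name, pred in RULES.items() if pred(e)]


# Constructed sample records: six mirroring the reported chain, one benign.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\pkg.msi" -z'),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe -n -i "install" C:\Users\alice\AppData\Local\AdobeFontPack\main.dll'),
    ProcEvent(r"C:\Users\alice\AppData\Roaming\AegisLynx Cybernetics Ltd\AVCore.exe",
              r'"C:\Users\alice\AppData\Roaming\AegisLynx Cybernetics Ltd\AVCore.exe"'),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\jre\bin\java.exe", "java.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Set-MpPreference -ExclusionPath C:\Staging"),
    ProcEvent(r"C:\Windows\System32\net.exe", "net user svc_backup Passw0rd /add /domain"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",  # benign install: no -z flag
              r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'),
]
```

Running `scan(SAMPLE_EVENTS)` fires exactly one rule for each of the first six records and none for the benign installer; the Zillya and java.exe rules key on the image path, so they need the full path logged rather than only the file name.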

High-confidence indicators cited in the reporting above include hashes from the 2022 campaign such as HTML SHA256 e3b98dac9c4c57a046c50ce530c79855c9fe4025a9902d0f45b0fb0394409730, MSI SHA256 5dcbffef867b44bbb828cfb4a21c9fb1fa3404b4d8b6f4e8118c62addbf859da, and DLL SHA256 8833f28dc0cadd4b3c5676981b2a76e1c0683f2e2b8e3dac8270622c12e032ef; older C2 IPs 193.56.146.60, 193.56.146.61, 193.56.146.62, and 193.56.146.65 with gate /GtHODfM/qilZw/YjtK.php; domains telemetrysystemcollection.com and collectiontelemetrysystem.com; and version 3.0-related URLs hxxps://marle.io/check/updprofile.aspx and hxxps://mechiraz.com/cart/checkout/files/update_info.aspx. Infrastructure likely associated with Matanbuchus hosting also included treasurybanks.org, myfundsrecovery.org, maxrecovery.org, deptoftreasury.org, and usdatarecovery.org.


THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers.
BelialDemon

Matanbuchus, offered as part of malware-as-a-service, has been available on underground forums for a rental price of $2500 since February 2021. Recently, the CYFIRMA research team observed this malware reappear through spam campaigns.

via cyfirma.com
UNC4487

According to threat intelligence shared by Google Mandiant, UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

via thehackernews.com
Mora_001

The campaign, internally dubbed "FortiSync Quasar," revealed an evolution from ransomware operations to strategic espionage, deploying Matanbuchus 3.0, Astarion RAT, and SystemBC.

via blueteamsec (infosec.pub)
WIZARD SPIDER

...new malware strains such as ... Matanbuchus ...

via thehackernews.com
GrayBravo

“uses ClickFix techniques to deliver CastleLoader and Matanbuchus”

via ctoatncsc.substack.com
MITRE ATT&CK

Techniques & procedures

37 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

2 techniques
T1583.001 Domains (Evidence: 1)

In this blog we will identify 6 malicious domains that are likely hosting MatanBuchus malware... Unit42 shared details of a treasurybanks[.]org domain used in malicious ads targeting users looking for funds recovery services.

T1583.008 Malvertising (Evidence: 1)

Unit42 shared details of a treasurybanks[.]org domain used in malicious ads targeting users looking for funds recovery services.

Initial Access

4 techniques
T1189 Drive-by Compromise (Evidence: 1)

UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

T1566.001 Spearphishing Attachment (Evidence: 1)

Threat actors deliver this malicious HTML file to the user through spear-phishing techniques, such as a scanned document attached to the email.

T1566.002 Spearphishing Link (Evidence: 1)

Tertiary: Phishing email - traditional attachment/link delivery (historical, less common in v3.0 campaigns).

T1566.004 Spearphishing Voice (Evidence: 1)

Secondary: Microsoft Teams vishing - attacker calls via Teams impersonating IT helpdesk, convinces user to open Quick Assist, then instructs them to execute a script that downloads the loader MSI.

Execution

8 techniques
T1053.005 Scheduled Task (Evidence: 2)

The initial loader creates a working folder, where it downloads and saves the first-stage binary to use it as persistence to be run by the scheduled task... The loader doesn’t delete the scheduled task, which can indicate infection by Matanbuchus.

T1059.001 PowerShell (Evidence: 2)

The loader can also run a PS command using the same technique. It creates an instance of powershell.exe with the attacker’s command line.

T1059.003 Windows Command Shell (Evidence: 1)

The loader can also act like a bot and run CMD commands... creates an instance of cmd.exe with the extracted command line, e.g., C:\\Windows\\System32\\cmd.exe /c <cmd_from_c2>.

T1059.007 JavaScript (Evidence: 1)

This malware sample was written in a combination of HTML and JavaScript... the threat actor embedded the malicious zip file in the JavaScript in base64 format.

T1106 Native API (Evidence: 1)

"walking the Process Environment Block to locate ntdll.dll and resolve four native API functions by hash"; "All API access is routed through an internal hash dispatch function"

T1129 Shared Modules (Evidence: 1)

The executed routine will be one of the exported functions of the DLL... each command will load the DLL to memory and run another exported function of the downloaded payload, DllRegisterServer or DllInstall.

T1204 User Execution (Evidence: 1)

UNC4487 is a suspected espionage actor that has been observed compromising the websites of Ukrainian government entities to redirect and socially engineer targets to execute Matanbuchus or CHILLYHELL malware.

T1204.002 Malicious File (Evidence: 2)

Once the user clicks that attached file, this HTML drops the zip file in the Downloads folder... Upon execution of this MSI file, it shows the fake Adobe error message to the user while dropping the malicious DLL file in the background.

Persistence

2 techniques
T1053.005 Scheduled Task (Evidence: 2)

The initial loader creates a working folder, where it downloads and saves the first-stage binary to use it as persistence to be run by the scheduled task... The loader doesn’t delete the scheduled task, which can indicate infection by Matanbuchus.

T1136.002 Domain Account (Evidence: 1)

Created rogue domain accounts ... net user <rogue_account> <password> /add /domain

Privilege Escalation

2 techniques
T1053.005 Scheduled Task (Evidence: 2)

The initial loader creates a working folder, where it downloads and saves the first-stage binary to use it as persistence to be run by the scheduled task... The loader doesn’t delete the scheduled task, which can indicate infection by Matanbuchus.

T1548.002 Bypass User Account Control (Evidence: 1)

Matanbuchus downloads the payload and calls ShellExecuteExA... sets the lpVerb member to runas. This method will execute a given process with admin privileges.

Stealth

9 techniques
T1027 Obfuscated Files or Information (Evidence: 2)

The second stage is also obfuscated. Here, the strings are encrypted and obfuscated using different techniques of stack strings, and they are dynamically decrypted... most of the API calls are obfuscated... resolved dynamically... comparing the function names to the given fnv1a hash.

T1036 Masquerading (Evidence: 1)

"...drops a legitimate but vulnerable Zillya Antivirus binary alongside a malicious DLL into deceptive directories mimicking fake vendors like 'AegisLynx' or 'DocuRay'."

T1218.007 Msiexec (Evidence: 3)

After extraction, the dropped zip file is found to contain an MSI installer file... Upon execution of this MSI file... In the background, the MSI file creates the AdobeFontPack folder... followed by dropping two files: a DLL (main.dll) and a VBS script (notify.vbs).

T1218.010 Regsvr32 (Evidence: 2)

This MSI file loads the malicious DLL (main.dll) through regsvr32.exe with the arguments -n -i "install".

T1218.011 Rundll32 (Evidence: 1)

The loader executes DLLs by using the classic binary, Rundll32.exe... uses CreateProcessA to run rundll32.exe, which will run the final payload.

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

If this path exists, the malware will exit, which might be quite an odd check. We assume that this check tends to be an anti-sandbox trick for known and popular online sandbox services like Any.Run.

T1497.001 System Checks (Evidence: 3)

This DLL has anti-debugging capability; it checks for the presence of a debugger by calling APIs such as IsProcessorFeaturePresent(), IsDebuggerPresent() and QueryPerformanceCounter().

T1497.003 Time Based Checks (Evidence: 1)

This DLL has anti-debugging capability; it checks for the presence of a debugger by calling APIs such as IsProcessorFeaturePresent(), IsDebuggerPresent() and QueryPerformanceCounter().

T1620 Reflective Code Loading (Evidence: 3)

Run PE within memory... saves the binary only within memory... creates a new thread that runs the MemLoad function... loads it into memory, relocates it to a proper address, and then executes it from the entry point of the PE file.

Discovery

8 techniques
T1016 System Network Configuration Discovery (Evidence: 1)

The last part of the victim’s reconnaissance is to get the computer’s MAC address... calling... GetAdaptersInfo... holds the MAC address... The loader gets the name of the DNS domain of the local machine... reads the victim logon server’s name.

T1033 System Owner/User Discovery (Evidence: 1)

The loader first retrieves the network domain name associated with the victim user by calling ExpandEnvironmentStringsA with the environment variable of %USERDOMAIN%.

T1069 Permission Groups Discovery (Evidence: 1)

Matanbuchus uses a known technique to check whether the running process is running with administrator privileges... calls CheckTokenMembership with the created SID of the administrator group.

T1082 System Information Discovery (Evidence: 1)

The loader gathers information about the compromised machine to send to the C2 server... retrieves the network domain name... computer name... checks the privileges... gets the full path of the process... collects basic CPU information... checks if the machine architecture is 32-bit or 64-bit... gets the number of processors... reads the victim logon server’s name... gets the RAM size... gets the name of the DNS domain of the local machine.

T1497 Virtualization/Sandbox Evasion (Evidence: 1)

If this path exists, the malware will exit, which might be quite an odd check. We assume that this check tends to be an anti-sandbox trick for known and popular online sandbox services like Any.Run.

T1497.001 System Checks (Evidence: 3)

This DLL has anti-debugging capability; it checks for the presence of a debugger by calling APIs such as IsProcessorFeaturePresent(), IsDebuggerPresent() and QueryPerformanceCounter().

T1497.003 Time Based Checks (Evidence: 1)

This DLL has anti-debugging capability; it checks for the presence of a debugger by calling APIs such as IsProcessorFeaturePresent(), IsDebuggerPresent() and QueryPerformanceCounter().

T1518.001 Security Software Discovery (Evidence: 1)

Step 5 - C2 Registration + EDR Enumeration (T1071.001, T1518.001) | Malware | Main module registers with C2 via Protobuf-over-HTTPS ... Transmits: hostname, username, Windows version, domain, installed EDR products

Lateral Movement

2 techniques
T1021.002 SMB/Windows Admin Shares (Evidence: 1)

Step 8 - Lateral Movement (T1021.002, T1570) | Operator | Next-day return. PsExec to Windows Server → DC1 → DC2 in ~40 minutes.

T1570 Lateral Tool Transfer (Evidence: 1)

Step 8 - Lateral Movement (T1021.002, T1570) | Operator | Next-day return. PsExec to Windows Server → DC1 → DC2 in ~40 minutes.

Command and Control

4 techniques
T1001 Data Obfuscation (Evidence: 1)

The data sent to the C2 server is a base64 string of JSON data... JSON values are encrypted and then encoded with base64... The value for each key is encrypted with RC4 encryption and later encoded with base64.

T1071.001 Web Protocols (Evidence: 3)

This malicious DLL file establishes a connection to the C&C server and tries to download another piece of malware, a Cobalt Strike Beacon payload.

T1105 Ingress Tool Transfer (Evidence: 1)

Matanbuchus mainly downloads and executes different payloads like Qbot and Cobalt Strike beacons... It downloads the attacker’s payload from the given URL, saves it to the disk and executes it... the loader can download the attacker’s payload from any remote server like free hosting services.

T1132.001 Standard Encoding (Evidence: 1)

The threat actor embedded the malicious zip file in the JavaScript in base64 format... Threat actors use a customized decryption method to decrypt the malicious code... using a combination of two key pairs to generate one XOR key for decrypting the encrypted contents.

Other

1 technique
T1562.001 Disable or Modify Tools (Evidence: 1)

Created rogue domain accounts. Staged Defender exclusions (Set-MpPreference -ExclusionPath).

INDICATORS OF COMPROMISE

IOCs tracked for this family

185 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (41 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Hashes (33 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other (111 tracked)

Other indicator types observed in public reporting.

ACTIVITY FEED

Recent activity

32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

ShroudCloud (News)
Apr 14, 2026
Matanbuchus - ShroudCloud

A premium C++ malware loader sold as MaaS that performs adaptive payload delivery by enumerating installed EDR products, reporting them to C2, and allowing operators to choose execution methods accordingly. It supports multiple payload formats, uses Protobuf-over-HTTPS with ChaCha20 encryption, employs Heaven's Gate and DLL sideloading for evasion, and has delivered RATs, stealers, Cobalt Strike, and unspecified ransomware.

The Hacker News (News)
Feb 20, 2026
ClickFix Campaign Abuses Compromised Sites to Deploy MIMICRAT RAT

Loader used in a related ClickFix campaign to deliver MIMICRAT.

The Hacker News (News)
Feb 19, 2026
ThreatsDay Bulletin: OpenSSL RCE, Foxit 0-Days, Copilot Leak, AI Password Flaws & 20+ Stories

Malware-as-a-service loader delivered via ClickFix campaigns; used as a foothold to rapidly progress to lateral movement and domain controller access, with the stated objective to deploy ransomware or exfiltrate data.

Cyber Security News (News)
Feb 18, 2026
Matanbuchus 3.0 Returns with ClickFix Social Engineering and Silent MSI Installations to Deploy AstarionRAT

A premium MaaS loader used for high-value targeted intrusions. In this campaign it is delivered via the ClickFix social-engineering technique (users tricked into running PowerShell/Run commands), then uses an msiexec-based chain with DLL sideloading (via a legitimate but vulnerable Zillya Antivirus binary) and staged extraction/decryption to ultimately execute the next-stage payload in memory.
