A cyberattack campaign that emerged in July 2025 weaponizes Microsoft Teams calls to deploy the latest iteration of the Matanbuchus malware loader. Matanbuchus is a loader, not ransomware in itself: it is designed primarily to download and execute secondary payloads on compromised Windows systems, serving as an entry point for intrusions that frequently culminate in ransomware deployment. The attack begins with adversaries impersonating IT helpdesk personnel through external Teams calls, using social engineering to convince employees to execute malicious scripts. During these fraudulent support sessions, the attackers activate Quick Assist and instruct victims to run PowerShell commands that ultimately deploy the Matanbuchus 3.0 loader, a significant evolution in the malware's delivery mechanism. Quick Assist is a legitimate Microsoft remote assistance tool, so its use lends apparent legitimacy to the attackers' presence on the victim's machine while giving them the access they need to deploy their payloads. The campaign illustrates how ransomware delivery is evolving: traditional email-based phishing is being supplemented by direct voice contact over trusted business platforms. The latest version of the loader also introduces improved communication protocols, enhanced obfuscation, and system reconnaissance features that let the operators tailor follow-on attacks to the victim's security infrastructure. The combination of social engineering through Teams calls and the technical sophistication of Matanbuchus 3.0 creates a formidable threat that can bypass security awareness training and technical controls built around email phishing.
Morphisec analysts identified this campaign during active monitoring of their customer environments, intercepting the HTTP variant of Matanbuchus 3.0 before it was publicly advertised on underground forums. Because the interception preceded the malware's public release, the researchers suggest that the adversaries were distributing the HTTP loader within trusted circles or using it in their own operations. Victims receive seemingly authentic IT support calls through Microsoft Teams, creating an environment of trust that makes them willing to follow malicious instructions; the methodology represents a concerning shift toward abusing legitimate business communication platforms. The loader's command-and-control communication is built to evade network detection by impersonating legitimate Skype desktop traffic: it uses the user agent string Skype/8.69.0.77 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 to blend with normal traffic while communicating with the C2 server at nicewk[.]com over port 443. Upon successful initial infection, the loader establishes persistence through the Windows Task Scheduler, driving it through COM manipulation and shellcode execution to create a scheduled task named "EventLogBackupTask" that runs every five minutes, which keeps the implant resident and its C2 channel alive. Since the user agent is chosen to look like a real client, the practical detection signal is the mismatch between a Skype user agent and a destination that is not a Microsoft or Skype endpoint, combined with the regular five-minute beaconing cadence.
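The following is an added example, not code from the article or from Morphisec, showing how a defender might hunt for the two indicators described above in offline data: Skype user agents that talk to hosts outside the Skype/Microsoft namespace (including the reported C2 domain), and scheduled tasks that repeat at the reported five-minute cadence or carry the reported task name. The proxy log format, the list of expected Skype hosts, the trusted-path assumptions and all sample data (log lines and Task Scheduler XML) are constructed for the example.

```python
"""Added example (not from the article or from Morphisec): an offline hunt for
the Matanbuchus 3.0 network and persistence indicators described above, run
over constructed sample data (proxy log lines and Task Scheduler XML)."""
import re
import xml.etree.ElementTree as ET

# Indicators as reported in the article.
C2_DOMAIN = "nicewk.com"
SKYPE_UA = ("Skype/8.69.0.77 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")
TASK_NAME = "EventLogBackupTask"

# Assumption: hosts a genuine Skype desktop client is expected to talk to.
# Not a complete list; tune it for your environment.
EXPECTED_SKYPE_SUFFIXES = (".skype.com", ".live.com", ".microsoft.com",
                           ".trafficmanager.net")

# Constructed proxy log format: <timestamp> <src_ip> <dst_host>:<port> "<user_agent>"
PROXY_LINE = re.compile(r'^(\S+) (\S+) (\S+):(\d+) "(.*)"$')
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def flag_proxy_lines(lines):
    """Return (line_no, reason) for traffic to the known C2 and for any Skype
    user agent talking to a host outside the expected Skype/Microsoft names.
    The UA itself is built to look legitimate, so the mismatch is the signal."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = PROXY_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        _ts, _src, host, _port, ua = m.groups()
        host = host.lower()
        if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
            hits.append((n, f"known C2 domain {host}"))
        elif ua.startswith("Skype/") and not host.endswith(EXPECTED_SKYPE_SUFFIXES):
            tag = "exact Matanbuchus 3.0 UA" if ua == SKYPE_UA else "Skype UA"
            hits.append((n, f"{tag} to non-Skype host {host}"))
    return hits


def duration_seconds(text):
    """Parse the ISO 8601 durations Task Scheduler uses (PT5M, PT1H, P1D)."""
    m = ISO_DURATION.match(text or "")
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def flag_tasks(xml_docs, max_interval=300):
    """Return (task_name, reasons) for tasks that match the reported name or
    repeat at least as often as the reported five-minute cadence."""
    hits = []
    for doc in xml_docs:
        root = ET.fromstring(doc)
        uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
        name = uri.rsplit("\\", 1)[-1]
        intervals = [duration_seconds(i.text)
                     for i in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
        reasons = []
        if name == TASK_NAME:
            reasons.append("known task name")
        if any(i is not None and i <= max_interval for i in intervals):
            reasons.append(f"repeats every {max_interval}s or faster")
        if reasons:
            hits.append((name, reasons))
    return hits


# Constructed sample data (not captured from a real infection).
SAMPLE_PROXY_LINES = [
    f'2025-07-16T10:00:01Z 10.0.0.5 www.skype.com:443 "{SKYPE_UA}"',
    f'2025-07-16T10:00:07Z 10.0.0.5 nicewk.com:443 "{SKYPE_UA}"',
    f'2025-07-16T10:05:07Z 10.0.0.5 cdn.example.org:443 "{SKYPE_UA}"',
    '2025-07-16T10:06:00Z 10.0.0.9 www.skype.com:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]
SAMPLE_TASKS = [
    # Constructed task mimicking the reported name and cadence; the action path is a placeholder.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\EventLogBackupTask</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2025-07-16T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Users\Public\update.exe</Command></Exec></Actions>
</Task>""",
    # Constructed benign task with a daily calendar trigger and no repetition.
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-07-16T01:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command></Exec></Actions>
</Task>""",
]

if __name__ == "__main__":
    for hit in flag_proxy_lines(SAMPLE_PROXY_LINES):
        print("proxy", hit)
    for hit in flag_tasks(SAMPLE_TASKS):
        print("task", hit)
```

On real data, feed `flag_tasks` the output of `schtasks /query /xml` per task and `flag_proxy_lines` whatever your proxy emits after mapping it to the constructed format; lower `max_interval` if five-minute tasks are common in your estate and rely on the name plus the UA mismatch instead.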
The loader DLL is launched through regsvr32 with the -e, -n and -i:"user" parameters. This technique is particularly evasive: the -e parameter executes silently while suppressing errors, the -n parameter allows the loader to run without modifying the registry (regsvr32 does not call DllRegisterServer, so no COM registration is written), and the -i:"user" parameter automatically triggers the exported DllInstall function with "user" as its argument. The result is that the DLL's code runs under a signed Microsoft binary without any of the registry side effects that a conventional DLL registration would leave behind.
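As an added example, not code from the article or from Morphisec, the block below parses regsvr32 command lines as they would appear in process-creation telemetry and flags the -n plus -i DllInstall pattern described above. The trusted-path list, the decision rule and the sample command lines are all constructed for the example.

```python
"""Added example (not from the article or from Morphisec): parse regsvr32
command lines from process-creation telemetry and flag the -n/-i DllInstall
pattern described above. Sample command lines below are constructed."""
import re
import shlex

SWITCH = re.compile(r"^[-/]([A-Za-z])(?::(.*))?$")  # regsvr32 accepts / or - prefixes
# Assumption: where legitimately registered DLLs normally live on this host.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def parse_regsvr32(cmdline):
    """Split a Windows command line and return (switches, dll_path) if the
    image is regsvr32, else None. Switch letters are lower-cased and the
    value after -i: is unquoted."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keeps Windows quoting and backslashes intact
    except ValueError:
        return None
    if not argv:
        return None
    image = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in ("regsvr32", "regsvr32.exe"):
        return None
    switches, dll = {}, None
    for arg in argv[1:]:
        m = SWITCH.match(arg)
        if m:
            switches[m.group(1).lower()] = (m.group(2) or "").strip('"')
        else:
            dll = arg.strip('"')
    return switches, dll


def assess_regsvr32(cmdline):
    """Return a verdict dict for a regsvr32 invocation, or None if the
    command line is not regsvr32 at all."""
    parsed = parse_regsvr32(cmdline)
    if parsed is None:
        return None
    switches, dll = parsed
    untrusted = bool(dll) and not dll.lower().startswith(TRUSTED_PREFIXES)
    reasons = []
    if "i" in switches:
        arg = switches["i"]
        reasons.append("DllInstall invoked via /i" + (f' with argument "{arg}"' if arg else ""))
    if "n" in switches:
        reasons.append("DllRegisterServer skipped via /n, so no COM registration is written")
    if "s" in switches or "e" in switches:
        reasons.append("silent switch present (/s is documented; -e as reported in the article)")
    if untrusted:
        reasons.append(f"DLL outside trusted paths: {dll}")
    # /n is only meaningful with /i; together they execute DLL code without registering anything.
    suspicious = "i" in switches and ("n" in switches or untrusted)
    return {"dll": dll, "switches": switches, "reasons": reasons, "suspicious": suspicious}


# Constructed sample process-creation command lines (the DLL path is a placeholder).
SAMPLE_CMDLINES = [
    'regsvr32 -e -n -i:"user" C:\\Users\\Public\\loader.dll',
    'C:\\Windows\\System32\\regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"',
    "powershell.exe -nop -w hidden -c whoami",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(assess_regsvr32(line))
```

The parser accepts both the `/` and `-` switch prefixes and mixed case, because regsvr32 does, and a detection keyed only on the literal string `/i:` would miss the `-i:"user"` form reported here.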
Author bio: Tushar is a cyber security content editor with years of experience covering cyber security news and technology. This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 16 Jul 2025 18:40:19 +0000