The Matanbuchus malware loader is being distributed through social engineering over Microsoft Teams calls in which the attacker impersonates an IT helpdesk.

Microsoft Teams has been abused over the past years to breach organizations, using social engineering to deliver the first-stage malware. In 2023, a researcher created a specialized tool that exploited bugs in the software to allow malware delivery from external accounts. Last year, DarkGate malware operators abused Microsoft Teams to deliver their loader onto targets who used lax 'External Access' settings.

Researchers at endpoint threat prevention company Morphisec found that the latest analyzed version of Matanbuchus includes enhanced evasion, obfuscation, and post-compromise capabilities. According to Morphisec, operators of the latest Matanbuchus variant, 3.0, also show a preference for Microsoft Teams for initial access. The attacker initiates an external Microsoft Teams call, posing as a legitimate IT helpdesk, and convinces the target to launch Quick Assist, the remote support tool built into Windows.

Instead of calling Windows API functions, the malware now executes syscalls via custom shellcode that bypasses the Windows API wrappers and EDR hooks, hiding actions that are commonly monitored by security tools. The malware collects details such as username, domain, OS build information, running EDR/AV processes, and the elevation status of its process (admin or regular user).

In June 2022, threat analyst Brad Duncan reported that the malware loader was being used to deliver Cobalt Strike beacons in a large-scale malspam campaign.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
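A defender-side audit of the two conditions this intrusion chain depends on, open Teams External Access and Quick Assist being available on endpoints, as an added PowerShell example that is not part of the article or of Morphisec's research. It assumes the MicrosoftTeams module is installed with an active Connect-MicrosoftTeams admin session for the first function, and that process-creation auditing (Security Event ID 4688) is enabled for the second.

```powershell
# Added example, not from the BleepingComputer article or Morphisec's analysis.
# Assumes: MicrosoftTeams module + Connect-MicrosoftTeams already run (Teams admin),
# and 'Audit Process Creation' enabled so Event ID 4688 is recorded.

function Test-TeamsExternalAccess {
    # Tenant-wide federation settings decide who outside the organization can
    # start a call or chat with staff, which is the entry point described above.
    $cfg = Get-CsTenantFederationConfiguration
    $findings = @()
    if ($cfg.AllowPublicUsers) {
        $findings += 'AllowPublicUsers is enabled: Skype consumer accounts can reach staff'
    }
    if ($cfg.AllowTeamsConsumer) {
        $findings += 'AllowTeamsConsumer is enabled: personal Teams accounts can reach staff'
    }
    if ($cfg.AllowFederatedUsers) {
        # Open federation lets any external tenant call in; an explicit allowlist
        # (AllowedDomains) or blocklist (BlockedDomains) narrows that exposure.
        $findings += "AllowFederatedUsers is enabled; review AllowedDomains: $($cfg.AllowedDomains)"
    }
    [pscustomobject]@{ Configuration = $cfg; Findings = $findings }
}

function Get-QuickAssistExposure {
    # Quick Assist ships as a Store (Appx) package. Report whether it is present
    # for any user on this host and list launches recorded in the last 7 days.
    $pkgs = Get-AppxPackage -Name 'MicrosoftCorporationII.QuickAssist' -AllUsers -ErrorAction SilentlyContinue
    $since = (Get-Date).AddDays(-7)
    $launches = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
        # In 4688, Properties[1] is SubjectUserName and Properties[5] is NewProcessName.
        Where-Object { $_.Properties[5].Value -like '*QuickAssist.exe' } |
        Select-Object TimeCreated,
                      @{ Name = 'User';    Expression = { $_.Properties[1].Value } },
                      @{ Name = 'Process'; Expression = { $_.Properties[5].Value } }
    [pscustomobject]@{
        Installed      = [bool]$pkgs
        InstalledFor   = $pkgs.PackageUserInformation
        RecentLaunches = $launches
    }
}

# Run both checks; a non-empty Findings list or unexpected launches deserve follow-up.
Test-TeamsExternalAccess | Select-Object -ExpandProperty Findings
Get-QuickAssistExposure
```

Where Quick Assist is not needed, removing the package or blocking it with AppLocker closes the second half of the chain, while the first function's findings map directly onto the External Access settings the article says DarkGate operators abused.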
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 17 Jul 2025 21:30:14 +0000