A dangerous new malware loader called Matanbuchus 3.0 has just been discovered in the wild. This upgraded version is being used to silently install ransomware and other harmful tools on systems. It is not just a tweak: the loader has been completely rewritten from scratch, making it more powerful, more stealthy, and harder to detect.

Matanbuchus has been around since 2021, offered as a malware-as-a-service (MaaS) tool on underground forums. But version 3.0 is the biggest upgrade yet. According to cybersecurity researchers at Morphisec, the new variant has advanced features designed for attackers who want precision and control in targeted attacks.

One recent real-world case showed how Matanbuchus 3.0 is used in a social engineering scheme. Attackers contacted a victim through a Microsoft Teams call, tricking them into opening Quick Assist, Microsoft’s remote support app. From there, they executed a PowerShell script that downloaded a ZIP file containing the loader hidden inside a fake Notepad++ updater.

The loader, once activated, can now support multiple payload formats such as EXE, DLL, MSI, and even raw shellcode. It can execute the malware using command shells, WMI (Windows Management Instrumentation), or PowerShell. This flexibility allows attackers to tailor their attacks based on the victim’s environment.

What makes Matanbuchus 3.0 especially dangerous is its ability to operate fully in-memory. That means it doesn’t write anything suspicious to disk, making it much harder for antivirus software to catch. It also checks the system for tools like Microsoft Defender, SentinelOne, or CrowdStrike and adjusts its behavior to avoid detection.

Even its communication methods have leveled up. The loader can now use DNS-based command-and-control (C2) in the premium version, which costs attackers around $15,000/month. A cheaper version at $10,000/month uses standard HTTPS. Using DNS helps the malware fly under the radar, as DNS traffic often goes unchecked in many corporate networks.

Once inside a system, Matanbuchus 3.0 collects system info, checks what defenses are present, and then downloads additional payloads. While no specific ransomware has been publicly tied to this loader yet, experts believe it’s built to support targeted ransomware campaigns.

This is not a random, wide-scale malware campaign. Matanbuchus 3.0 is designed to hit high-value industries, like finance, law firms, real estate, and healthcare. Its creators clearly expect it to be used by professional hackers who target organizations with the goal of stealing data or demanding large ransoms.

Cybersecurity researchers emphasize how the loader’s professional features, clean code, and stealth tactics point to a serious upgrade in the loader-for-hire market. Companies are being urged to treat any unexpected support calls, especially those asking for Quick Assist or PowerShell access, as suspicious. Employee training and endpoint protection are now more important than ever.

To sum it up, Matanbuchus 3.0 isn’t just another piece of malware. It’s a well-crafted tool built for stealth, precision, and professional exploitation. The fact that it’s available for rent on the dark web shows how dangerous the malware-as-a-service economy has become. Defenders need to stay alert and treat social engineering as the real first line of attack.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news