Threat actors are increasingly abusing the Matanbuchus malicious downloader as a key enabler for hands-on-keyboard ransomware operations, using its backdoor-like capabilities to deliver secondary payloads, move laterally, and maintain long-term persistence on compromised systems.
Initially observed in 2020 and offered as Malware-as-a-Service (MaaS), Matanbuchus has steadily evolved, with version 3.0 identified in the wild in July 2025, introducing more sophisticated network serialization and encryption features.
Matanbuchus is written in C++ and primarily functions as a downloader and backdoor, designed to fetch and execute additional payloads.
It consists of two main components: a dedicated downloader module and a main module. The downloader retrieves and launches the main module, which, in turn, provides a flexible command-and-control (C2) framework that enables threat actors to execute binaries, scripts, shellcode, and even .NET payloads directly in memory.
This flexibility has made Matanbuchus increasingly attractive to ransomware operators seeking reliable initial access tooling and post-exploitation control.
Recent activity observed by Zscaler ThreatLabz highlights a campaign in which attackers used Microsoft’s Quick Assist, likely combined with social engineering, to gain remote access to victim systems.
Once access was established, the threat actor executed a malicious Microsoft Installer (MSI) package from a compromised domain, which delivered an executable that sideloaded a malicious DLL.
This DLL acted as the Matanbuchus downloader, pulling the main module from a remote C2 endpoint. ThreatLabz assesses with medium confidence that these actions were part of a broader ransomware deployment chain.
Overview of Matanbuchus Malware
Matanbuchus employs extensive obfuscation and anti-analysis mechanisms to evade detection and hinder reverse engineering.
Strings are stored in encrypted form and decrypted at runtime using the ChaCha20 stream cipher, with encrypted strings and metadata organized in dedicated arrays.
Windows API functions are resolved dynamically via MurmurHash-based hashing, and the codebase is interspersed with junk instructions to frustrate static analysis.
The downloader further incorporates long-running “busy” loops to delay execution by several minutes, attempting to run past typical sandbox timeouts.
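As an added illustration of how an analyst undoes API hashing of the kind described above, the following script (written for this page, not ThreatLabz's or the malware's own code) precomputes hashes for a list of export names and resolves hash constants pulled out of a sample back to readable imports. The MurmurHash3 x86 32-bit variant, the seed value 0 and the candidate API list are assumptions; the article does not state which MurmurHash variant or seed Matanbuchus uses, so an analyst would swap in the variant recovered from the binary.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, the public-domain reference algorithm (assumed variant)."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    n = len(data)
    body_len = n - (n % 4)
    # Body: mix every full 4-byte little-endian word into the hash state.
    for i in range(0, body_len, 4):
        k = struct.unpack_from("<I", data, i)[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    # Tail: the 0-3 leftover bytes are mixed without the h-side rotation.
    tail = data[body_len:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    # Finalisation (fmix32) avalanches the length and remaining state.
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


# Constructed candidate list. In practice this is produced by dumping the export
# tables of the DLLs the sample is known to load (kernel32, winhttp, ...).
CANDIDATE_APIS = [
    "VirtualAlloc", "VirtualProtect", "CreateThread", "LoadLibraryA",
    "GetProcAddress", "WinHttpOpen", "WinHttpSendRequest", "CreateProcessW",
]


def build_hash_table(names, seed=0):
    """Precompute hash -> name so constants found in the binary can be looked up."""
    return {murmur3_32(name.encode("ascii"), seed): name for name in names}


def resolve(hashes, table):
    """Map each hash constant extracted from the sample to a name, or None if unknown."""
    return [table.get(h) for h in hashes]


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    # Constructed input standing in for constants pulled from a disassembly.
    found = [murmur3_32(b"VirtualAlloc"), murmur3_32(b"CreateThread"), 0xDEADBEEF]
    print(resolve(found, table))
```

Because the hash is one-way, resolution only works for names in the candidate list; an unresolved constant usually means the export table of the right DLL has not been fed in yet, or the sample uses a different variant or seed.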
Network communication is equally hardened. The downloader includes embedded encrypted shellcode that is decrypted using a brute-force known-plaintext technique against ChaCha20 keys constructed from a decrementing integer seed.

Once decrypted, this shellcode downloads the main module over HTTPS and decrypts it using ChaCha20, chunked in blocks to process large payloads efficiently.
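To make the two decryption steps above concrete (the seed-driven known-plaintext search for the shellcode key, and the chunked ChaCha20 decryption of the main module), here is an added analyst-side reimplementation written for this page; it is not ThreatLabz's tooling or code from the malware. The seed-to-key mapping (SHA-256 of the little-endian seed), the fixed zero nonce, the known plaintext prefix and the sample payload are all constructed assumptions, since the article does not document how the key is actually built from the seed. ChaCha20 itself follows RFC 8439.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) | (v >> (32 - c))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439, 32-byte key, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK32)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation) starting at the given block counter."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, counter + i // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[i:i + 64], ks))
    return bytes(out)


def derive_key(seed):
    # Hypothetical seed-to-key mapping; the real construction must be lifted
    # from the downloader's decryption routine.
    return hashlib.sha256(struct.pack("<I", seed)).digest()


def recover_seed(ciphertext, nonce, known_prefix, start_seed):
    """Walk the integer seed downward, as the downloader does, and accept the
    first candidate whose key decrypts the leading block to the known prefix."""
    for seed in range(start_seed, -1, -1):
        key = derive_key(seed)
        head = chacha20_xor(key, nonce, ciphertext[:64])
        if head[:len(known_prefix)] == known_prefix:
            return seed, key
    return None, None


def decrypt_chunked(key, nonce, data, chunk_size=4096):
    """Decrypt a large blob chunk by chunk while keeping the block counter
    continuous; restarting the counter per chunk is the classic mistake."""
    assert chunk_size % 64 == 0
    out = bytearray()
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        out += chacha20_xor(key, nonce, chunk, counter=offset // 64)
    return bytes(out)


# Constructed sample: a stand-in payload with a known 8-byte prefix, encrypted
# under a key derived from a seed the analyst does not know in advance.
KNOWN_PREFIX = b"\x90" * 8          # constructed known plaintext
NONCE = b"\x00" * 12                # assumed fixed nonce
TRUE_SEED = 1337                    # constructed


def build_constructed_sample(seed=TRUE_SEED):
    payload = KNOWN_PREFIX + bytes(range(256)) * 20   # > 4096 bytes, crosses a chunk boundary
    return payload, chacha20_xor(derive_key(seed), NONCE, payload)


if __name__ == "__main__":
    payload, blob = build_constructed_sample()
    seed, key = recover_seed(blob, NONCE, KNOWN_PREFIX, start_seed=1500)
    print("recovered seed:", seed, "payload ok:", decrypt_chunked(key, NONCE, blob) == payload)
```

The search only needs to decrypt the first 64-byte block per candidate, which is why a seed space walked by decrementing an integer is cheap for the malware and equally cheap for an analyst replaying it; once the seed is known, the whole payload is decrypted with the continuous-counter chunked routine.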
With version 3.0, Matanbuchus adopted Protocol Buffers (Protobufs) to serialize its C2 messages, wrapping encrypted Protobuf data in custom packets that prepend a random key and nonce for each request.
After deployment, the main module registers the compromised host with the C2 server, exfiltrating host and user information, including hostname, username, Windows version and domain, installed security products (such as EDR and XDR solutions), OS architecture, and privilege level.
It then writes a registry marker under the current user hive to track registration state and establishes persistence by executing C2-delivered shellcode that creates a scheduled task named “Update Tracker Task.”

This task launches msiexec.exe with parameters pointing to a randomly named copy of the malware stored in a uniquely generated directory under the APPDATA folder, tied to the system’s volume serial number.
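The persistence mechanism just described gives a defender two stable observables: the task name and msiexec being pointed at an .msi inside a user's AppData tree. The following hunting snippet is an added example written for this page (not ThreatLabz's detection content) that classifies constructed process-creation and scheduled-task-creation records against those two traits. The event shape and the sample records are constructed; only the task name "Update Tracker Task" and the msiexec/APPDATA pattern come from the article.

```python
import re

# Constructed telemetry in the shape a SIEM would return: process creations
# (image + command line) and scheduled-task creations (task name + action).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\AppData\Roaming\7f3a9c12\kq3zv.msi" /qn'},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\ProgramData\Vendor\agent-setup.msi" /qn'},
    {"type": "task", "name": "Update Tracker Task",
     "action": r"C:\Windows\System32\msiexec.exe /i C:\Users\alice\AppData\Roaming\7f3a9c12\kq3zv.msi /qn"},
    {"type": "task", "name": "Adobe Acrobat Update Task",
     "action": r"C:\Program Files\Adobe\updater.exe"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\AppData\Local\Temp\installer.msi"'},
]

# An .msi anywhere under AppData\Roaming or AppData\Local, except the Local\Temp
# staging directory that legitimate installers routinely use.
APPDATA_MSI = re.compile(r"\\AppData\\(Roaming|Local)\\(?!Temp\\).*\.msi\b", re.IGNORECASE)

# Task name reported in the article; compared case-insensitively.
KNOWN_TASK_NAMES = {"update tracker task"}


def classify(event):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    if event["type"] == "process":
        if event["image"].lower().endswith("\\msiexec.exe") and APPDATA_MSI.search(event["cmdline"]):
            reasons.append("msiexec installing an .msi from a user AppData directory")
    elif event["type"] == "task":
        if event["name"].strip().lower() in KNOWN_TASK_NAMES:
            reasons.append("task name matches the reported Matanbuchus persistence task")
        if "msiexec" in event["action"].lower() and APPDATA_MSI.search(event["action"]):
            reasons.append("scheduled task runs msiexec against an .msi under AppData")
    return reasons


def hunt(events):
    """Return (index, reasons) for every event that triggers at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, why in hunt(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", "; ".join(why))
```

The directory name is derived from the volume serial number and the file name is random, so neither is worth a signature; the rule keys on the location (an .msi executed from AppData) and on the task name, and the task rule fires on the action path even if the operators rename the task.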
From there, Matanbuchus acts as a full-featured backdoor. It supports commands to download and run EXEs, DLLs, MSI packages, and shellcode; enumerate processes, services, software, and Windows updates; run system commands via CMD, PowerShell, or WMI; and even terminate itself.
ThreatLabz has also documented campaigns where Matanbuchus was used to distribute the Rhadamanthys information stealer and the NetSupport RAT, underscoring its role as a versatile delivery platform.
Coupled with observed hands-on-keyboard activity and a growing association with ransomware affiliates, Matanbuchus represents a mature, evolving MaaS capability that significantly lowers the barrier for conducting complex intrusion and extortion operations.
Indicators Of Compromise (IOCs)
| Indicator | Description |
|---|---|
| 92a2e2a124a106af33993828fb0d4cdffd9dac8790169774d672c30747769455 | SHA256 of the Matanbuchus MSI package |
| 6246801035e053df2053b2dc28f4e76e3595fb62fdd02b5a50d9a2ed3796b153 | SHA256 of the legitimate executable (HRUpdate.exe) used to sideload the downloader module |
| 3ac90c071d143c3240974618d395fa3c5228904c8bf0a89a49f8c01cd7777421 | SHA256 of the Matanbuchus downloader module |
| 77a53dc757fdf381d3906ab256b74ad3cdb7628261c58a62bcc9c6ca605307ba | SHA256 of the Matanbuchus main module |
| gpa-cro[.]com | Domain hosting the malicious MSI file |
| mechiraz[.]com | Matanbuchus C2 server |