Matanbuchus, a premium Malware-as-a-Service loader, has resurfaced in February 2026 following a nearly year-long hiatus.
This latest iteration, version 3.0, features a complete code rewrite and now commands a subscription fee of up to $15,000 per month, a stark increase from its original pricing.
This shift signals a focus on high-value targeted operations rather than mass spam campaigns.
The malware leverages the persistent “ClickFix” social engineering tactic, which tricks users into manually executing malicious commands under the guise of resolving fake browser errors or software updates.
The attack vector bypasses traditional security controls by manipulating human trust rather than exploiting software vulnerabilities.
Victims are presented with deceptive prompts instructing them to copy and paste specific PowerShell or Run dialog commands.
The URL in the pasted command is deliberately written with backslashes and path traversal sequences, a formatting trick that can defeat logging and URL matching that expects a normal forward-slash path.
Since the user technically initiates the process, many standard email and perimeter defenses are evaded. Once executed, the command triggers a silent installation process that operates without any visible user interface.
Huntress analysts identified that this campaign delivers a previously unseen payload dubbed AstarionRAT immediately following the infection.
This custom remote access trojan is equipped with twenty-four distinct commands, including credential theft and SOCKS5 proxying.
The impact is often immediate, with operators moving laterally across the network within forty minutes to target domain controllers.
The ultimate goal appears to be ransomware deployment or data exfiltration, making early detection critical for enterprise security teams.
The Silent Infection Chain
The infection mechanism is deeply layered to evade automated detection. It begins when the victim executes a mixed-case msiexec command that fetches a payload from a newly registered domain.
Upon execution, the installer drops a legitimate Zillya Antivirus binary that is susceptible to DLL side-loading, together with a malicious DLL, into directories named after fictitious vendors such as “AegisLynx” or “DocuRay”.
To further mask its activities, the malware utilizes a renamed version of the 7-Zip utility to extract a password-protected archive containing the next stage components.
The malicious DLL is then side-loaded by the antivirus engine to decrypt the Matanbuchus loader.
This complex chain eventually launches an embedded Lua interpreter which executes the final AstarionRAT payload directly into memory, leaving minimal forensic artifacts on the disk for investigators to find.
Security teams should configure endpoint detection to flag msiexec invocations whose executable name is written in unusual mixed case, or whose arguments contain a URL, particularly one with backslashes or traversal sequences.
It is also critical to monitor for the creation of unfamiliar vendor-named directories under %APPDATA% and to check network connections against domain registration age. Finally, train employees never to paste commands from a web page into the Run dialog or a terminal.

