Matanbuchus is a malicious C++-based downloader that has been sold as Malware-as-a-Service (MaaS) since 2020.
Initially known as a simple loader for second-stage payloads, it has steadily evolved into a flexible backdoor platform that is increasingly tied to ransomware operations.
In July 2025, researchers observed Matanbuchus version 3.0 in the wild, featuring redesigned components, stronger obfuscation, and a new use of Protocol Buffers (Protobuf) for command-and-control (C2) traffic.
At a high level, Matanbuchus consists of two core components: a downloader module and a main module.
Together, these enable threat actors to deploy additional payloads, maintain persistence, and conduct hands-on-keyboard activity via shell commands. Its constant evolution and component changes make it harder for traditional antivirus and static detection to keep pace.
In recent attacks analyzed by Zscaler ThreatLabz, operators did not rely solely on automated delivery chains. Instead, they combined social engineering and built-in Windows tools to deploy Matanbuchus manually.
The attack typically begins with the misuse of Microsoft’s Quick Assist remote support feature. By convincing a victim to grant access, the threat actor gains an interactive session on the target system.
From there, they use the command line to download and execute a malicious MSI installer from a compromised domain (gpa-cro[.]com). This MSI drops an executable named HRUpdate.exe, which is abused for DLL sideloading.
The sideloaded DLL is the Matanbuchus downloader module. Once loaded into the HRUpdate.exe process, it retrieves the main Matanbuchus module from a hardcoded C2 URL (mechiraz[.]com/cart/checkout/files/update_info.aspx).
ThreatLabz assesses with medium confidence that such intrusion chains are often staged to lead into full ransomware deployment inside the victim environment.
Obfuscation and anti-analysis
Matanbuchus 3.0 invests heavily in obfuscation and anti-analysis, making static and automated detection difficult.
Both the downloader and main modules store strings in encrypted form using the ChaCha20 stream cipher. Two arrays are used: one holding the encrypted strings and another describing each string’s index and size.
A shared key and nonce, stored in the first 44 bytes of the encrypted-string array (a 32-byte ChaCha20 key followed by a 12-byte nonce), are used to decrypt strings at runtime. This design keeps sensitive artifacts such as URLs, process names, and API names hidden from simple signature-based scanners.
Instead of importing Windows APIs directly, Matanbuchus resolves functions dynamically using the MurmurHash algorithm.
By hashing API names and looking them up at runtime, it avoids clearly readable imports in the binary, a common heuristic for endpoint security products.
To further frustrate analysis, the code is cluttered with junk instructions and long-running “busy” loops. These loops delay real malicious activity for several minutes, increasing the chance that sandbox systems with short analysis timeouts will miss its behavior.

The combination of junk code, runtime decryption, and delayed execution allows Matanbuchus to slip past many automated detection workflows.
The downloader module hides an embedded, encrypted shellcode responsible for fetching and executing the main module. It uses a brute-force known-plaintext attack to unlock this shellcode, iterating from the integer value 99999999 downward.
Each integer is converted into an 8-byte string and prepended to a 24-byte hardcoded value to build a 32-byte ChaCha20 key, paired with a fixed 12-byte nonce.
The decrypted result is compared against a known 21-byte plaintext sequence; only when it matches does execution continue.
Once decrypted, the shellcode downloads the main module over HTTPS from a hardcoded C2 and decrypts the payload using ChaCha20.
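As an added example (not code from the article or from the Zscaler report), the ChaCha20 handling described above in pure Python so it runs offline: a minimal RFC 8439 ChaCha20, the string-table decryption from the obfuscation section, and the downward key search that unlocks the embedded shellcode. The 24-byte key tail, nonce, 21-byte marker and ciphertext are constructed stand-ins; zero-padding the 8-digit counter and resetting the block counter per string are assumptions, not details from the report.

```python
import struct

MASK = 0xFFFFFFFF

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def _qr(s, a, b, c, d):
    # ChaCha quarter round, in place on the 16-word state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    # RFC 8439 state: 16-byte constant | 32-byte key | 32-bit counter | 12-byte nonce
    init = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    s = init[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        _qr(s, 0, 4, 8, 12); _qr(s, 1, 5, 9, 13); _qr(s, 2, 6, 10, 14); _qr(s, 3, 7, 11, 15)
        _qr(s, 0, 5, 10, 15); _qr(s, 1, 6, 11, 12); _qr(s, 2, 7, 8, 13); _qr(s, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(s, init)])

def chacha20_xor(key, nonce, data, counter=0):
    out = bytearray()  # stream cipher: the same XOR encrypts and decrypts
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], ks))
    return bytes(out)

def decrypt_string_table(table, index):
    # Assumption: bytes 0..31 are the shared key, 32..43 the nonce, and every (offset, size)
    # entry of the index array is decrypted on its own from block counter 0.
    key, nonce = table[:32], table[32:44]
    return [chacha20_xor(key, nonce, table[44 + off:44 + off + size]) for off, size in index]

def recover_key_prefix(ciphertext, suffix24, nonce, known_plain, start=99999999, stop=0):
    # Replay the downloader's search: key = 8-byte decimal string || 24-byte constant, counting down
    for n in range(start, stop - 1, -1):  # zero-padding below 10000000 is an assumption
        key = b"%08d" % n + suffix24
        if chacha20_xor(key, nonce, ciphertext[:len(known_plain)]) == known_plain:
            return n, key
    return None

# Constructed sample: all values below are made up so the search ends after ten candidates.
SUFFIX24 = bytes(range(24))             # stand-in for the hardcoded 24-byte key tail
NONCE = bytes(12)                       # stand-in for the fixed 12-byte nonce
KNOWN21 = b"shellcode-marker-0001"      # 21-byte stand-in for the known plaintext
SAMPLE_CT = chacha20_xor(b"99999990" + SUFFIX24, NONCE, KNOWN21 + b"\xcc" * 16)
```

On a real sample the loop runs up to 10^8 ChaCha20 blocks, so an analyst would port the search to C or a compiled helper; the Python version is for checking the key layout against a dump.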
Version 3.0 introduces Protobuf-serialized data for C2 communication, with each packet containing a random key and nonce prepended to the encrypted Protobuf structure. Request IDs define actions such as registering the bot, fetching tasks, and reporting task results.
Persistence, configuration, and ransomware
Matanbuchus starts by registering the compromised host with the C2 server and then requests a set of tasks from the server.

The main module establishes persistence by downloading and running shellcode from the C2 after registration.
This shellcode creates a scheduled task named “Update Tracker Task” that launches msiexec.exe with a -z parameter pointing to the Matanbuchus binary in a randomly generated directory under APPDATA.
The directory name is derived from the disk volume serial number, and the malware uses a mutex based on this name to ensure only one instance runs.
The main module supports direct execution, process injection (frequently into msiexec.exe), and in-memory .NET loading, and can run arbitrary system commands via CMD, PowerShell, or WMI.
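A defender-side check for the persistence described above, written here as an added example rather than anything from the report: it reviews exported Task Scheduler XML (schtasks /Query /XML or Export-ScheduledTask output) for the reported task name, an msiexec.exe action using -z, and a target path under %APPDATA%. The sample task XML, user name, directory and file name are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Namespace used by exported Task Scheduler XML documents
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def review_task_xml(task_xml):
    """Return a list of findings for one exported scheduled-task XML document.

    Heuristics follow the reported Matanbuchus persistence: a task named
    'Update Tracker Task' whose action runs msiexec.exe with -z (msiexec also
    accepts the /z spelling) against a module stored under %APPDATA%.
    """
    root = ET.fromstring(task_xml)
    findings = []
    uri = root.findtext("t:RegistrationInfo/t:URI", "", NS) or ""
    if uri.strip("\\").lower() == "update tracker task":
        findings.append("task name matches reported IoC: Update Tracker Task")
    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", "", NS) or "").lower()
        args = action.findtext("t:Arguments", "", NS) or ""
        if "msiexec" not in cmd:
            continue
        if any(tok.lower() in ("-z", "/z") for tok in args.split()):
            findings.append("msiexec -z action pointing at a module rather than an MSI package")
        if "\\appdata\\roaming\\" in args.lower():
            findings.append("msiexec target under %APPDATA%: " + args.strip())
    return findings

# Constructed sample mirroring the reported task; user, directory and file name are placeholders.
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Update Tracker Task</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\msiexec.exe</Command>
      <Arguments>-z C:\Users\victim\AppData\Roaming\7f3a1c9e\update.dll</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in review_task_xml(SAMPLE_TASK):
        print(finding)
```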
Configuration data is stored in an encrypted blob that also relies on ChaCha20. It contains the C2 URL, campaign ID, and an expiration date used as an anti-analysis safeguard.
Although Matanbuchus checks this expiration only at startup, it helps limit long-term exposure of specific campaigns.
Once registered, the malware can download and execute EXE, DLL, MSI, shellcode, and ZIP-packaged payloads using a broad set of execution techniques.
Recent campaigns have used Matanbuchus to deploy the Rhadamanthys infostealer and NetSupport RAT. Its growing use in hands-on-keyboard ransomware intrusions shows that it is evolving into a preferred initial access and control tool for financially motivated threat actors.
Indicators Of Compromise (IOCs)
| Indicator (SHA256 or domain) | Description |
|---|---|
| 92a2e2a124a106af33993828fb0d4cdffd9dac8790169774d672c30747769455 | Matanbuchus MSI package. |
| 6246801035e053df2053b2dc28f4e76e3595fb62fdd02b5a50d9a2ed3796b153 | Legitimate executable file (HRUpdate.exe) used for sideloading the downloader module. |
| 3ac90c071d143c3240974618d395fa3c5228904c8bf0a89a49f8c01cd7777421 | Matanbuchus downloader module. |
| 77a53dc757fdf381d3906ab256b74ad3cdb7628261c58a62bcc9c6ca605307ba | Matanbuchus main module. |
| gpa-cro[.]com | Compromised domain hosting the malicious MSI file. |
| mechiraz[.]com | Matanbuchus C2 server. |