Microsoft Teams Call Weaponized to Deploy and Execute Matanbuchus Ransomware
A sophisticated cyberattack campaign has emerged in July 2025, weaponizing Microsoft Teams calls to deploy the latest iteration of Matanbuchus ransomware.
The attack begins with adversaries impersonating IT helpdesk personnel through external Teams calls, leveraging social engineering tactics to convince employees to execute malicious scripts.
During these fraudulent support sessions, attackers activate Quick Assist and instruct victims to run PowerShell commands that ultimately deploy the Matanbuchus 3.0 loader, marking a significant evolution in the malware’s delivery mechanisms.
Matanbuchus, operating as a Malware-as-a-Service (MaaS) platform since 2021, has undergone substantial enhancements in its third iteration.
The malware functions as a sophisticated loader primarily designed to download and execute secondary payloads on compromised Windows systems, serving as a critical entry point for various cyberattacks that frequently culminate in ransomware deployment.
The latest version introduces advanced capabilities including improved communication protocols, enhanced obfuscation techniques, and comprehensive system reconnaissance features that enable attackers to tailor subsequent attacks based on the victim’s security infrastructure.
Morphisec analysts identified this campaign during active monitoring of their customer environments, intercepting the HTTP variant of Matanbuchus 3.0 before its public advertisement on underground forums.
The malware is currently being offered at $10,000 for the HTTP variant and $15,000 for the DNS variant, indicating the operators’ confidence in its effectiveness and the substantial resources invested in its development.
The researchers noted that the interception occurred prior to the malware’s public release, suggesting that adversaries were distributing the HTTP loader within trusted circles or utilizing it in their own operations.
The attack methodology represents a concerning shift toward leveraging legitimate business communication platforms for malicious purposes.
Victims receive seemingly authentic IT support calls through Microsoft Teams, creating an environment of trust that facilitates the execution of malicious instructions.
The attackers’ use of Quick Assist, a legitimate Microsoft remote assistance tool, further legitimizes their presence on victim systems while providing the necessary access to deploy their malicious payloads.
This campaign demonstrates the evolving landscape of ransomware delivery mechanisms, where traditional email-based phishing attacks are supplemented by direct voice communication through trusted platforms.
The combination of social engineering through Teams calls and the technical sophistication of Matanbuchus 3.0 creates a formidable threat that can bypass traditional security awareness training and technical controls.
Advanced Persistence and Evasion Mechanisms
The Matanbuchus 3.0 loader employs a sophisticated persistence mechanism that leverages Windows Task Scheduler through COM manipulation and shellcode execution.
Upon successful initial infection, the malware creates a scheduled task named “EventLogBackupTask” that executes every five minutes, ensuring continuous system presence and command-and-control communication.
The persistence implementation utilizes a unique combination of regsvr32 parameters: regsvr32 -e -n -i:"user". This technique is particularly evasive as the -e parameter executes silently while suppressing errors, the -n parameter allows the loader to run without modifying the registry, and the -i:"user" parameter automatically triggers the exported DllInstall function.
This approach is significantly less monitored than traditional DllRegisterServer or DllUnregisterServer functions, making detection more challenging for security solutions.
The malware’s command-and-control communication demonstrates advanced evasion techniques by impersonating legitimate Skype desktop traffic.
The loader uses the user agent string Skype/8.69.0.77 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 to blend with normal network traffic while communicating with the C2 server at nicewk[.]com over port 443.
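The two behaviours described above, the scheduled task that runs regsvr32 with -n and -i: (DllInstall without registry registration) and the Skype-branded user agent talking to a non-Microsoft host, both leave telemetry that a hunt query can check. The script below is an added example, not code from Morphisec or from the article; the event records are constructed for illustration in a simplified, assumed field layout (not any vendor's exact schema), and the allow-list of hosts where a Skype user agent is expected is an assumption a defender would replace with their own.

```python
"""Hunt for the Matanbuchus 3.0 persistence and C2 indicators from the article.

Added example (not the article's or Morphisec's code). Sample events are
constructed; field names are an assumed simplified layout.
"""
import re

# Constructed process-creation events (e.g. Sysmon EID 1 / Security 4688 style).
PROCESS_EVENTS = [
    {"host": "WS01", "parent": "svchost.exe",  # scheduled task runs under svchost
     "cmdline": r'regsvr32 -e -n -i:"user" C:\Users\Public\evtlog.dll'},
    {"host": "WS02", "parent": "msiexec.exe",  # benign installer registering a DLL
     "cmdline": r'regsvr32 /s "C:\Program Files\Vendor\codec.dll"'},
    {"host": "WS03", "parent": "explorer.exe",
     "cmdline": "notepad.exe"},
]

# Constructed "scheduled task created" events (Security 4698 style).
TASK_EVENTS = [
    {"host": "WS01", "task": r"\EventLogBackupTask", "interval_min": 5,
     "action": r'regsvr32 -e -n -i:"user" C:\Users\Public\evtlog.dll'},
    {"host": "WS04", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "interval_min": 10080, "action": "defrag.exe -c -h -k"},
]

SKYPE_UA = ("Skype/8.69.0.77 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36")

# Constructed proxy/egress events; nicewk.com is the C2 host named in the article.
PROXY_EVENTS = [
    {"host": "WS01", "dst": "nicewk.com", "dst_port": 443, "ua": SKYPE_UA},
    {"host": "WS05", "dst": "api.skype.com", "dst_port": 443, "ua": SKYPE_UA},
    {"host": "WS06", "dst": "example.org", "dst_port": 443,
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"},
]

# ASSUMPTION: domains where a genuine Skype client is expected to talk.
ALLOWED_SKYPE_SUFFIXES = ("skype.com", "microsoft.com", "live.com")


def regsvr32_flags(cmdline):
    """Return the set of regsvr32 switches in a command line (without the
    ':' argument part, so -i:"user" becomes 'i'), or None if the command
    is not regsvr32 at all."""
    argv = cmdline.split()
    if not argv:
        return None
    exe = re.split(r"[\\/]", argv[0].strip('"'))[-1].lower()
    if exe not in ("regsvr32", "regsvr32.exe"):
        return None
    flags = set()
    for tok in argv[1:]:
        if tok[:1] in ("-", "/"):
            flags.add(tok[1:].split(":", 1)[0].lower())
    return flags


def is_suspicious_regsvr32(cmdline):
    """-n (no registration) together with -i (call DllInstall) means the DLL
    is executed without ever touching DllRegisterServer: the pattern used
    by the loader's persistence task. Normal installers use /s or /u."""
    flags = regsvr32_flags(cmdline)
    return bool(flags) and {"n", "i"} <= flags


def is_spoofed_skype_ua(ua, dst, allowed=ALLOWED_SKYPE_SUFFIXES):
    """Skype user agent sent to a host outside the allowed Skype/Microsoft
    domains is an impersonation signal, not proof on its own."""
    if not ua.startswith("Skype/"):
        return False
    host = dst.lower().rstrip(".")
    return not any(host == s or host.endswith("." + s) for s in allowed)


def hunt(process_events, task_events, proxy_events,
         allowed=ALLOWED_SKYPE_SUFFIXES):
    """Run all three checks and return (kind, host, detail) findings."""
    findings = []
    for ev in process_events:
        if is_suspicious_regsvr32(ev["cmdline"]):
            findings.append(("regsvr32_dllinstall", ev["host"], ev["cmdline"]))
    for ev in task_events:
        if is_suspicious_regsvr32(ev["action"]):
            detail = f'{ev["task"]} every {ev["interval_min"]} min'
            findings.append(("task_regsvr32", ev["host"], detail))
    for ev in proxy_events:
        if is_spoofed_skype_ua(ev["ua"], ev["dst"], allowed):
            findings.append(("skype_ua_unknown_dst", ev["host"], ev["dst"]))
    return findings


if __name__ == "__main__":
    for kind, host, detail in hunt(PROCESS_EVENTS, TASK_EVENTS, PROXY_EVENTS):
        print(f"[{kind}] {host}: {detail}")
```

All three findings land on the same host (WS01), which is the correlation a responder wants: a short-interval task, a regsvr32 DllInstall launch, and Skype-labelled traffic to an unknown destination together are a much stronger signal than any one of them, and the -n/-i combination is worth alerting on by itself because ordinary software installation does not use it.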