Attackers are using Microsoft Teams calls to trick users into installing the Matanbuchus malware loader, which frequently precedes ransomware deployment, according to researchers at Morphisec.
Matanbuchus is a malware-as-a-service offering that allows threat actors to install additional payloads onto infected Windows systems.
“Over the past nine months, Matanbuchus has been used in highly targeted campaigns that have potentially led to ransomware compromises,” Morphisec says.
“Recently, Matanbuchus 3.0 was introduced with significant updates to its arsenal. In one of the most recent cases (July 2025), a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk. During this engagement, Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader.”
The threat actors use social engineering to walk the employee through the download of a malicious file, which results in malware installation.
“[V]ictims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” the researchers write. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader. In previous campaigns from September 2024, an MSI installer was downloaded, which ultimately led to a similar flow of Notepad++ updater sideloading execution.”
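The renamed-updater side-loading described above leaves a recognizable trace in endpoint telemetry. The following detection sketch is an added example, not code from Morphisec or from this article. It assumes Sysmon-style process-create (EventID 1) and image-load (EventID 7) records; the sample events, paths, and file names are constructed, and the expected install directories are an assumption.

```python
import ntpath

# Assumption: directories where a legitimate Notepad++ updater normally lives.
EXPECTED_DIRS = {r"c:\program files\notepad++\updater",
                 r"c:\program files (x86)\notepad++\updater"}

# Constructed Sysmon-style records (1 = process create, 7 = image load).
# Every path, GUID and file name below is invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "OriginalFileName": "gup.exe",
     "Image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Signed": "true",
     "ImageLoaded": r"C:\Program Files\Notepad++\updater\example.dll"},
    {"EventID": 1, "ProcessGuid": "{B2}", "OriginalFileName": "gup.exe",
     "Image": r"C:\Users\user1\AppData\Local\Temp\update\GenericUpdater.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Signed": "true",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Signed": "false",
     "ImageLoaded": r"C:\Users\user1\AppData\Local\Temp\update\helper.dll"},
    {"EventID": 1, "ProcessGuid": "{C3}", "OriginalFileName": "NOTEPAD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe"},
]

def find_gup_sideloading(events):
    """Return {ProcessGuid: sorted reasons} for suspicious GUP executions."""
    gup_dirs = {}   # ProcessGuid -> folder of each process whose PE name is GUP
    findings = {}
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1 and ev.get("OriginalFileName", "").lower() == "gup.exe":
            folder, name = ntpath.split(ev["Image"].lower())
            gup_dirs[guid] = folder
            # The PE header still says GUP, but the file on disk was renamed.
            if name != "gup.exe":
                findings.setdefault(guid, set()).add("renamed_binary")
            # The updater is running from outside its normal install location.
            if folder not in EXPECTED_DIRS:
                findings.setdefault(guid, set()).add("unexpected_path")
        elif ev["EventID"] == 7 and guid in gup_dirs:
            dll_dir = ntpath.dirname(ev["ImageLoaded"].lower())
            # An unsigned DLL loaded from the updater's own folder.
            if dll_dir == gup_dirs[guid] and ev.get("Signed", "false").lower() != "true":
                findings.setdefault(guid, set()).add("unsigned_dll_beside_exe")
    return {g: sorted(r) for g, r in findings.items()}

if __name__ == "__main__":
    for guid, reasons in find_gup_sideloading(SAMPLE_EVENTS).items():
        print(guid, reasons)
```

Matching on the PE header's original file name rather than the on-disk name is what lets the check survive the rename.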
Once the malware is installed, it creates a stealthy foothold to maintain persistence on the infected system.
“To continuously dial home, Matanbuchus needs to create persistency; this is achieved by scheduling a task,” Morphisec says. “While it sounds simple, Matanbuchus developers implemented advanced techniques to schedule a task through the usage of COM and injection of shellcode.”
AI-powered security awareness training can enable your employees to recognize social engineering tactics and help prevent ransomware actors from gaining initial access to your network. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Morphisec has the story.
