
Matanbuchus Downloader Used by Threat Actors for Ransomware and Persistence

The Matanbuchus malware, a long-running Malware-as-a-Service (MaaS) operation first observed in 2020, has resurfaced in recent ransomware campaigns.

Researchers from Zscaler ThreatLabz recently analyzed Matanbuchus version 3.0, discovered in the wild in July 2025.

The latest version showcases notable technical upgrades, including the use of Google Protocol Buffers (Protobufs) for encrypted command-and-control (C2) communication and enhanced anti-analysis mechanisms.

Infection Chain and Obfuscation Methods

In the observed campaign, attackers gained access to victim systems via the Quick Assist remote support tool, likely in combination with social engineering.

Once inside, the threat actors downloaded and executed a malicious Microsoft Installer (MSI) file from the domain gpa-cro[.]com.

This payload included a legitimate executable, HRUpdate.exe, which sideloaded the Matanbuchus downloader DLL. The downloader then fetched the main module from hxxps://mechiraz[.]com/cart/checkout/files/update_info.aspx.

Both Matanbuchus modules use heavy obfuscation to hinder analysis. Strings are encrypted with the ChaCha20 cipher, decrypted only at runtime using a shared key and nonce.

The malware also dynamically resolves Windows API functions by hash via the MurmurHash algorithm and embeds junk code to complicate disassembly.
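The article states that Matanbuchus resolves Windows API functions by MurmurHash of the name rather than by string, so the import table tells an analyst nothing. The analyst's counterpart is to precompute the hashes of likely export names and map hash constants found in the disassembly back to names. The following is an added example for that purpose, not code from Zscaler or from the malware; it assumes the MurmurHash3 x86_32 variant, seed 0, and hashing over the exact ASCII export name. The variant, seed, and any case-folding the real sample uses are not stated in the article and would have to be confirmed in the disassembly.

```python
MASK32 = 0xFFFFFFFF

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (the reference algorithm); seed 0 is an assumption."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    # tail: up to three trailing bytes that do not form a full block
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    # finalisation mix
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h

# Candidate export names an analyst would seed the table with; extend this from
# the export tables of kernel32/ntdll/advapi32/winhttp as needed.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "CreateProcessW", "WriteProcessMemory", "CreateMutexA",
    "GetVolumeInformationA", "WinHttpOpen", "WinHttpSendRequest",
]

def build_hash_table(names, seed: int = 0) -> dict:
    """hash -> export name. Raises if two names collide (would be ambiguous)."""
    table = {}
    for name in names:
        h = murmurhash3_32(name.encode("ascii"), seed)
        if h in table and table[h] != name:
            raise ValueError("hash collision between %s and %s" % (table[h], name))
        table[h] = name
    return table

def resolve_hashes(hash_values, table: dict) -> dict:
    """Map hash constants pulled from the binary back to names where known."""
    return {h: table.get(h, "<unknown>") for h in hash_values}

if __name__ == "__main__":
    table = build_hash_table(API_NAMES)
    # constants below are computed here, not taken from a real sample
    wanted = [murmurhash3_32(b"VirtualAlloc"), murmurhash3_32(b"CreateThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(wanted, table).items():
        print("0x%08x -> %s" % (h, name))
```

If the sample's hash constants do not match with seed 0, the usual next steps are to read the seed out of the hashing routine in the disassembly and to check whether names are upper-cased or wide-char encoded before hashing; each of those is a one-line change to how `build_hash_table` encodes the name.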

Figure: Matanbuchus network communication pattern.

Long-running “busy loops” within the downloader delay execution, allowing the malware to evade sandbox detection, which typically relies on shorter timeouts.

The downloader carries encrypted shellcode that retrieves and decrypts the main module. It uses a brute-force method to derive the ChaCha20 key, starting from a known plaintext sequence of 21 bytes.

Once decrypted, the shellcode connects to the hardcoded C2 server, downloads the main module over HTTPS, and decrypts it using ChaCha20.

Persistence, Configuration, and Command Execution

After execution, Matanbuchus establishes persistence through shellcode that creates a Windows scheduled task named “Update Tracker Task.”

This task executes msiexec.exe with parameters pointing to the malware’s stored location. A unique mutex, based on the volume serial number, ensures that only one instance runs per host.
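The persistence mechanism above leaves a concrete trail: a scheduled-task creation event whose action is msiexec.exe pointed at a package outside the usual installer locations, under a task name the report gives verbatim. The following is an added detection example, not Zscaler's detection logic or any vendor rule; the event records are constructed here and loosely modelled on Windows Security event 4698 ("A scheduled task was created") with simplified, hypothetical field names, and the package path in the sample is invented. Map the fields onto whatever your SIEM actually emits before using the logic.

```python
import re

# Constructed sample records (hypothetical field names, modelled on event 4698).
SAMPLE_EVENTS = [
    {"event_id": 4698, "user": "SYSTEM",
     "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "command": "C:\\Windows\\System32\\sc.exe", "arguments": "start wuauserv"},
    {"event_id": 4698, "user": "CORP\\jdoe",
     "task_name": "\\Update Tracker Task",
     "command": "C:\\Windows\\System32\\msiexec.exe",
     "arguments": "/i C:\\Users\\jdoe\\AppData\\Roaming\\HRUpdate\\package.msi /qn"},
    {"event_id": 4698, "user": "SYSTEM",
     "task_name": "\\Adobe Acrobat Update Task",
     "command": "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe",
     "arguments": ""},
    {"event_id": 4688, "user": "CORP\\jdoe", "task_name": "",   # not a task creation
     "command": "C:\\Windows\\System32\\msiexec.exe",
     "arguments": "/i C:\\Users\\jdoe\\Downloads\\setup.msi"},
]

# Task name reported by Zscaler ThreatLabz for this campaign.
KNOWN_TASK_NAMES = {"update tracker task"}

# Locations a legitimate MSI-driven updater rarely schedules from.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads)\\|\\programdata\\|\\users\\public\\|\\windows\\temp\\",
    re.IGNORECASE,
)

def classify_task_event(event: dict) -> list:
    """Reasons (possibly none) a task-creation event resembles this persistence."""
    reasons = []
    if event.get("event_id") != 4698:
        return reasons
    name = event.get("task_name", "").strip("\\").lower()
    if name in KNOWN_TASK_NAMES:
        reasons.append("task name matches the reported persistence task")
    command = event.get("command", "").lower()
    if command.endswith("\\msiexec.exe") and USER_WRITABLE.search(event.get("arguments", "")):
        reasons.append("msiexec.exe scheduled against a package in a user-writable path")
    return reasons

def find_suspicious_tasks(events) -> list:
    """(task_name, user, reasons) for every event that trips at least one check."""
    hits = []
    for event in events:
        reasons = classify_task_event(event)
        if reasons:
            hits.append((event["task_name"], event["user"], reasons))
    return hits

if __name__ == "__main__":
    for task, user, reasons in find_suspicious_tasks(SAMPLE_EVENTS):
        print(task, user, "; ".join(reasons))
```

The name match is the cheap, brittle check (a rebuild can rename the task); the msiexec-from-user-writable-path check is the one that survives renaming, and a second process-creation rule for msiexec.exe spawned by the Task Scheduler service with a package under a user profile covers hosts where task-creation auditing is not enabled.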

Matanbuchus logs system details, including hostname, OS version, domain, and installed security software, before registering with its C2 infrastructure. It then polls for task instructions, serialized as Protobuf messages encrypted with ChaCha20.

Supported commands include downloading and executing EXE, DLL, and MSI payloads; injecting shellcode into new or existing processes; running PowerShell or CMD commands; and collecting system inventory, such as running processes or installed software.
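Tasking arrives as Protobuf messages under ChaCha20, so after the cipher layer is removed an analyst still has to make sense of bytes whose .proto schema is unpublished. Protobuf's wire format can be walked without the schema: each field is a varint tag carrying a field number and a wire type, followed by a varint, a fixed-width integer, or a length-delimited blob that may itself be a nested message. The following is an added example of such a schema-less decoder, not Zscaler's tooling or the malware's own code. It assumes the bytes handed in are already decrypted; the sample task message and its field meanings (task id, command type, argument, nested options) are constructed here and hypothetical, since the article does not publish the real schema.

```python
WIRE_VARINT, WIRE_FIXED64, WIRE_LEN, WIRE_FIXED32 = 0, 1, 2, 5

def read_varint(buf: bytes, pos: int):
    """Decode a base-128 varint at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")

def decode_fields(buf: bytes) -> list:
    """Return [(field_number, wire_type, value)] without needing the .proto."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        fnum, wtype = tag >> 3, tag & 7
        if fnum == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == WIRE_VARINT:
            value, pos = read_varint(buf, pos)
        elif wtype in (WIRE_FIXED64, WIRE_FIXED32):
            width = 8 if wtype == WIRE_FIXED64 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            value = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wtype == WIRE_LEN:
            length, pos = read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value = buf[pos:pos + length]
            pos += length
        else:
            raise ValueError("unsupported wire type %d" % wtype)
        fields.append((fnum, wtype, value))
    return fields

def describe(buf: bytes, indent: int = 0) -> list:
    """Human-readable lines; length-delimited values are tried as nested message, then text, then hex."""
    lines = []
    pad = "  " * indent
    for fnum, wtype, value in decode_fields(buf):
        if wtype == WIRE_LEN:
            if value:
                try:
                    nested = describe(value, indent + 1)
                    lines.append("%sfield %d: message {" % (pad, fnum))
                    lines.extend(nested)
                    lines.append(pad + "}")
                    continue
                except ValueError:
                    pass  # not a well-formed embedded message
            try:
                lines.append("%sfield %d: string %r" % (pad, fnum, value.decode("utf-8")))
            except UnicodeDecodeError:
                lines.append("%sfield %d: bytes %s" % (pad, fnum, value.hex()))
        else:
            lines.append("%sfield %d: wire%d %d" % (pad, fnum, wtype, value))
    return lines

# Minimal encoder, only to construct the sample message below.
def encode_varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)

def encode_field(fnum: int, wtype: int, value) -> bytes:
    tag = encode_varint((fnum << 3) | wtype)
    if wtype == WIRE_VARINT:
        return tag + encode_varint(value)
    if wtype == WIRE_LEN:
        return tag + encode_varint(len(value)) + value
    raise ValueError("encoder supports varint and length-delimited fields only")

# Constructed sample task (field meanings are hypothetical, not the real schema).
SAMPLE_TASK = (
    encode_field(1, WIRE_VARINT, 1337)                               # task id
    + encode_field(2, WIRE_VARINT, 2)                                # command type
    + encode_field(3, WIRE_LEN, b"Get-Process")                      # argument
    + encode_field(4, WIRE_LEN, encode_field(1, WIRE_VARINT, 30))    # nested options
)

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_TASK)))
```

The nested-message guess is a heuristic: a short text value can occasionally parse as a valid message, so when the rendering looks odd, compare against other captured tasks of the same type before assigning a meaning to a field number.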

Recent campaigns using Matanbuchus have delivered secondary payloads like the Rhadamanthys information stealer and the NetSupport RAT. ThreatLabz assessed with medium confidence that some of these intrusions were precursors to ransomware deployment.

Zscaler’s cloud-based detection currently flags the threat as Win32.Backdoor.Matanbuchus. Indicators of compromise include hashes of the downloader and main module binaries, with active C2 infrastructure observed at mechiraz[.]com.


The post Matanbuchus Downloader Used by Threat Actors for Ransomware and Persistence appeared first on Cyber Security News.
