The Unwanted Teams Member: Matanbuchus 3.0 Delivered via Microsoft Teams Impersonation
- Javier Conejo del Cerro
- 17 Jul
- 4 min read

A new chapter in the evolution of malware-as-a-service (MaaS) threats is unfolding — and it’s happening right inside your collaboration tools. Cybercriminals are now weaponizing Microsoft Teams to deliver Matanbuchus 3.0, a highly evasive loader designed for stealth, persistence, and secondary payload deployment. Through carefully crafted impersonation tactics, attackers masquerade as internal IT support, exploiting employee trust to gain remote access and plant malware within enterprise systems.
This isn’t wide-net phishing. It’s tailored deception, and it’s hitting organizations where they least expect it — in the very tools they use to communicate and collaborate.
Teammates Scammed: Who Are the Victims?
The primary victims of this campaign are corporate employees — particularly those working in large organizations that rely heavily on Microsoft Teams for internal communication and IT support coordination. These employees are directly contacted through spoofed Teams calls by threat actors impersonating members of their own IT department.
Unlike traditional phishing attacks that rely on massive email distribution, this campaign is deliberately narrow and personal. Employees are individually selected, often based on job role or access privileges. They are convinced, often through urgency or the pretense of solving a technical issue, to initiate Quick Assist — a legitimate Windows remote support tool — and follow instructions to execute PowerShell scripts.
The profile of the victims and the nature of the intrusion strongly suggest the attackers may be working on behalf of ransomware operators or initial access brokers who later sell access to compromised environments.
The Enemy Within: How the Breach Unfolds
The breach hinges on trust. Attackers initiate Microsoft Teams calls that appear to originate from the organization’s IT help desk. During these calls, they instruct the target to launch Quick Assist and grant remote access. Once inside, they deliver and execute a PowerShell script that quietly installs the malware.
The payload includes a renamed Notepad++ updater (GUP.exe), accompanied by a tampered XML configuration file. This combination is used for DLL side-loading — a technique in which a trusted executable is made to load a malicious DLL in place of the legitimate one by exploiting the order in which Windows searches for dynamic libraries. The final stage of the breach involves deploying the Matanbuchus 3.0 loader via the compromised Notepad++ update process.
Once active, Matanbuchus begins its stealthy work:
Exfiltrating system data to its command-and-control server
Scanning for defensive tools and determining user privilege levels
Downloading additional payloads, including executable files and MSI installers
Establishing persistence by injecting shellcode into scheduled COM tasks
Evading endpoint defenses through obfuscation and LOLBins (Living-Off-the-Land Binaries)
This multifaceted approach makes Matanbuchus not just a loader, but a foothold into the victim’s infrastructure — a launchpad for ransomware, surveillance, and deeper intrusion.
The Technical Evolution of Matanbuchus 3.0
Matanbuchus has evolved significantly since its first appearance in 2021 on Russian-speaking forums, where it was offered as a MaaS toolkit for $2,500. Version 3.0 represents a dramatic leap in capability and price — it’s now sold for up to $15,000 per month for the DNS variant.
Key new features in Matanbuchus 3.0 include:
Enhanced obfuscation to bypass detection
Support for in-memory execution to avoid disk I/O
Use of Windows Management Instrumentation (WMI) and WQL queries
Reverse shell capabilities via CMD and PowerShell
Execution of regsvr32, rundll32, msiexec, and process hollowing commands
COM-based persistence mechanisms that exploit ITaskService
These upgrades reflect a shift in loader malware — from basic delivery tools to advanced post-exploitation platforms with flexible modularity.
No Vacancy for Scammers: How to Defend Against Matanbuchus 3.0
Given the human-driven nature of this attack and the abuse of legitimate tools, traditional perimeter defenses are often insufficient. Organizations must adopt a layered approach to threat mitigation, combining user education, endpoint visibility, and strict execution policies.
Recommended Defense Measures:
User Awareness and Training
Conduct regular security awareness programs on social engineering and impersonation attacks.
Teach employees to verify internal IT support calls through official channels before granting access.
Remote Access Restrictions
Disable Quick Assist if not operationally required.
Restrict use of remote desktop tools to approved devices and authenticated sessions.
Microsoft Teams Security
Monitor and restrict external Teams communications where possible.
Flag or block Teams calls from unknown domains or accounts with spoofed names.
Endpoint Detection and Response (EDR)
Deploy EDR solutions capable of detecting:
LOLBins usage (regsvr32, rundll32, etc.)
Shellcode injection and process hollowing
COM object hijacking and ITaskService abuse
Monitor for anomalous PowerShell execution patterns.
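One way to turn the detection items above into a concrete rule, as an added example that is not code from the original article: a small correlation routine over process-creation telemetry that looks for the chain described earlier on this page (a Quick Assist session, a shell spawned beneath it, GUP.exe launched from outside its install directory, then a LOLBin under that updater or shell). The event field names, the process names QuickAssist.exe and GUP.exe, the trusted install roots and the 30-minute window are assumptions for illustration, and the sample events are constructed.

```python
"""Correlate process-creation telemetry for the Teams / Quick Assist intrusion chain.

Added example, not code from the original article. Event fields mirror a simplified
Sysmon-style process-creation record; the field names, the matched process names
(QuickAssist.exe, GUP.exe), the trusted roots and the window are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    image: str    # full path of the created process
    parent: str   # full path of its parent process
    cmdline: str


REMOTE_SUPPORT = {"quickassist.exe"}                       # Quick Assist session host (assumed name)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe"}  # the LOLBins named in the article
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
WINDOW = timedelta(minutes=30)  # how far apart the stages may be and still correlate


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def untrusted_path(path: str) -> bool:
    """True when a binary runs from somewhere other than the normal install roots."""
    return not path.lower().startswith(TRUSTED_ROOTS)


def stage(ev: ProcEvent) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it matches nothing."""
    img, par = basename(ev.image), basename(ev.parent)
    if img in REMOTE_SUPPORT:
        return "remote_support_session"
    if img in SHELLS and par in REMOTE_SUPPORT:
        return "shell_under_remote_support"
    if img == "gup.exe" and untrusted_path(ev.image):
        return "updater_from_untrusted_path"
    if img in LOLBINS and (par == "gup.exe" or par in SHELLS):
        return "lolbin_from_updater_or_shell"
    return None


def correlate(events: List[ProcEvent], min_stages: int = 3) -> List[dict]:
    """Alert per host when at least `min_stages` distinct stages occur inside WINDOW.

    A single stage (a Quick Assist session, or PowerShell on its own) is ordinary
    help-desk activity; the combination inside a short window is what stands out.
    """
    hits: Dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        s = stage(ev)
        if s:
            hits[ev.host].append((ev.ts, s, ev))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, _, _) in enumerate(seq):
            window = [h for h in seq[i:] if h[0] - t0 <= WINDOW]
            stages = sorted({h[1] for h in window})
            if len(stages) >= min_stages:
                alerts.append({"host": host, "start": t0, "stages": stages,
                               "images": [h[2].image for h in window]})
                break  # one alert per host is enough for triage
    return alerts


# Constructed sample telemetry: one host shows the full chain, the other runs a real
# Notepad++ update from its install directory with no remote-support session.
T = datetime(2025, 7, 17, 10, 0, 0)
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
QA = "C:\\Program Files\\WindowsApps\\QuickAssist\\QuickAssist.exe"  # placeholder path
SAMPLE_EVENTS = [
    ProcEvent(T, "ws-042", QA, "C:\\Windows\\explorer.exe", "QuickAssist.exe"),
    ProcEvent(T + timedelta(minutes=4), "ws-042", PS, QA, "powershell.exe"),
    ProcEvent(T + timedelta(minutes=6), "ws-042",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\GUP.exe", PS, "GUP.exe"),
    ProcEvent(T + timedelta(minutes=7), "ws-042", "C:\\Windows\\System32\\rundll32.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\GUP.exe", "rundll32.exe"),
    ProcEvent(T + timedelta(minutes=2), "ws-077", "C:\\Program Files\\Notepad++\\updater\\GUP.exe",
              "C:\\Program Files\\Notepad++\\notepad++.exe", "GUP.exe"),
    ProcEvent(T + timedelta(minutes=3), "ws-077", PS, "C:\\Windows\\explorer.exe", "powershell.exe"),
]


def demo() -> List[dict]:
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in demo():
        print(a["host"], a["stages"])
```

The per-stage matchers are deliberately loose (each one on its own would be noisy); the windowed requirement for several distinct stages on the same host is what keeps the rule usable. Tune `min_stages` and `WINDOW` against your own help-desk baseline before alerting on it.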
PowerShell Hardening
Implement PowerShell Constrained Language Mode.
Log all script execution via Windows Event Logging and Windows Defender AMSI.
Application Control
Enforce application allowlisting to prevent unauthorized software from running.
Block execution of unsigned or modified binaries.
Scheduled Task Monitoring
Audit scheduled tasks regularly, especially those tied to unknown COM objects.
Watch for unusual shellcode behavior or new task registrations.
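As an added example of the audit described in this section (not code from the original article), the routine below parses exported Task Scheduler XML definitions and reports three things: task names absent from a known-good baseline, Exec actions that run a LOLBin or a binary from a user-writable directory, and ComHandler actions whose CLSID is not on an allowlist. The element names follow the Task Scheduler XML schema; the task names, paths, the baseline, the CLSID allowlist and the CLSIDs themselves are constructed placeholders.

```python
"""Audit exported Task Scheduler XML for new registrations, LOLBin actions and unknown COM handlers.

Added example, not code from the original article. Task definitions, names, paths and
CLSIDs below are constructed placeholders; the baseline of known task names and the
allowlist of handler CLSIDs are assumptions an organisation would maintain itself.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "msiexec.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_task(xml_text: str) -> dict:
    """Pull the Exec (command, arguments) pairs and ComHandler CLSIDs out of one task."""
    root = ET.fromstring(xml_text)
    execs = [((e.findtext("t:Command", "", NS) or "").strip(),
              (e.findtext("t:Arguments", "", NS) or "").strip())
             for e in root.findall("./t:Actions/t:Exec", NS)]
    clsids = [(c.findtext("t:ClassId", "", NS) or "").strip().upper()
              for c in root.findall("./t:Actions/t:ComHandler", NS)]
    return {"exec": execs, "com": clsids}


def _exe_name(cmd: str) -> str:
    return cmd.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(tasks: Dict[str, str], baseline: Set[str],
          known_clsids: Set[str]) -> List[Tuple[str, str]]:
    """Return (task name, reason) findings for an exported set of tasks."""
    findings = []
    for name, xml_text in tasks.items():
        info = parse_task(xml_text)
        if name not in baseline:
            findings.append((name, "new task registration not in baseline"))
        for cmd, args in info["exec"]:
            exe = _exe_name(cmd)
            if exe in LOLBINS:
                findings.append((name, f"action runs LOLBin {exe} {args}".rstrip()))
            if cmd.strip('"').lower().startswith(USER_WRITABLE):
                findings.append((name, f"action runs binary from user-writable path {cmd}"))
        for clsid in info["com"]:
            if clsid not in known_clsids:
                findings.append((name, f"ComHandler action with unknown CLSID {clsid}"))
    return findings


def _task_xml(body: str) -> str:
    # Minimal wrapper in the Task Scheduler namespace (no XML declaration needed here)
    return f'<Task version="1.4" xmlns="{NS["t"]}">{body}</Task>'


# Constructed sample export: task name -> XML definition
SAMPLE_TASKS = {
    "\\BackupTool\\Nightly": _task_xml(
        "<Actions><Exec><Command>C:\\Program Files\\BackupTool\\backup.exe</Command>"
        "<Arguments>--nightly</Arguments></Exec></Actions>"),
    "\\Temp GUP Runner": _task_xml(
        "<Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\Temp\\GUP.exe</Command>"
        "</Exec></Actions>"),
    "\\Example\\Handler": _task_xml(
        "<Actions><ComHandler><ClassId>{00000000-0000-0000-0000-00000000beef}</ClassId>"
        "</ComHandler></Actions>"),
    "\\OneDrive Update Helper": _task_xml(
        "<Actions><Exec><Command>rundll32.exe</Command>"
        "<Arguments>C:\\Users\\alice\\AppData\\Local\\Temp\\upd.dll,Start</Arguments>"
        "</Exec></Actions>"),
}
BASELINE = {"\\BackupTool\\Nightly"}
KNOWN_CLSIDS = {"{11111111-1111-1111-1111-111111111111}"}  # placeholder allowlist entry


def demo() -> List[Tuple[str, str]]:
    return audit(SAMPLE_TASKS, BASELINE, KNOWN_CLSIDS)


if __name__ == "__main__":
    for task, reason in demo():
        print(f"{task}: {reason}")
```

On a live system the input would come from a per-task export (each task's XML definition) collected centrally, with the baseline refreshed from an approved change; the point of the ComHandler check is that a task whose action is a CLSID rather than a command line does not show up in command-line-based hunting at all.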
By combining technical controls with vigilant user behavior, enterprises can reduce the risk of falling victim to sophisticated loader malware campaigns like this one.
The use of Microsoft Teams as an initial access vector is a wake-up call. Attackers are no longer knocking at the front gate — they’re slipping in through trusted communication platforms, armed with persuasive scripts and customized payloads. The rise of stealth-first loaders like Matanbuchus 3.0 marks a shift toward quieter, more dangerous intrusions that exploit both people and protocols.
Organizations must move beyond traditional detection models and address the intersection of social engineering, cloud collaboration, and malware delivery. The enemy isn’t always outside — sometimes, they sound like your help desk.