From a Teams Call to a Ransomware Threat: Matanbuchus 3.0 MaaS Levels Up
ID: 830107b5-3387-56e0-81ee-3c808f0adffc
STIX ID: report--830107b5-3387-56e0-81ee-3c808f0adffc
Feed Name: Morphisec Blog
This report analyzes Matanbuchus 3.0, a commercially offered malware loader used since 2021 and updated in 2025, describing targeted delivery (Notepad++ updater sideloading via convincing social engineering), robust persistence (COM-based scheduled tasks using regsvr32 -i), multiple next-stage execution methods (MSI, process hollowing, regsvr32/rundll32, cmd/PowerShell/WQL), advanced evasion and in-memory techniques (Salsa20 obfuscation, MurmurHash3 API resolution, indirect syscalls, EDR detection checks), C2 behavior (HTTPS impersonating Skype user-agent), and a list of IOCs and file hashes observed in active campaigns.
