
Technical Analysis of Matanbuchus 3.0

ID: 028b888c-8306-5f2a-9f0d-e42d15f3913c

STIX ID: report--028b888c-8306-5f2a-9f0d-e42d15f3913c

Feed Name: Zscaler Security Research Blog

Threat Score
78/100

Date Published: 2025-12-02

Date Updated: 2026-05-01

...
...

This technical analysis details the Matanbuchus 3.0 malware family across its three stages. Initial access comes through Quick Assist and an MSI package that sideloads HRUpdate.exe. The downloader stage brute-forces its ChaCha20 key to decrypt the embedded shellcode, then retrieves the main module from hardcoded C2 URLs. The main module implements ChaCha20-encrypted Protobuf-over-HTTP(S) C2 with an extensive command set (EXE, DLL, MSI and shellcode execution, process injection, system reconnaissance) and persists via a scheduled task. The report also describes runtime string decryption, dynamic API resolution, anti-analysis busy loops and per-host mutexing, and lists observed indicators and command IDs. ThreatLabz assesses with medium confidence that the actor likely intended to deploy ransomware.
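A loader that "brute-forces" its own ChaCha20 key can only do so if the keyspace is small and it can recognise a correct decryption. The example below is added here and is not code from the ThreatLabz report or from Matanbuchus; it shows the general shape of that technique under two assumptions that are not details from the report: the loader ships 30 of the 32 key bytes and recovers the last two by trial decryption, and it recognises success by an assumed known-plaintext marker at the start of the shellcode. The RFC 8439 ChaCha20 routine is written inline so the script runs offline; the key, nonce, marker and shellcode bytes are constructed for the demo. The practitioner's caveat is that the same loop is what an analyst runs against the sample: a keyspace small enough to search at load time (65,536 keys for two unknown bytes) is no obstacle to static recovery.

```python
"""Trial-decryption key recovery against a constrained ChaCha20 keyspace.

Added illustration, not Matanbuchus code. Assumptions (labelled): 30 known key
bytes, 2 unknown trailing bytes, known plaintext marker at offset 0.
"""
import struct

MASK = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block per RFC 8439 (32-byte key, 12-byte nonce)."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds as 10 column + diagonal double rounds
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & MASK for i in range(16)))


def chacha20_xor(key, nonce, data, counter=0):
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def brute_force_key(key_prefix, nonce, blob, marker):
    """Recover the missing trailing key bytes by trial-decrypting only the
    marker-sized head of the blob (one keystream block per candidate).
    Returns (key, number_of_trials) or (None, None) if no candidate matches."""
    missing = 32 - len(key_prefix)
    for guess in range(256 ** missing):
        key = key_prefix + guess.to_bytes(missing, "little")
        if chacha20_xor(key, nonce, blob[:len(marker)]) == marker:
            return key, guess + 1
    return None, None


# --- constructed sample data (not real Matanbuchus artifacts) ---
# Assumed known-plaintext prefix: push rbp; mov rbp,rsp; sub rsp,0x20
SHELLCODE_MARKER = b"\x55\x48\x89\xe5\x48\x83\xec\x20"
REAL_KEY = bytes(range(30)) + b"\x2a\x01"  # loader only ships the first 30 bytes
NONCE = b"\x00" * 12
SAMPLE_PLAINTEXT = SHELLCODE_MARKER + b"\x90" * 56 + b"\xc3"
SAMPLE_BLOB = chacha20_xor(REAL_KEY, NONCE, SAMPLE_PLAINTEXT)


def recover_sample():
    """Run the search against the constructed blob; returns (key, trials, shellcode)."""
    key, trials = brute_force_key(REAL_KEY[:30], NONCE, SAMPLE_BLOB, SHELLCODE_MARKER)
    if key is None:
        return None, None, None
    return key, trials, chacha20_xor(key, NONCE, SAMPLE_BLOB)


if __name__ == "__main__":
    key, trials, shellcode = recover_sample()
    print(f"recovered key after {trials} trials: {key.hex()}")
    print(f"decrypted {len(shellcode)} bytes, head={shellcode[:8].hex()}")
```

Checking only the first block per candidate keeps the search cheap, which is exactly why such a scheme costs the loader little and the analyst no more; a longer marker (8 bytes here) keeps false matches negligible.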
