A New RAT and a Hands-on-Keyboard Intrusion
ID: a11a1e48-d9e1-59cc-95d7-88743795cd13
STIX ID: report--a11a1e48-d9e1-59cc-95d7-88743795cd13
Feed Name: Huntress Blog
This report describes a February 2026 intrusion in which attackers used ClickFix social engineering to get a victim to silently install an MSI. The MSI deployed the Matanbuchus 3.0 loader, which in turn delivered a new, full-featured implant called AstarionRAT. The operator then moved laterally quickly, attempted to compromise a domain controller and create rogue accounts, and most likely intended to deploy ransomware or exfiltrate data. The analysis includes in-depth technical breakdowns of the multi-stage sideloading chain, the ChaCha20, RC4 and Heaven's Gate techniques used, the implant's embedded Lua interpreter and reflective loaders, and its 24 RAT commands (including credential theft and a SOCKS5 proxy), along with IOCs, YARA rules, and detection and remediation guidance.
