Mid-July 2025 brought news of a clever new trick used by attackers to spread the Matanbuchus 3.0 malware loader. They pose as an organization’s IT help desk in Microsoft Teams calls. Once connected, they ask the target to open Quick Assist for “remote support” and then run a short PowerShell command. That command pulls down a ZIP file containing what looks like a Notepad++ update, an XML file, and a malicious DLL. When the updater runs, it side-loads the DLL and drops Matanbuchus into memory without touching the disk. From there it can open reverse shells, run scripts or drop ransomware. It is a vivid example of how social engineering and built-in Windows tools can be combined to slip past most defenses.
The attack begins with social engineering over Microsoft Teams, where threat actors impersonate technical support personnel, often pretending to be from the target organization’s own IT department. These adversaries initiate unsolicited Teams calls under the pretext of resolving a fabricated urgent issue, such as an expired system certificate or a problem with endpoint protection. The goal is to lower the victim’s guard by creating a false sense of urgency and legitimacy. Since Teams is commonly used in enterprise environments, many employees are conditioned to trust communications that occur through it, especially when branding, avatars, and internal tone mimic actual IT messaging.
Once the attacker builds trust during the Teams call, they convince the victim to launch Microsoft Quick Assist, a native Windows tool used for remote troubleshooting. Because Quick Assist is digitally signed by Microsoft, it is automatically allowed by many security tools and endpoint defenses. This gives the attacker remote control with user-level privileges, without raising red flags. From there, the attacker leverages the Quick Assist session to paste a Base64-encoded PowerShell command directly into the victim’s terminal. This command downloads a compressed archive from an attacker-controlled server, typically over HTTPS, and silently extracts it to a temporary or user-accessible folder, often using names that mimic benign update utilities to avoid suspicion.
Inside this archive, the attackers deliver a side-loading mechanism leveraging legitimate software binaries, particularly the Notepad++ updater (gup.exe). Alongside this binary are two other files: matdll.dll, the actual malicious payload, and a configuration file (e.g., config.xml) that guides post-execution behavior. When the user is tricked into running the included updater, believing it to be a routine system update or fix, the executable loads the malicious DLL from the local folder because of how Windows prioritizes DLL loading (known as DLL search order hijacking). This technique is effective because gup.exe is a trusted binary, and the malicious DLL is disguised with a name matching what the application expects to load.
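The chain above (Quick Assist launch, then an encoded PowerShell command, then gup.exe started from a user-writable folder) is what a defender would correlate in endpoint telemetry. The following is an added example, not code from the original post or from the referenced research: it runs three simple stage detectors over constructed process-start records and reports hosts where at least two stages occur within a time window. The event fields, host names, file paths and the trusted Notepad++ install roots are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (process-start records), not real events from the campaign.
EVENTS = [
    {"ts": "2025-07-15T09:58:10", "host": "WS-0421", "cmdline": "quickassist.exe",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"ts": "2025-07-15T10:01:22", "host": "WS-0421",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUJDREVGRw=="},  # constructed blob
    {"ts": "2025-07-15T10:02:05", "host": "WS-0421", "cmdline": "gup.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\NppUpdate\gup.exe"},
    {"ts": "2025-07-15T11:30:00", "host": "WS-0777", "cmdline": "gup.exe -v8.7",
     "image": r"C:\Program Files\Notepad++\updater\gup.exe"},
]
# Assumed install roots of the genuine Notepad++ updater (compared in lower case).
TRUSTED_GUP_PREFIXES = ("c:\\program files\\notepad++\\", "c:\\program files (x86)\\notepad++\\")

def is_quick_assist(ev):
    return ev["image"].lower().endswith("\\quickassist.exe")

def is_encoded_powershell(ev):
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
    if not ev["image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False
    return any(len(t) > 1 and "-encodedcommand".startswith(t) for t in ev["cmdline"].lower().split())

def is_gup_outside_install(ev):
    # gup.exe launched from a user-writable folder is a DLL side-load candidate.
    path = ev["image"].lower()
    return path.endswith("\\gup.exe") and not path.startswith(TRUSTED_GUP_PREFIXES)

STAGES = (("quick_assist", is_quick_assist), ("encoded_powershell", is_encoded_powershell),
          ("gup_sideload_candidate", is_gup_outside_install))
def correlate(events, window_minutes=15):
    """Per host: chain stages seen within the window after the first Quick Assist start."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        start = next((datetime.fromisoformat(e["ts"]) for e in evs if is_quick_assist(e)), None)
        if start is None:
            continue
        end = start + timedelta(minutes=window_minutes)
        seen = list(dict.fromkeys(name for ev in evs for name, pred in STAGES
                                  if start <= datetime.fromisoformat(ev["ts"]) <= end and pred(ev)))
        if len(seen) >= 2:  # Quick Assist alone is legitimate; two stages warrant triage
            alerts[host] = seen
    return alerts
```

Running `correlate(EVENTS)` flags WS-0421 with all three stages, while the genuine updater on WS-0777 produces no alert.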
Once loaded into memory, the malicious DLL decrypts its internal configuration and establishes a covert command-and-control (C2) channel back to the attackers. This channel is typically encrypted and may use TLS over common ports (443, 80), or DNS tunneling to blend in with legitimate network activity. The malware operates entirely in-memory, avoiding the creation of permanent files on disk, which drastically reduces its footprint and evades traditional signature-based antivirus solutions. It provides capabilities such as remote command execution, reverse shells, credential harvesting, screenshot capture, and payload staging. In some cases, follow-up tools like Cobalt Strike or ransomware modules may be loaded.
This attack is a textbook example of a living-off-the-land (LotL) approach, where adversaries use native or trusted components of the operating system to carry out malicious operations. It allows them to evade detection while maintaining persistent access. The combination of human-driven social engineering, abuse of remote support tools like Quick Assist, PowerShell-based loaders, and DLL side-loading makes this campaign highly evasive and dangerous, especially in environments lacking robust behavioral monitoring and lateral movement detection.
This attack method is especially dangerous because it uses tools that organizations trust and do not block by default. Quick Assist sessions run with the user’s privileges, which are often high in corporate environments. The loader never writes itself to disk, making it hard for traditional antivirus to detect. Once attackers have this foothold, they can move across the network, steal credentials, or deploy other malware.
https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/