Saturday, January 17, 2026

Exploiting Microsoft Teams – A New Method for Deploying Matanbuchus Ransomware

Cybersecurity researchers have identified a new attack campaign in which threat actors abuse Microsoft Teams to deploy the Matanbuchus 3.0 ransomware loader, a notable evolution in social engineering tactics.

In an incident in July 2025, attackers compromised a Morphisec customer by impersonating IT helpdesk staff over external Microsoft Teams calls and ultimately deployed an updated loader with enhanced evasion capabilities; the HTTP variant of the loader is advertised on underground markets for $10,000.

New Attack Vector Through Microsoft Teams

The attack methodology demonstrates a concerning shift toward leveraging trusted communication platforms for initial access.

During the documented incident, threat actors contacted victims through external Microsoft Teams calls, successfully impersonating legitimate IT helpdesk personnel.

This social engineering approach proved highly effective, as employees were instructed to activate Quick Assist, a legitimate remote assistance tool, during the engagement.

Once Quick Assist was activated, the attackers guided victims through executing a PowerShell script that triggered the download of a malicious archive.

The archive contained three critical components: a renamed Notepad++ updater (originally GUP.exe, renamed to GenericUpdater.exe), a modified configuration XML file, and a malicious DLL that the renamed updater side-loads, which is the Matanbuchus loader itself.


The configuration file employed cybersquatting techniques, redirecting to “notepad-plus-plu[.]org” instead of the legitimate “notepad-plus-plus.org” domain.
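A one-character domain variant like the one above is easy to miss by eye but simple to catch mechanically. The following is an added example, not code from the original article, from Morphisec, or from the Notepad++ project: it parses an updater configuration in an assumed simplified XML layout (a GUPInput root holding an InfoUrl element; the real gup.xml schema is not reproduced here), extracts the update host, and compares it against an allowlist using edit distance so that near misses of a trusted domain are reported as lookalikes rather than merely as "unknown". Both sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts the updater is expected to contact; anything else is reported.
ALLOWED_HOSTS = {"notepad-plus-plus.org"}

# Constructed sample configs. The GUPInput/InfoUrl layout is an assumption
# made for this example, not a copy of the real gup.xml schema.
LEGIT_CONFIG = """<?xml version="1.0"?>
<GUPInput>
  <InfoUrl>https://notepad-plus-plus.org/update/getDownloadUrl.php</InfoUrl>
</GUPInput>"""

TAMPERED_CONFIG = """<?xml version="1.0"?>
<GUPInput>
  <InfoUrl>https://notepad-plus-plu.org/update/getDownloadUrl.php</InfoUrl>
</GUPInput>"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def extract_urls(config_xml: str) -> list:
    """Return the text of every element in the config that looks like an http(s) URL."""
    root = ET.fromstring(config_xml)
    urls = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text.lower().startswith(("http://", "https://")):
            urls.append(text)
    return urls


def check_update_config(config_xml: str, allowed=ALLOWED_HOSTS, max_distance: int = 2) -> list:
    """Return a list of findings; an empty list means every update host is allowlisted."""
    findings = []
    for url in extract_urls(config_xml):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append(f"non-HTTPS update URL: {url}")
        if host in allowed:
            continue
        # Not allowlisted: is it within a couple of edits of a trusted host?
        near = [h for h in allowed if levenshtein(host, h) <= max_distance]
        if near:
            findings.append(f"lookalike host {host!r} resembles trusted {near[0]!r}")
        else:
            findings.append(f"unexpected update host {host!r}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("legit", LEGIT_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, check_update_config(cfg) or "OK")
```

Distinguishing "lookalike" from "unexpected" matters for triage: an unknown host may be a legitimate mirror, but a host one edit away from the vendor domain is almost never benign and should be escalated.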

Technical Enhancements in Version 3.0

Matanbuchus 3.0 incorporates significant technical improvements that enhance its stealth and effectiveness.

The malware now utilizes MurmurHash3 with a changing seed for API resolution, replacing the previously used FNV1a algorithm.

Data encryption has been upgraded to Salsa20 with a 256-bit key, applied to obfuscate critical information such as C2 domain names and user agents.
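Seeded API hashing is the part of this that analysts run into first, because the import table of the loader is empty and every call is resolved from a hash. The block below is an added example, not code from the original article or from the malware: it is the public MurmurHash3 x86_32 algorithm in Python, used the way a defender uses it, by hashing a list of candidate Windows API names under a candidate seed and looking up hashes observed in a sample. The API list is a small constructed sample and the seeds are arbitrary; nothing here reproduces the actual seed or API set used by Matanbuchus.

```python
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (public algorithm by Austin Appleby) of data under seed."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h1 = seed & MASK32
    nblocks = len(data) // 4

    # Body: consume 4-byte little-endian blocks.
    for i in range(nblocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & MASK32

    # Tail: up to 3 remaining bytes.
    tail = data[nblocks * 4:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * c2) & MASK32
        h1 ^= k1

    # Finalisation (fmix32).
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & MASK32
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & MASK32
    h1 ^= h1 >> 16
    return h1


# Constructed sample of API names an analyst might try; a real table would
# be generated from the export lists of the DLLs the sample loads.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "NtAllocateVirtualMemory", "NtProtectVirtualMemory",
]


def build_table(seed: int, names=API_NAMES) -> dict:
    """Map hash -> API name for one candidate seed."""
    return {murmur3_32(n.encode("ascii"), seed): n for n in names}


def resolve_api_hash(value: int, seed: int, names=API_NAMES):
    """Return the API name whose hash under seed equals value, or None."""
    return build_table(seed, names).get(value & MASK32)


if __name__ == "__main__":
    seed = 0x1234  # arbitrary; the real seed must be recovered from the sample
    observed = murmur3_32(b"VirtualProtect", seed)
    print(hex(observed), "->", resolve_api_hash(observed, seed))
    print("same hash under a different seed ->", resolve_api_hash(observed, seed + 1))
```

The last line illustrates why a changing seed raises the cost of analysis: a hash table built for one seed is useless for another, so the seed has to be recovered from each sample before any hash can be named.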

The loader demonstrates sophisticated evasion techniques, including indirect system call execution and enhanced reconnaissance capabilities.

It performs comprehensive security stack enumeration, identifying major EDR solutions including Windows Defender, CrowdStrike Falcon, SentinelOne, and others.

This intelligence gathering enables the malware to adapt its execution methods based on the victim’s security infrastructure.

For persistence, the malware employs COM-based task scheduling, creating a task that executes regsvr32 -e -n -i:"user" <dll_path> every five minutes.

This invokes the DLL through regsvr32 parameters that are monitored far less often than the conventional DllRegisterServer entry point, reducing the likelihood of detection.
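The persistence command above is a good hunting target precisely because regsvr32 is so common that most detections only look for the default DllRegisterServer path. The following is an added example, not code from the original article or from any product: it parses process-creation command lines, flags regsvr32 runs that skip DllRegisterServer (-n) while calling DllInstall with an argument (-i:), and separately flags a DLL loaded from outside the system or program directories. The event records are constructed, the DLL path is a placeholder, and the -e switch is passed through without interpretation since it is not a documented regsvr32 option.

```python
import re

# Directories from which a DLL handed to regsvr32 is ordinarily expected (lowercase prefixes).
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed process-creation events; the loader DLL path is a placeholder.
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T09:12:03Z", "parent": "svchost.exe",
     "cmdline": 'regsvr32 -e -n -i:"user" C:\\Users\\alice\\AppData\\Roaming\\Updater\\loader.dll'},
    {"ts": "2025-07-14T09:13:41Z", "parent": "msiexec.exe",
     "cmdline": "regsvr32 /s C:\\Windows\\System32\\msxml3.dll"},
    {"ts": "2025-07-14T09:15:22Z", "parent": "setup.exe",
     "cmdline": 'C:\\Windows\\System32\\regsvr32.exe /u /s "C:\\Program Files\\Vendor\\ext.dll"'},
    {"ts": "2025-07-14T09:16:05Z", "parent": "explorer.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# Split on whitespace but keep double-quoted arguments together.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_regsvr32(cmdline: str):
    """Return (switch letters, dll_path) for a regsvr32 command line, else None."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmdline)]
    if not tokens:
        return None
    exe = tokens[0].lower()
    if not (exe in ("regsvr32", "regsvr32.exe") or exe.endswith("\\regsvr32.exe")):
        return None
    switches = set()
    dll_path = None
    for tok in tokens[1:]:
        if tok[:1] in ("/", "-"):
            switches.add(tok[1:2].lower())   # "-i:user" -> "i", "/s" -> "s"
        else:
            dll_path = tok                   # last non-switch token is the DLL
    return switches, dll_path


def analyze_regsvr32(cmdline: str) -> list:
    """Return the reasons a regsvr32 command line is suspicious (empty if none)."""
    parsed = parse_regsvr32(cmdline)
    if parsed is None:
        return []
    switches, dll_path = parsed
    reasons = []
    if "n" in switches and "i" in switches:
        reasons.append("DllInstall invoked via -i: with DllRegisterServer skipped (-n)")
    if dll_path and not dll_path.lower().startswith(TRUSTED_DIRS):
        reasons.append(f"DLL loaded from non-standard location: {dll_path}")
    return reasons


def hunt(events) -> list:
    """Return the events that trip at least one rule, annotated with the reasons."""
    hits = []
    for ev in events:
        reasons = analyze_regsvr32(ev["cmdline"])
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ts"], hit["parent"], "->", "; ".join(hit["reasons"]))
```

Pairing the two rules is deliberate: -n with -i: alone still has legitimate installer uses, and a DLL in a user-writable directory alone is noisy, but a scheduled task firing both every few minutes is exactly the pattern described above and merits an alert rather than a log line.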

The C2 communication protocol impersonates the Skype Desktop application version 8.69.0.77 to blend with legitimate traffic, while supporting multiple payload delivery methods, including MSI installation, process hollowing, and direct command execution capabilities.

The evolution of Matanbuchus poses a significant threat to organizations that rely on Microsoft Teams for business communications, underscoring the need for enhanced security awareness training and robust endpoint protection strategies.
