Matanbuchus is a malware loader that has been actively used in cyberattacks since July 16, 2022. When Unit 42 first identified it as part of a malspam campaign in February 2023, it was thought to be a possible payload dropped by the PikaBot malware; subsequent analysis showed Matanbuchus to be a distinct malware family. It has been linked to ransomware activity involving several strains, including Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play, and has been observed alongside off-the-shelf post-exploitation frameworks such as Cobalt Strike and Sliver, as well as other loaders such as IcedID.
The Matanbuchus loader has been deployed together with other malicious tools in attacks carried out by threat groups, notably ShadowSyndicate. These include Remote Access Trojans (RATs) such as DarkGate and NetSupport, information stealers such as Lumma and Vidar, and penetration-testing tools such as Sliver and Meterpreter. Attackers have frequently lured users into installing malware, including Matanbuchus or DarkGate, through deceptive messages that offer "how to fix" or "auto-fix" instructions, which result in the user executing a PowerShell script or a DLL.
In a development reported on March 11, 2024, Matanbuchus was observed abusing XLS files to compromise Windows machines. This new delivery method marks an escalation in the threat it poses and underscores the need for robust defensive measures. As Matanbuchus continues to adapt and expand its techniques, it remains a significant concern for security teams worldwide.
Description last updated: 2024-06-18T21:16:02.071Z