Date: 12/29/2025
Severity: High
Summary
Matanbuchus is a C++-based malicious downloader offered as Malware-as-a-Service since 2020. It has evolved through multiple development stages, with version 3.0 observed in the wild in July 2025. The malware allows attackers to deploy additional payloads and carry out hands-on-keyboard activity via shell commands. Despite its simple design, Matanbuchus has recently been linked to ransomware operations. It consists of two main components: a downloader module and a primary execution module. The ThreatLabz analysis referenced below examines its obfuscation methods, persistence mechanisms, and network communication.
Indicators of Compromise (IOC) List
Domains/URLs:
gpa-cro.com
mechiraz.com
SHA-256 hashes:
92a2e2a124a106af33993828fb0d4cdffd9dac8790169774d672c30747769455
6246801035e053df2053b2dc28f4e76e3595fb62fdd02b5a50d9a2ed3796b153
3ac90c071d143c3240974618d395fa3c5228904c8bf0a89a49f8c01cd7777421
77a53dc757fdf381d3906ab256b74ad3cdb7628261c58a62bcc9c6ca605307ba
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "mechiraz.com" or url like "mechiraz.com" or siteurl like "mechiraz.com" or domainname like "gpa-cro.com" or url like "gpa-cro.com" or siteurl like "gpa-cro.com"
Detection Query 2:
sha256hash IN ("77a53dc757fdf381d3906ab256b74ad3cdb7628261c58a62bcc9c6ca605307ba","92a2e2a124a106af33993828fb0d4cdffd9dac8790169774d672c30747769455","3ac90c071d143c3240974618d395fa3c5228904c8bf0a89a49f8c01cd7777421","6246801035e053df2053b2dc28f4e76e3595fb62fdd02b5a50d9a2ed3796b153")
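The two detection queries above, re-expressed as a small Python checker run over constructed log records (an added example, not code from the advisory or from Gurucul). Field names follow the queries; the sample records are constructed, and domain matching is done on a label boundary (exact host or subdomain) so a host such as notmechiraz.com does not fire, which a plain substring match would.

```python
from urllib.parse import urlparse

# IOCs from the advisory
IOC_DOMAINS = {"gpa-cro.com", "mechiraz.com"}
IOC_SHA256 = {
    "92a2e2a124a106af33993828fb0d4cdffd9dac8790169774d672c30747769455",
    "6246801035e053df2053b2dc28f4e76e3595fb62fdd02b5a50d9a2ed3796b153",
    "3ac90c071d143c3240974618d395fa3c5228904c8bf0a89a49f8c01cd7777421",
    "77a53dc757fdf381d3906ab256b74ad3cdb7628261c58a62bcc9c6ca605307ba",
}

def host_of(value):
    """Lower-cased host part of a bare domain, host:port or full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/")[0].split(":")[0]

def domain_matches(value):
    """True if the host equals an IOC domain or is a subdomain of one."""
    host = host_of(value)
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def match_record(rec):
    """Apply both queries to one log record (dict); return the query that fired."""
    for field in ("domainname", "url", "siteurl"):
        if rec.get(field) and domain_matches(rec[field]):
            return "Detection Query 1"
    if rec.get("sha256hash", "").strip().lower() in IOC_SHA256:
        return "Detection Query 2"
    return None

# Constructed sample records, not real telemetry
SAMPLE_LOGS = [
    {"domainname": "cdn.mechiraz.com"},                          # subdomain hit
    {"url": "https://GPA-CRO.com/update.php?id=1"},              # case-insensitive hit
    {"siteurl": "https://notmechiraz.com/"},                     # must NOT fire
    {"sha256hash": "77A53DC757FDF381D3906AB256B74AD3CDB7628261C58A62BCC9C6CA605307BA"},
    {"domainname": "example.org", "sha256hash": "00" * 32},      # benign
]

def scan(records):
    """Return (index, query) for every record that fires a detection."""
    return [(i, q) for i, r in enumerate(records) if (q := match_record(r))]

if __name__ == "__main__":
    for i, q in scan(SAMPLE_LOGS):
        print(f"record {i}: {q}")
```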
Reference:
https://www.zscaler.com/blogs/security-research/technical-analysis-matanbuchus-3-0