Matanbuchus is a C++-based malicious downloader that has been sold as a Malware-as-a-Service (MaaS) offering since 2020. Version 3.0, observed in July 2025, introduces Protobuf-based serialization of its C2 messages, ChaCha20 encryption, and several new anti-analysis techniques. The malware has two parts: a downloader module that fetches the main (backdoor) module from the C2 server, and that main module, which then handles persistence, command execution, and delivery of follow-on payloads. Matanbuchus has been tied to ransomware incidents and to campaigns distributing the Rhadamanthys information stealer and NetSupport RAT.
The analysis covers both components, the downloader and the main module, and walks through an initial infection chain that starts with a Quick Assist remote-assistance session, continues with a malicious MSI hosted on gpa-cro.com, and ends with a DLL side-loaded under the guise of HRUpdate.exe. The downloader contacts mechiraz.com to obtain the main module; the main module registers with the C2, creates a scheduled task named Update Tracker Task for persistence, and sets a per-host mutex so that only one instance runs. C2 messages are serialized with Protobuf, encrypted with ChaCha20 (key and nonce), and carried over HTTPS.
Defensive measures include blocking gpa-cro.com and mechiraz.com at the network edge (DNS, proxy, and firewall), alerting on creation of a scheduled task named Update Tracker Task and on the associated HKCU registry key, and enforcing application allowlisting so that untrusted MSI packages and side-loaded DLLs cannot execute. Restrict msiexec to signed, verified packages, and watch for msiexec launching installers from user-writable paths or directly from URLs. One caveat on network detection: the ChaCha20 layer sits inside TLS, so the C2 traffic is not distinguishable from ordinary HTTPS by its cipher; detection on the wire should key on the known domains, TLS SNI and certificate details, and beaconing cadence rather than on the encryption itself.
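The three host- and network-side detections above, as an added hunting example that is not part of the original analysis: it runs a task-creation rule, a C2-domain rule, and an msiexec-source rule over constructed sample telemetry. The event field names are assumptions loosely modelled on Sysmon and Windows Security events (task creation is Security event 4698, which names tasks with a leading backslash), not a particular vendor schema; the sample events, including the MSI filename, are constructed for the example. The domain and task-name indicators come from the page.

```python
"""Hunting rules for Matanbuchus 3.0 artifacts over sample endpoint and DNS telemetry.

Added example, not code from the original report. Field names are assumptions
loosely modelled on Sysmon / Windows Security events; the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Indicators from the report: the MSI host and the downloader's C2.
IOC_DOMAINS = {"gpa-cro.com", "mechiraz.com"}
# Scheduled task the main module creates for persistence (compared case-insensitively).
TASK_NAME = "update tracker task"

# Assumption: an MSI installed from a download directory, a temp path or a URL is
# worth a closer look; a managed product install normally runs from C:\Windows\Installer
# or a software-distribution share.
SUSPICIOUS_MSI_SOURCE = re.compile(
    r"(?i)(\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\|https?://)"
)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def domain_matches(name: str) -> bool:
    """True for an IOC domain or any subdomain of it; look-alikes such as notmechiraz.com do not match."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in IOC_DOMAINS)


def check_task_creation(ev: dict) -> Optional[Alert]:
    """Security 4698 / Sysmon-style task creation; 4698 writes the name with a leading backslash."""
    if ev.get("event") != "task_created":
        return None
    if ev.get("task_name", "").strip("\\").lower() == TASK_NAME:
        return Alert("matanbuchus_persistence_task", ev["host"], ev["task_name"])
    return None


def check_network(ev: dict) -> Optional[Alert]:
    """DNS query or TLS client-hello SNI touching an IOC domain (the cipher inside TLS is not visible)."""
    if ev.get("event") not in ("dns_query", "tls_client_hello"):
        return None
    name = ev.get("query") or ev.get("sni") or ""
    if domain_matches(name):
        return Alert("matanbuchus_c2_domain", ev["host"], name)
    return None


def check_msiexec(ev: dict) -> Optional[Alert]:
    """msiexec installing a package from a user-writable location or straight from a URL."""
    if ev.get("event") != "process_create":
        return None
    if not ev.get("image", "").lower().endswith("\\msiexec.exe"):
        return None
    cmdline = ev.get("cmdline", "")
    if SUSPICIOUS_MSI_SOURCE.search(cmdline):
        return Alert("suspicious_msiexec_source", ev["host"], cmdline)
    return None


RULES: list[Callable[[dict], Optional[Alert]]] = [check_task_creation, check_network, check_msiexec]


def scan(events: list[dict]) -> list[Alert]:
    """Run every rule over every event, in event order; each rule fires at most once per event."""
    return [a for ev in events for rule in RULES if (a := rule(ev)) is not None]


# Constructed sample telemetry (not real logs). WS01 shows the chain from the page;
# WS02 is benign noise that must not fire.
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "WS01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\jdoe\Downloads\update.msi" /qn'},
    {"event": "dns_query", "host": "WS01", "query": "gpa-cro.com"},
    {"event": "task_created", "host": "WS01", "task_name": r"\Update Tracker Task"},
    {"event": "tls_client_hello", "host": "WS01", "sni": "api.mechiraz.com"},
    {"event": "process_create", "host": "WS02", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Windows\Installer\1a2b.msi" /qn'},
    {"event": "dns_query", "host": "WS02", "query": "notmechiraz.com"},
    {"event": "task_created", "host": "WS02",
     "task_name": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert.host}: {alert.rule} -> {alert.detail}")
```

Two practical notes: event 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled, so confirm that before relying on the task rule, and domain indicators age quickly as operators rotate infrastructure, so the task name and the msiexec-source rule are the more durable of the three.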
When Matanbuchus activity is detected, isolate the affected host first, then preserve evidence before cleaning up: export the scheduled task definition, the registry entry, the mutex name, and any retrieved payloads (the downloader, the main module, and whatever it fetched), and only then remove the malicious binaries and the task. Follow with full endpoint forensics to identify second-stage payloads such as Rhadamanthys or NetSupport RAT and any data that was exfiltrated, reset credentials that were exposed on the host, and remediate any Active Directory accounts the attacker touched.
