{
	"id": "e18b97a2-5d47-43f6-8f47-b991b460fcfb",
	"created_at": "2026-04-06T00:11:27.938193Z",
	"updated_at": "2026-04-10T03:30:57.702648Z",
	"deleted_at": null,
	"sha1_hash": "c30faf10ba26200b4b84920037e19af1df3843c2",
	"title": "Matanbuchus: Malware-as-a-Service with Demonic Intentions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1218055,
	"plain_text": "Matanbuchus: Malware-as-a-Service with Demonic Intentions\r\nBy Jeff White, Kyle Wilhoit\r\nPublished: 2021-06-16 · Archived: 2026-04-02 10:36:22 UTC\r\nExecutive Summary\r\nUnit 42 researchers often spend time investigating what we call non-traditional sources. Non-traditional sources\r\noften include underground marketplaces and sites, spanning from forums on the Tor network to Telegram channels\r\nand other marketplaces. One such case that we investigated involves a threat actor called BelialDemon, who is a\r\nmember of several underground forums and marketplaces.\r\nIn February 2021, BelialDemon advertised a new malware-as-a-service (MaaS) called Matanbuchus Loader and\r\ncharged an initial rental price of $2,500. Malware loaders are malicious software that typically drop or pull down\r\nsecond-stage malware from command and control (C2) infrastructures. Matanbuchus has the following capabilities:\r\nThe ability to launch a .exe or .dll file in memory.\r\nThe ability to leverage schtasks.exe to add or modify task schedules.\r\nThe ability to launch custom PowerShell commands.\r\nThe ability to leverage a standalone executable to load the DLL if the attacker otherwise has no way of\r\ndoing so.\r\nWe discovered several organizations impacted by Matanbuchus including a large university and high school in the\r\nUnited States, as well as a high-tech organization in Belgium.\r\nAfter observing the user BelialDemon operating in well-established underground forums, we’ve noticed they stick\r\nto a particular biblical theme: their name, Belial, along with the name of their new loader, Matanbuchus, stem from\r\nthe Ascension of Isaiah 2:4: \"And Manasseh turned aside his heart to serve Belial; for the angel of lawlessness, who\r\nis the ruler of this world, is Belial, whose name is Matanbuchus.” A fitting theme for their operations.\r\nThis blog sheds light on Matanbuchus, BelialDemon and the malware’s infrastructure.\r\nBelialDemon Overview\r\nIf we 
look historically, BelialDemon has been involved in the development of malware loaders. BelialDemon is\r\nconsidered the primary developer of TriumphLoader, a loader previously posted about on several forums, and has\r\nexperience with selling this type of malware.\r\nhttps://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/\r\nPage 1 of 15\n\nFigure 1. Forum posting of BelialDemon showcasing a loader.\r\nLooking over posts such as these in Figure 1, we’ll attempt to locate the files through a litany of means to better\r\nunderstand the functionality of the malware and analyze its activity in the wild – allowing for better protections and\r\nenriched intelligence. BelialDemon was specifically looking to recruit three people as part of their MaaS offering,\r\ncharging an initial rental price of $2,500.\r\nFigure 2. Forum posting for Matanbuchus sale.\r\nSince we have a name for the malware direct from the source, we subsequently went hunting for samples of\r\nMatanbuchus used in the wild. Hunting for a sample of Matanbuchus unearthed a file in the wild called ddg.dll,\r\nwhich is actively being dropped via hxxp://idea-secure-login[.]com. Looking at some of the included strings\r\nshowed we were on the right track.\r\nFigure 3. 
Strings showing MatanbuchusDroper.dll.\r\nAs stated by the malware author, the loader has the following features:\r\nThe ability to launch a .exe or .dll file in memory.\r\nThe ability to leverage schtasks.exe to add or modify task schedules.\r\nThe ability to launch custom PowerShell commands.\r\nThe ability to leverage a standalone executable to load the DLL if the attacker otherwise has no way of\r\ndoing so.\r\nThe question then becomes what does it actually look like in the wild?\r\nThe Excel Dropper\r\nAfter identifying the Microsoft Excel document (SHA256:\r\n41727fc99b9d99abd7183f6eec9052f86de076c04056e224ac366762c361afda) as an initial vector of an attack that\r\ndrops the Matanbuchus Loader DLL, we begin our analysis on this file. When opening the Excel document, you're\r\nmet with the notification that you need to enable macros to view the actual content of the document.\r\nFigure 4. Picture of fake Excel warning.\r\nThis file is using a technique more recently favored in attacks leveraging Microsoft Office documents. Specifically,\r\nthere has been a shift from Microsoft Word to Microsoft Excel when trying to launch malicious payloads on\r\nvictims’ systems. This shift is because, using Excel's built-in functions, it is possible to store code distributed\r\nthroughout the spreadsheet cells, offering a native obfuscation that hampers analysis and detection. This is\r\ncolloquially referred to as Excel 4.0 Macros.\r\nFigure 5. Hidden worksheet functions.\r\nThe cells with data will spread across a sea of blank ones which, when executed, will piece together the\r\ninformation. In the example above, note how some of the visible cells in the B column refer to columns and rows\r\nacross the sheet.\r\nFigure 6. Example of an Excel function.\r\nThis GOTO function tells Excel to select a specific cell hundreds of columns over and 1,595 rows down. 
These\r\ntypes of actions are chained together, and in this document, perform a simple download and execution of said file.\r\nBy removing the blank cells in the document and reviewing the resulting strings, there are many interesting\r\nstandouts that align with the observed behavior of this file in our WildFire malware analysis engine.\r\nFigure 7. Excel V4 extracted macro strings.\r\nTaking these at face value, we can see a breakdown in functionality for downloading a file to a certain location and\r\nthe execution of it. In this case, ddg.dll will be downloaded from idea-secure-login[.]com and saved locally as\r\nhcRlCTg.dll. Then the export within the DLL called RunDLL32_Install_COM32 is executed.\r\nAs previously stated, this lines up with expected behavior that was observed in WildFire.\r\nFigure 8. WildFire logged activity.\r\nThe DLL, in this case, is the Matanbuchus Loader DLL file.\r\nMatanbuchus Overview\r\nIn this next section, we'll briefly cover the Matanbuchus malware before we take a look at the infrastructure used.\r\nOverall, Matanbuchus uses two DLLs during the malware’s run cycle. Both DLLs are packed, but it should be\r\nnoted that the first DLL has an internal name of MatanbuchusDroper.dll while the second DLL is named\r\nMatanbuchus.dll. It’s not the stealthiest approach, but helpful to us nonetheless. Additionally, both DLLs are based\r\nat 0x10000000 and use hard-coded addresses throughout execution.\r\nOnce Excel downloads the initial DLL, MatanbuchusDroper.dll (SHA256:\r\n7fbaf7420943d4aa327bb82a357cd31ca92c7c83277f73a195d45bd18365cfce), from the idea-secure-login[.]com\r\nsite, the Excel macro will launch and call the export within the DLL labeled RunDLL32_Install_COM32.\r\nThe primary function of this first DLL is, as its name suggests, to drop the main Matanbuchus DLL. 
However,\r\nbefore that, it will make a number of API calls typically observed in anti-virtualization and anti-debugging checks,\r\nsuch as GetCursorPos, IsProcessorFeaturePresent, cpuid, GetSystemTimeAsFileTime, and\r\nQueryPerformanceCounter. These can profile a system to provide indicators to the malware that allow it to\r\ndetermine if it is running in a controlled environment (i.e. a sandbox).\r\nFigure 9. API Call for IsProcessorFeaturePresent.\r\nFigure 10. API Call for cpuid.\r\nEventually, the DLL will move to the next phase and unpack the URL to download the primary Matanbuchus DLL,\r\ndisguised as an XML file called AveBelial.xml. This downloaded file is then saved to\r\nUsers\\ADMINI~1\\AppData\\Local\\Temp\\Run_32DLL_COM32\\shell96.dll. The use of shell96 is an attempt to\r\nblend in with the native system files, suggesting shell32 -\u003e shell64 -\u003e shell96 as a logical progression in naming if\r\nit were real.\r\nFigure 11. Matanbuchus DLL download.\r\nFigure 11. Writing shell96.dll to disk.\r\nPersistence is established by creating a scheduled task to run the new DLL, along with the specific export to call.\r\nFigure 12. Scheduled task for persistence.\r\nNote the attempt to blend the export name of the DLL with words typically found in popular DLLs:\r\nRunDLL32_Install_COM32 and Run_32DLL_COM32. This continues the trend noted above regarding shell96.\r\nThe sample, Matanbuchus.dll (SHA256:\r\naf356a39a298f6a48f8091afc2f2fc0639338b11813f4f4bd05aba4e65d2bbe3), is similar to the first DLL and uses\r\nmultiple types of obfuscation and encoding to hide strings and executable code from static analysis. Unlike the first\r\none, additional steps were taken after unpacking the code to further hide the DLLs it leverages functions from. 
In\r\nFigure 14, you can see that the sample is building a string, Shell32.dll.\r\nFigure 13. Building “Shell32.dll” string.\r\nIf you look at the DLLs it decodes strings for, there are no big surprises: IPHLPAPI.DLL, ws2_32.dll, wininet.dll\r\nand shlwapi.dll. These are common sights when doing malware analysis as they are frequently a precursor to\r\nactions such as writing files or network-based communication.\r\nFinally, this DLL collects various pieces of information about the system, such as hostnames, OS details, network\r\nadapters and so on, before transitioning into a more familiar routine exhibited by remote access trojans (RAT). The\r\nmalware begins to communicate with the same host the DLL was downloaded from – eonsabode[.]at. It then sends\r\nan HTTP POST to kntwtopnbt/8r5kudwrc8/gate[.]php with no referrer, and a user-agent field containing data\r\ninstead of an actual user-agent, making it quite visible and easily detectable.\r\nFigure 14. Network Traffic HTTP POST.\r\nThe requests are Base64 encoded JSON arrays of more encoded data, most likely containing the profiling\r\ninformation of the host.\r\nFigure 15. Base64 decoded C2 traffic.\r\nInfrastructure Overview\r\nShifting focus to the domain where the final Matanbuchus DLL came from (eonsabode[.]at), we can see that it\r\nresolves to an IP address in a Google network and has had a number of IP addresses it resolved to since early\r\nFebruary 2021. This aligns with the time we observed BelialDemon advertising their new malware. Additionally,\r\nthe initial domain (idea-secure-login[.]com) that the Excel v4 macro reaches out to for the first Matanbuchus DLL\r\nis also hosted on these same IP addresses.\r\nFigure 17. 
DNS resolutions for eonsabode[.]at.\r\nWhen looking at each of the individual IP addresses and their previous resolutions, a number of patterns begin to\r\nemerge in the domains that exist on each one, further grouping the malicious activity together.\r\nFor example, consider the following three most recent IP addresses and a subset of their resolutions:\r\n34.94.151[.]129\r\n34.106.243[.]174\r\n34.105.89[.]82\r\nThe immediately observable patterns here include the usage of domains registered with the Austria ccTLD \"at,\" the\r\nusage of \"24\" within the domain names, and the use of the words \"login,\" \"online,\" \"sso\" and \"secure.\" These are in\r\nline with BelialDemon's previous attempts to hide in plain sight by using \"good\" words.\r\nGiven this, we pulled all of the passive DNS resolutions for each IP the original malicious domains resolved to\r\nsince February 2021. Focusing specifically on domains with multiple connections, we're left with a graph that\r\nneatly clusters potentially related domains.\r\nFigure 18. Connection map of IP and Domains.\r\nWithin this subset of domains, there are numerous clusters based on various aspects of the domain names, and\r\nwe've individually clustered them below.\r\nPattern: Theme of biznesplanet\r\nPattern: Usage of \"24\"\r\nPattern: Usage of Austria ccTLD\r\nPattern: Fake Adobe Flash updates\r\nPattern: Usage of \"Idea\"\r\nPattern: Theme of \"Wallet,\" possibly crypto-related\r\nThe domains and themes primarily appear focused on phishing, and while not all of these domains are related to the\r\nMatanbuchus malware, it appears they are all malicious and likely operated by the same entities. 
For example, the\r\n\"Fake Flash Updates\" were associated with malicious APK files, as noted by the Malware Hunter Team on Twitter,\r\nadding further weight to this theory. Some of these domains may be staged for future campaigns and may not have\r\nbeen utilized yet.\r\nConclusion\r\nThis blog highlights how threat intelligence can be generated from hunting for threats observed in the wild and how\r\nsmall pieces of seemingly disparate data can chain together to strengthen analysis, extract indicators and improve\r\ndefenses for your organization before being impacted.\r\nPalo Alto Networks customers are protected from this threat by:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nIndicators for Matanbuchus.\r\nNext-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which\r\nare also categorized as malware in Advanced URL Filtering.\r\nAutoFocus: Tracking related activity using the Matanbuchus tag.\r\nIndicators of Compromise\r\nNote: Value\r\nExcel Dropper SHA256: 41727fc99b9d99abd7183f6eec9052f86de076c04056e224ac366762c361afda\r\nMatanbuchus Loader SHA256: 7fbaf7420943d4aa327bb82a357cd31ca92c7c83277f73a195d45bd18365cfce\r\nMatanbuchus Main SHA256: af356a39a298f6a48f8091afc2f2fc0639338b11813f4f4bd05aba4e65d2bbe3\r\nMatanbuchus Loader Domain: idea-secure-login[.]com\r\nMatanbuchus Loader URL: idea-secure-login[.]com/3/ddg.dll\r\nMatanbuchus Main Domain: eonsabode[.]at\r\nMatanbuchus Main URL: eonsabode[.]at/kntwtopnbt/iqiw922vv5/AveBelial.xml\r\nMatanbuchus Loader FileName: ddg.dll\r\nMatanbuchus Loader FileName: hcRlcTg.dll\r\nMatanbuchus Main FileName: shell96.dll\r\nMatanbuchus Loader Export: RunDLL32_Install_COM32\r\nMatanbuchus Main Export: Run_32DLL_COM32\r\nMatanbuchus Loader CommandLine: schtasks.exe /Create /SC 
MINUTE /MO 2 /TN Run_32DLL_COM32 /TR \"C:\\Windows\\System32\\rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\Run_32DLL_COM32\\shell96.dll,Run_32DLL_COM32\"\r\nMatanbuchus Main FilePath: C:\\Users\\Admin\\AppData\\Local\\Temp\\Run_32DLL_COM32\\\r\nAdditional Malicious Domains:\r\nbiznesplanet-bnpparlba[.]com\r\nbiznesplanet-parlbabnp[.]com\r\nbiznesplanet-parlbas[.]com\r\nbiznesplanet.parlbabnp[.]com\r\nlogin-biznesplanet[.]com\r\nbos24-logowan[.]com\r\nbos24-logowanie[.]com\r\nbos24-online[.]com\r\nibos-online24[.]com\r\nibos24-login[.]com\r\nibos24-online[.]com\r\nlogin-bos24[.]com\r\ncitationsherbe[.]at\r\nflowsrectifie[.]at\r\nodatingactualiz[.]at\r\nflash-player-update[.]digital\r\nflash-update[.]digital\r\nflashplayer-update[.]digital\r\nflashupdate[.]digital\r\nplayer-update[.]digital\r\nplayerupdate[.]digital\r\nupgrade-flash-player[.]digital\r\nsso-cloud-idea[.]com\r\ndostawapapajohns[.]online\r\nonlinepapajohns[.]online\r\npapa-johns-dostawa[.]digital\r\npapa-johns-dostawa[.]online\r\nlogin.wallet-secure[.]org\r\nwallet-secure[.]biz\r\nwallet-secure[.]me\r\nwallet-secure[.]org\r\nwallet-secure[.]site\r\nwallet-secure[.]xyz\r\nSource: https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/"
	],
	"report_names": [
		"matanbuchus-malware-as-a-service"
	],
	"threat_actors": [
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434287,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c30faf10ba26200b4b84920037e19af1df3843c2.pdf",
		"text": "https://archive.orkl.eu/c30faf10ba26200b4b84920037e19af1df3843c2.txt",
		"img": "https://archive.orkl.eu/c30faf10ba26200b4b84920037e19af1df3843c2.jpg"
	}
}