{
	"id": "bc970c71-b412-4569-8a61-e877fcda3e37",
	"created_at": "2026-04-06T00:21:17.127223Z",
	"updated_at": "2026-04-10T13:12:19.481867Z",
	"deleted_at": null,
	"sha1_hash": "f7510e4e2a254314d041b877c8f7ab59b5271362",
	"title": "Matanbuchus Loader Resurfaces - Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 835434,
	"plain_text": "Matanbuchus Loader Resurfaces - Cyble\r\nPublished: 2022-06-23 · Archived: 2026-04-05 19:24:18 UTC\r\nCyble takes a look at Matanbuchus, a malware loader that delivers Cobalt Strike Beacons via spam campaigns.\r\nResearchers discovered that Matanbuchus, a malware loader, was available on Russian-speaking cybercrime forums for a rental price of $2500 from February 2021.\r\nRecently, Cyble Research Labs came across a Twitter post where a researcher observed this malware spreading through spam campaigns. Additionally, it downloads Cobalt Strike Beacons as payloads onto compromised systems.\r\nFigure 1 shows the infection chain of the Matanbuchus malware.\r\nFigure 1 – Infection Chain of Matanbuchus\r\nThe Matanbuchus infection starts through spam emails containing a ZIP attachment. This ZIP attachment contains an HTML file.\r\nhttps://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/\r\nPage 1 of 10\r\nFigure 2 – Spam Email with ZIP Attachment\r\nUpon executing the HTML file, it decodes the base64 content embedded in the file and drops a ZIP file in the Downloads folder.\r\nHowever, code present in the HTML file indicates that the ZIP file is hosted at a OneDrive location, as shown below.\r\nFigure 3 – ZIP Attachment in HTML Page\r\nThe ZIP file contains an MSI installer file. After extraction, executing the MSI file shows a fake error message, as shown below.\r\nFigure 4 – Adobe Fake Error Message\r\nHowever, in the background, the MSI installer drops a Dynamic Link Library (DLL) and a VBS file in the following locations:\r\nC:\\Users\\\u003cAdmin\u003e\\AppData\\Local\\AdobeFontPack\\main.dll\r\nC:\\Users\\\u003cAdmin\u003e\\AppData\\Local\\AdobeFontPack\\notify.vbs\r\nThe malware uses the VBS file to show fake error messages.\r\nFigure 5 – Dropped DLL and VBS files\r\nAdditionally, the malware downloads another DLL file with an NLS extension from https[:]//telemetrysystemcollection[.]com to the below location:\r\nC:\\Users\\\u003cAdmin\u003e\\AppData\\Local\\x86\\\u003c4-digit Hex Value\u003e.nls\r\nThe downloaded file is a copy of main.dll, which is another way to get the latest version of this malware from the remote server.\r\nFigure 6 – Dropped Copy of Malware DLL File with .nls Extension\r\nAfter dropping the DLL files, the MSI file launches regsvr32.exe and loads the malicious main.dll file to download the actual Matanbuchus malware.\r\nThe below figure shows the process chain of the MSI file.\r\nFigure 7 – Process Chain\r\nTechnical Analysis\r\nWe have taken the below sample hash (SHA256) for analysis:\r\n14debc481aa0a26d3a0bdeed0e56b3ae9e301220f2606aae624d57a9d0617d6f\r\nWe found that the malicious binary is a 32-bit DLL file based on static analysis.\r\nThe main function of the dropped DLL file (main.dll) is to act as a loader and download the actual Matanbuchus DLL from the C\u0026C server.\r\nBefore downloading the DLL file, it calls APIs such as IsProcessorFeaturePresent(), GetSystemTimeAsFileTime(), IsDebuggerPresent() and QueryPerformanceCounter(), as well as the cpuid instruction, to ensure that the malware is not running under a controlled environment such as VMware, a sandbox, etc.\r\nFigure 8 – Anti-debug Check\r\nThe malware executes an export function called HackCheck(), which runs a decryption loop on encrypted strings and prints the output using the OutputDebugStringA() API. The below figure shows the encrypted string and decryption code.\r\nFigure 9 – HackCheck Function\r\nTo establish persistence, the malware creates a scheduled task to run the 8c01.nls file with a specific export function by using the following command line:\r\n%windir%\\system32\\regsvr32.exe -n -i:\"UpdateСheck\" \"C:\\Users\\\u003cAdmin\u003e\\AppData\\Local\\x86\\8c01.nls\"\r\nThis scheduled task checks the malware version and downloads the latest version from the remote server every 60 seconds.\r\nFigure 10 – Scheduled Task Entry for Persistence\r\nThen, the malware connects to the below URL and receives a base64-encoded response:\r\nhxxp://telemetrysystemcollection[.]com/m8YYdu/mCQ2U9/home.aspx\r\nThe decoded base64 content is an XOR-encrypted binary, which the malware decrypts using the hardcoded key FuHZu4rQgn3eqLZ6FB48Deybj49xEUCtDTAmF.\r\nThe decrypted content is the actual Matanbuchus malware, which is mapped into the same process and executed using the export function DllRegisterServer.\r\nThe below figure shows the URL, XOR key, and export function names during runtime.\r\nFigure 11 – URL and XOR key to download Actual Matanbuchus DLL\r\nThe below figure shows the hardcoded strings related to Matanbuchus present in the memory of regsvr32.exe. This indicates that the actual payload is loaded and executed in memory without ever being dropped on disk.\r\nFigure 12 – Hardcoded Matanbuchus Strings\r\nThe Matanbuchus payload is responsible for executing other exe payloads as well as loading and executing shellcode and malicious DLL files.\r\nNetwork Activities\r\nThe Matanbuchus payload connects to the C\u0026C server hxxp://collectiontelemetrysystem[.]com/cAUtfkUDaptk/ZRSeiy/requets/index.php and sends a base64-encoded POST request.\r\nThe decoded base64 content is JSON, as shown in Figure 13.\r\nThe JSON values are encrypted using an RC4 key and encoded using base64; these are further decrypted on the server side. This gives the TA victim details such as the MAC address, computer name, etc.\r\nFigure 13 – POST Request to C\u0026C Server\r\nFinally, the Matanbuchus malware downloads two Cobalt Strike Beacons from the C\u0026C servers.\r\nFirst Cobalt-Strike Beacon:\r\nThe malware first downloads a file “cob23_443.txt” from hxxp://144.208.127[.]245/cob23_443.txt. This is a hexadecimal-encoded binary file that is further converted to ASCII characters, and it then downloads the Cobalt Strike Beacon from hxxps://extic[.]icu/empower/type.tiff.\r\nThe below figure shows the network communication which downloads the first Cobalt Strike Beacon.\r\nFigure 14 – C\u0026C details of First Cobalt-Strike Payload\r\nSecond Cobalt-Strike Beacon:\r\nAfter downloading the first beacon, Matanbuchus downloads a second Cobalt Strike DLL file named “cob_220_443.dll” from another URL:\r\nhxxp://144.208.127[.]245/cob_220_443.dll\r\nThe below figure shows the network communication that downloads the second Cobalt Strike Beacon.\r\nFigure 15 – C\u0026C details of Second Cobalt-Strike Payload\r\nC\u0026C Commands\r\nThe Matanbuchus malware executes the following C\u0026C commands:\r\nRunning exe\r\nStarting the exe with parameters\r\nHigh start exe\r\nRunDll32 \u0026 Execute\r\nRegsvr32 \u0026 Execute\r\nRun CMD in memory\r\nRun PS in memory\r\nMemLoadDllMain || MemLoadExe\r\nMemLoadShellCode\r\nMemLoadShellCode #2\r\nRunning dll in memory #2 (DllRegisterServer)\r\nRunning dll in memory #3 (DllInstall(Install))\r\nRunning dll in memory #3 (DllInstall(Unstall))\r\nCrypt update \u0026 Bots upgrade\r\nUninstall\r\nConclusion\r\nThreat Actors use various techniques to deploy their malicious payloads onto the victim’s system. In this case, we observed that the TAs used the Matanbuchus malware loader to deliver Cobalt Strike Beacons.\r\nCyble Research Labs will closely monitor the Matanbuchus malware group and other TAs and analyze them to better understand their motivations and TTPs.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nAvoid downloading files from unknown websites.\r\nUse a reputable anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.\r\nRefrain from opening untrusted links and email attachments without first verifying their authenticity.\r\nEducate employees on protecting themselves from threats like phishing and untrusted URLs.\r\nMonitor the beacon at the network level to block data exfiltration by malware or TAs.\r\nEnable a Data Loss Prevention (DLP) solution on employees’ systems.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1566 | Phishing\r\nExecution | T1204 | User Execution\r\nExecution | T1059 | Command and Scripting Interpreter\r\nPersistence | T1053 | Scheduled Task/Job\r\nDefence Evasion | T1497 | Virtualization/Sandbox Evasion\r\nLateral Movement | T1021 | Remote Services\r\nCNC | T1071 | Application Layer Protocol\r\nIndicator Of Compromise (IOCs)\r\nSource: https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/06/23/matanbuchus-loader-resurfaces/"
	],
	"report_names": [
		"matanbuchus-loader-resurfaces"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d9b39228-0d9d-4c1e-8e39-2de986120060",
			"created_at": "2023-01-06T13:46:39.293127Z",
			"updated_at": "2026-04-10T02:00:03.277123Z",
			"deleted_at": null,
			"main_name": "BelialDemon",
			"aliases": [
				"Matanbuchus"
			],
			"source_name": "MISPGALAXY:BelialDemon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434877,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f7510e4e2a254314d041b877c8f7ab59b5271362.pdf",
		"text": "https://archive.orkl.eu/f7510e4e2a254314d041b877c8f7ab59b5271362.txt",
		"img": "https://archive.orkl.eu/f7510e4e2a254314d041b877c8f7ab59b5271362.jpg"
	}
}