Matanbuchus Malware Evades AV Detection with an Evasive MSI Downloader

David kimber
January 29, 2026

Matanbuchus malware has re-emerged on the threat landscape, equipped with refined tactics and improved tools specifically engineered to bypass traditional antivirus detection.

This malware, known for its role as a stealthy downloader, is actively being used to deliver more dangerous payloads, including ransomware, onto targeted systems.

Recent activity shows that operators behind Matanbuchus are not only reviving the malware but also reshaping its delivery methods to blend in with normal enterprise activity.

The latest wave of campaigns relies heavily on Microsoft Installer (MSI) files to drop the Matanbuchus downloader on victim machines.

These MSI packages look harmless at first glance and are often disguised as legitimate software installers or updates, making it easier for attackers to trick users and bypass basic security checks.

Once a user runs the file, the downloader silently installs itself and prepares the infected host for the next stage of the attack.

Zscaler ThreatLabz researchers noted that Matanbuchus has been continuously changing several of its internal components to evade antivirus and machine learning-based security tools.

By frequently modifying key parts of the downloader, including its code structure and behavioral patterns, the operators reduce the chances of being flagged by static signatures or behavior-based rules.

⚠Matanbuchus has been continuously making changes to various components to evade AV/ML detection. The group is currently leveraging Microsoft Installer (MSI) files to drop the downloader module with some samples having zero detections: https://t.co/TtB8u0Rxdv

The C2 for this…

— Zscaler ThreatLabz (@Threatlabz) January 28, 2026

This constant evolution means that some recent samples have shown zero detections on popular scanning platforms at the time of discovery.

In ongoing campaigns, the Matanbuchus operators use MSI-based loaders to reach out to their command-and-control (C2) server and retrieve updated payloads.

One of the known C2 endpoints linked to this activity is hosted at hxxps://nady[.]io/check/robot.aspx, which acts as a control hub for delivering further stages of the attack.

Once communication is established, Matanbuchus can download additional malware, move laterally, or prepare the environment for ransomware deployment, depending on the attacker’s goals.

Focus on Detection Evasion and Component Changes

A key factor that makes this Matanbuchus wave dangerous is its aggressive focus on detection evasion. Instead of relying on a fixed codebase, the actors regularly tweak loader components, configuration formats, and obfuscation layers.

These changes are subtle enough to preserve functionality while altering the malware’s footprint, helping it slip past antivirus engines and some machine learning models that depend on known patterns and features.

Zscaler ThreatLabz analysts identified that the malware’s use of altered MSI structures and updated downloader logic is central to this strategy.

By constantly rotating elements such as strings, encryption routines, and network indicators, Matanbuchus minimizes reuse of artifacts that defenders typically track.

This approach forces security teams to look beyond simple indicators and focus on higher-level behaviors, such as unusual MSI execution patterns, suspicious outbound connections, and post-installation process activity.

Defenders who rely only on static IOCs risk missing newer samples that share very little overlap with older versions.

As Matanbuchus continues to adapt, organizations must harden defenses around script execution, installer handling, and outbound network traffic.

Security teams should pay special attention to MSI-based installation events that spawn unexpected processes or initiate external connections soon after execution.

Combining behavioral monitoring with threat intelligence can help close the visibility gap and reduce the window of opportunity for attackers using Matanbuchus and similar modular downloaders.
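The behavior the article tells defenders to watch for (an MSI install that spawns an unexpected process or opens an outbound connection shortly after execution) can be expressed as a simple correlation. The following is an added example, not code from the article or from Zscaler; it runs over constructed Sysmon-style events (process-create id 1, network-connect id 3) and the field names, PIDs and addresses are all assumed sample values.

```python
"""Correlate constructed Sysmon-style events to flag msiexec.exe installs that
spawn unexpected children or whose descendants connect out soon after install."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the page); fields mirror Sysmon 1 and 3.
EVENTS = [
    {"id": 1, "ts": "2026-01-28T10:00:00", "pid": 4100, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 1, "ts": "2026-01-28T10:00:04", "pid": 4120, "ppid": 4100, "image": r"C:\Users\u\AppData\Local\Temp\MSI1234.tmp"},
    {"id": 1, "ts": "2026-01-28T10:00:05", "pid": 4150, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe"},
    {"id": 3, "ts": "2026-01-28T10:00:09", "pid": 4150, "image": r"C:\Windows\System32\rundll32.exe", "dst": "203.0.113.10", "dport": 443},
    # A benign install: msiexec spawns only a child msiexec and nothing connects out.
    {"id": 1, "ts": "2026-01-28T11:00:00", "pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 1, "ts": "2026-01-28T11:00:02", "pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\msiexec.exe"},
    {"id": 3, "ts": "2026-01-28T11:30:00", "pid": 6000, "image": r"C:\Program Files\App\app.exe", "dst": "198.51.100.5", "dport": 443},
]
EXPECTED_CHILDREN = {"msiexec.exe"}  # tune per environment; msiexec normally spawns itself
WINDOW = timedelta(seconds=120)      # "soon after execution" threshold (assumed)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window=WINDOW):
    """Return (kind, root_msiexec_pid, pid, detail) alerts in time order."""
    events = sorted(events, key=lambda e: e["ts"])
    installs = {}  # root msiexec pid -> start time
    lineage = {}   # any pid in an install tree -> root msiexec pid
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 1:
            if basename(e["image"]) == "msiexec.exe" and e["ppid"] not in lineage:
                installs[e["pid"]] = ts          # new install root
                lineage[e["pid"]] = e["pid"]
            elif e["ppid"] in lineage:           # descendant of an install
                root = lineage[e["ppid"]]
                lineage[e["pid"]] = root
                if basename(e["image"]) not in EXPECTED_CHILDREN and ts - installs[root] <= window:
                    alerts.append(("unexpected_child", root, e["pid"], basename(e["image"])))
        elif e["id"] == 3 and e["pid"] in lineage:
            root = lineage[e["pid"]]
            if ts - installs[root] <= window:
                alerts.append(("outbound_after_install", root, e["pid"], f'{e["dst"]}:{e["dport"]}'))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In real telemetry the same correlation keys on ProcessGuid rather than PID, and the child allow-list and window should be tuned against the organization's own installer baseline.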
