Malware-as-a-Service (MaaS) spreading on Microsoft Teams!
SCWorld.com reported that “Phishing via Microsoft Teams is being used to spread a new version of the Matanbuchus malware loader, Morphisec reported Wednesday. Matanbuchus 3.0 is a complete rewrite of the original Matanbuchus malware-as-a-service (MaaS) that has been available since 2021, according to an advertisement for the loader found on a cybercrime forum on July 7, 2025.” The July 16, 2025 article entitled “Microsoft Teams phishing spreads updated Matanbuchus malware loader” (https://www.scworld.com/news/microsoft-teams-phishing-spreads-updated-matanbuchus-malware-loader) included these comments:
Morphisec observed this newer version even prior to the publication of the advertisement, suggesting it was already circulating among trusted cybercriminal circles for some time. In one July 2025 case, a Morphisec customer was subjected to phishing via a Teams call, leading to Matanbuchus infection.
The new version of Matanbuchus supports EXE, DLL, MSI and Shellcode for next stage execution. It also supports WQL queries, direct commands (CMD) and PowerShell reverse shells. The malware uses msiexec process hollowing for stealthy MSI execution.
While Morphisec did not identify a specific ransomware attack tied to this new loader, it emphasizes that its improved stealth, communication methods and execution support could set the stage for subsequent ransomware deployment.
Very bad news! What do you think?