17 Jul, 2025
Hackers hijack Microsoft Teams to spread malware to certain firms - find out if you're at risk
@Source: techradar.com
Sead Fadilpašić, 17 July 2025

Victims are carefully picked

- Researchers from Morphisec spotted Matanbuchus 3.0 in the wild
- The malware serves as a loader for Cobalt Strike or ransomware
- The victims are approached via Teams and asked for remote access

Security researchers are warning about an ongoing campaign leveraging Microsoft Teams calls to deploy a piece of malware called Matanbuchus 3.0.

As per cybersec outfit Morphisec, an unidentified hacking group first carefully picks its victims, and then reaches out via Microsoft Teams, posing as an external IT team. They try to persuade the victim that they have a problem with their device and that they need to grant remote access in order to fix the issue. Since the victims are cherry-picked, there is a higher chance of success.
Expensive malware-as-a-service

Once the access is granted, usually through Quick Assist, the attackers execute a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike beacons, or even ransomware.

"Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive," Morphisec CTO Michael Gorelik said. "This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader."

This malware was first spotted in 2021, The Hacker News reports, when cybercriminals advertised it on Russian-speaking forums for $2,500. Since then, the malware has evolved to include new features, better communication, more stealth, CMD and PowerShell support, and more. It also apparently costs more, now having a monthly service price of $10,000 for the HTTPS version and $15,000 for the DNS version.

While the researchers do not identify the attackers, they did say that similar social engineering tactics were used in the past by a group called Black Basta to deploy ransomware.
In the past, Black Basta was one of the most dangerous ransomware operations in existence, but it has since slowly faded away. In late February this year, a cybercriminal released chat logs that detailed the inner workings of the group.

Via The Hacker News
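A defender-side check for the chain described above, as an added example that is not from the article or from Morphisec: it flags a binary whose version resource identifies it as the Notepad++ updater but which runs renamed or outside the updater folder, and raises severity when Quick Assist and PowerShell started on the same host shortly before. The field names, the `gup.exe` resource name, the folder list, the 30-minute window and all sample events are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Assumptions, not from the article: Sysmon-style fields, GUP's version-resource
# name "gup.exe", default Notepad++ updater folders, a 30-minute window.
GUP_NAME = "gup.exe"
GUP_DIRS = (r"c:\program files\notepad++\updater",
            r"c:\program files (x86)\notepad++\updater")
WINDOW = timedelta(minutes=30)

# Constructed sample events (hosts, paths and times are invented).
EVENTS = [
    {"host": "WS-01", "time": "2025-07-01T09:00:00", "original": "gup.exe",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"host": "WS-02", "time": "2025-07-01T10:00:00", "original": "quickassist.exe",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"host": "WS-02", "time": "2025-07-01T10:05:00", "original": "PowerShell.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-02", "time": "2025-07-01T10:07:00", "original": "gup.exe",
     "image": r"C:\Users\alice\AppData\Roaming\upd\GenericUpdater.exe"},
    {"host": "WS-03", "time": "2025-07-01T11:00:00", "original": "gup.exe",
     "image": r"C:\Users\bob\Downloads\GUP.exe"},
]

def is_misplaced_gup(ev):
    """True when a binary identifying itself as GUP is renamed or outside its folder."""
    if ev["original"].lower() != GUP_NAME:
        return False
    image = ev["image"].lower()
    return ntpath.basename(image) != GUP_NAME or ntpath.dirname(image) not in GUP_DIRS

def triage(events):
    """Return (host, image, severity); 'high' when Quick Assist and PowerShell preceded it."""
    quick_assist, powershell, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        host, when = ev["host"], datetime.fromisoformat(ev["time"])
        name = ntpath.basename(ev["image"]).lower()
        if name == "quickassist.exe":
            quick_assist[host] = when
        elif name in ("powershell.exe", "pwsh.exe"):
            if host in quick_assist and when - quick_assist[host] <= WINDOW:
                powershell[host] = when
        elif is_misplaced_gup(ev):
            chained = host in powershell and when - powershell[host] <= WINDOW
            findings.append((host, ev["image"], "high" if chained else "medium"))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

The legitimate updater on WS-01 produces no finding; the same binary run from a user-writable folder is reported even without a preceding remote-support session.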