Hackers hijack Microsoft Teams to spread malware to certain firms - find out if you're at risk
@Source: techradar.com
Sead Fadilpašić
17 July 2025
Victims are carefully picked
Researchers from Morphisec spotted Matanbuchus 3.0 in the wild
The malware serves as a loader for Cobalt Strike or ransomware
The victims are approached via Teams and asked for remote access
Security researchers are warning about an ongoing campaign leveraging Microsoft Teams calls to deploy a piece of malware called Matanbuchus 3.0.
As per cybersec outfit Morphisec, an unidentified hacking group first carefully picks its victims, and then reaches out via Microsoft Teams, posing as an external IT team.
They try to persuade the victim that they have a problem with their device and that they need to grant remote access in order to fix the issue. Since the victims are cherry-picked, there is a higher chance of success.
Expensive malware-as-a-service
Once access is granted, usually through Quick Assist, the attackers execute a PowerShell script that deploys Matanbuchus 3.0, a malware loader that can lead to Cobalt Strike beacons, or even ransomware.
"Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive," Morphisec CTO Michael Gorelik said. "This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader."
This malware was first spotted in 2021, The Hacker News reports, when cybercriminals advertised it on Russian-speaking forums for $2,500. Since then, the malware has evolved to include new features, better communication, more stealth, CMD and PowerShell support, and more. It also apparently costs more, now having a monthly service price of $10,000 for the HTTPS version and $15,000 for the DNS version.
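The delivery chain described above (Quick Assist session, PowerShell script, renamed Notepad++ updater) leaves traces in process-creation telemetry. The sketch below is an added example, not code from Morphisec or the article: it flags a PowerShell start shortly after Quick Assist on the same host, and any binary whose embedded original file name is the updater's while its name or folder is not. The event field names, the 30-minute window, the `gup.exe` original-file-name value and the install folders are assumptions, and the events are constructed.

```python
import ntpath
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
GUP_ORIGINAL = "gup.exe"         # assumed OriginalFileName of the Notepad++ updater
GUP_DIRS = {r"c:\program files\notepad++\updater",        # assumed install folders
            r"c:\program files (x86)\notepad++\updater"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
EVENTS = [
    {"time": "2025-07-17T10:00:05", "host": "WS-01", "original": "quickassist.exe",
     "image": r"C:\Windows\System32\quickassist.exe"},
    {"time": "2025-07-17T10:06:40", "host": "WS-01", "original": "PowerShell.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"time": "2025-07-17T10:07:12", "host": "WS-01", "original": "gup.exe",
     "image": r"C:\Users\alice\AppData\Roaming\helper\updsvc.exe"},
    {"time": "2025-07-17T11:30:00", "host": "WS-02", "original": "gup.exe",
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe"},
    {"time": "2025-07-17T12:00:00", "host": "WS-02", "original": "PowerShell.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def triage(events):
    """Return (host, time, rule) findings for the two behaviours in the report."""
    findings, last_qa = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        name = ntpath.basename(ev["image"]).lower()
        folder = ntpath.dirname(ev["image"]).lower()
        if name == "quickassist.exe":
            last_qa[ev["host"]] = ts          # remember the latest session start per host
        elif name in SHELLS:
            started = last_qa.get(ev["host"])
            if started and ts - started <= WINDOW:
                findings.append((ev["host"], ev["time"], "shell_after_quick_assist"))
        # The version resource survives a rename on disk, so compare it with name and folder.
        if ev["original"].lower() == GUP_ORIGINAL and (
                name != GUP_ORIGINAL or folder not in GUP_DIRS):
            findings.append((ev["host"], ev["time"], "renamed_or_relocated_gup"))
    return findings

if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

Neither rule is conclusive alone, since help desks legitimately run PowerShell during Quick Assist sessions; the two findings landing on one host within minutes is what warrants escalation.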
While the researchers did not identify the attackers, they did say that similar social engineering tactics were used in the past by a group called Black Basta to deploy ransomware.
In the past, Black Basta was one of the most dangerous ransomware operations in existence, but it has since slowly phased out. In late February this year, a cybercriminal released chat logs that detailed the inner workings of the group.
Via The Hacker News