Matanbuchus Loader CTI and Malware Analysis Report


Matanbuchus is a Windows loader offered as Malware-as-a-Service. It focuses on staging and executing second-stage payloads fully in memory, uses scheduled tasks and related Windows components for persistence and tasking, and can run operator-supplied PowerShell, executables, DLLs, and raw shellcode. In early 2021 an underground actor using the handle “BelialDemon” began advertising the service on Russian-language and Tor forums, positioning it as a premium, limited-seat tool for experienced buyers. Since then Matanbuchus has appeared in email-driven and social-engineering campaigns, often masquerading as legitimate installers, and it is frequently used to deploy Cobalt Strike or similar post-exploitation frameworks. The offering has evolved through several versions that add DNS and HTTPS command-and-control options, fileless execution improvements, light reconnaissance via WMI or WQL queries, and built-in reverse shell functionality. In typical intrusions Matanbuchus operates in the pre-ransomware phase, giving operators a dependable in-memory stager that blends into common enterprise workflows.

Ransomware in July 2025 Report

Relevant Reports

We see the full picture of the evolving cyber threat landscape thanks to unique tools for monitoring the infrastructure used by cybercriminals and data from battlefields: