Hackers Are Hijacking Microsoft Teams Calls to Install Stealth Malware
- Cyber Jack

- Jul 17
- 3 min read
A new variant of the Matanbuchus malware loader is being deployed through a crafty new attack method: Microsoft Teams calls that impersonate IT helpdesk staff. Researchers say the approach represents a growing trend of attackers leveraging trusted enterprise tools to quietly breach networks with minimal resistance.
First advertised in early 2021 on dark web forums as a $2,500 malware-as-a-service offering, Matanbuchus was designed to execute malicious payloads directly in memory, avoiding disk-based detection. By mid-2022, it had evolved into a delivery vehicle for Cobalt Strike beacons in widespread phishing campaigns.
Now, in its 3.0 version, Matanbuchus has become stealthier and more sophisticated, according to an in-depth technical analysis by security researchers at Morphisec. The loader is now actively being distributed using Microsoft Teams, a legitimate collaboration platform, to gain initial access to victims’ machines.
In this latest campaign, attackers initiate a Teams video or voice call posing as the company’s IT department. The goal is to convince the target to launch Quick Assist, Microsoft’s built-in remote support tool. Once access is granted, the attacker guides the user through running a PowerShell script that downloads a ZIP file. That file contains three components used to sideload a malicious DLL, kicking off the Matanbuchus attack chain.
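A defender-side illustration of the chain just described, added here and not taken from the Morphisec analysis: it walks constructed Sysmon-style process-creation events and flags shells and DLL hosts whose parent lineage passes through Quick Assist, ignoring a PowerShell session started the normal way. The event field names and the Quick Assist executable name are assumptions.

```python
import re

# Constructed sample telemetry in a Sysmon-style process-creation shape (not real data).
# The Quick Assist image name "QuickAssist.exe" and the field names are assumptions.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\WindowsApps\QuickAssist\QuickAssist.exe",
     "cmdline": "QuickAssist.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\u\Downloads\support.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\pkg\helper.dll,Start"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},  # benign: not started under Quick Assist
]

QUICK_ASSIST = {"quickassist.exe"}          # assumed image name of the remote-support tool
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}  # typical hosts for a sideloaded DLL
USER_WRITABLE = re.compile(r"\\(users|appdata|temp)\\", re.IGNORECASE)

def image_name(path):  # lower-cased file name of an image path, either slash style
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestors(pid, by_pid):
    """Ancestor events of pid, nearest first; stops at unknown or cyclic parents."""
    seen, out, ev = {pid}, [], by_pid.get(pid)
    while ev and ev["ppid"] not in seen and ev["ppid"] in by_pid:
        ev = by_pid[ev["ppid"]]
        seen.add(ev["pid"])
        out.append(ev)
    return out

def find_quick_assist_chains(events):
    """Return (pid, kind, lineage) for shells/DLL hosts descended from Quick Assist."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name not in SHELLS and name not in DLL_HOSTS:
            continue
        lineage = [image_name(a["image"]) for a in reversed(ancestors(e["pid"], by_pid))]
        if not QUICK_ASSIST.intersection(lineage):
            continue  # a shell launched some other way is not this chain
        if name in DLL_HOSTS and not USER_WRITABLE.search(e["cmdline"]):
            continue  # DLL hosts loading from system paths are routine
        kind = "shell-under-quick-assist" if name in SHELLS else "dll-sideload-under-quick-assist"
        findings.append((e["pid"], kind, lineage + [name]))
    return findings
```

Running it over the sample flags pid 300 (PowerShell under Quick Assist) and pid 400 (rundll32 loading a DLL from a user-writable path beneath that shell), and leaves the ordinary PowerShell session alone.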
"This is a prime example of abusing user trust and enterprise tools that are already sanctioned within organizations," said Chance Caldwell, Senior Director of the Phishing Defense Center at Cofense. "In this particular case, it was Microsoft Teams and Quick Assist, but we have seen a large variety of legitimate services being used."
The abuse of Microsoft Teams for malware delivery is not entirely new. In previous incidents, attackers exploited flaws in Teams to drop malicious payloads through external chats. Lax configuration around 'External Access' has made it easy for threat actors to reach targets under the guise of trusted contacts. Last year, DarkGate malware actors used similar tactics to gain a foothold in corporate environments.
Matanbuchus 3.0 brings notable upgrades in stealth. The malware’s developers replaced the RC4 encryption method with Salsa20 for obfuscating command-and-control traffic and strings. It also includes a sandbox evasion check that runs only on specific system locales, making analysis harder for researchers.
Rather than calling traditional Windows API functions, the loader now performs direct syscalls through custom shellcode. This allows it to bypass endpoint detection and response (EDR) hooks that normally monitor API usage. Further complicating reverse engineering, the malware uses MurmurHash3 to obscure API names and identifiers.
Morphisec’s analysis highlights the malware’s versatility after infection. It can launch shellcode, run executables or DLLs, and execute PowerShell or CMD commands. It also gathers system data including usernames, OS build info, domain names, admin privileges, and running security software. The C2 server tailors follow-up actions based on this intelligence.
“The execution methods sent back from the C2 are likely dependent on the current security stack of the victim,” the researchers noted.
This behavior reflects a broader trend in the malware landscape. Attackers are increasingly using legitimate remote access tools, not just for reconnaissance but as full delivery vectors.
“Threat actors can skip creating sophisticated delivery mechanisms to gain access to your system by piggybacking off of these programs that already have access,” Caldwell added.
“If your organization is using the Microsoft Quick Assist feature, we recommend disabling it across your fleet.”
Morphisec also released indicators of compromise for defenders, including malware hashes and command-and-control domains tied to this Matanbuchus wave.
The rise of malware that blends in with everyday enterprise software highlights the urgent need for better training and stricter controls. As attackers refine their social engineering and abuse of trusted tools, even a simple Teams call can become the first step in a sophisticated breach.