---
title: "Cybercrime’s Latest: Matanbuchus Employed in Phishing Campaign to Infect Devices with Cobalt Strike | Phish Protection"
description: "There is a new phishing spam campaign making headlines in the cybersecurity world that delivers malware onto compromised machines."
image: "https://phishprotection.com/og/blog/cybercrimes-latest-matanbuchus-employed-phishing-campaign-infect-devices-cobalt-strike.png"
canonical: "https://phishprotection.com/blog/cybercrimes-latest-matanbuchus-employed-phishing-campaign-infect-devices-cobalt-strike/"
---


![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/06/phishing-prevention-tips-2132.jpg) 

There is a new phishing spam campaign making headlines in the cybersecurity world that delivers malware onto **compromised machines**. The [malware](/content/protection-against-malware/types-of-malware) is initiated by a phishing attack and delivered by “Matanbuchus,” specially designed to deliver DLL payloads, launch malicious PowerShell commands, and persist via additional task schedules.

The attack is **highly sophisticated** and makes use of malicious MSI installer files leading to an Adobe Acrobat installer running a beacon for [Cobalt Strike](https://cybernews.com/editorial/cobalt-strike-pentesting-tools-cybercriminals/) in the background.

The following sections delve deeper into how the latest malware attack takes place.

### How Does the Latest Cobalt Strike Attack Occur?

The phishing campaign is **still happening** and needs careful attention. You can protect yourself from the malspam campaign by understanding how it works.

The campaign’s centerpiece is an **email** that poses as a reply to a previous email and hence bears the prefix “Re:”. These emails also contain a [ZIP file](https://www.techradar.com/news/zip-files-are-being-used-to-bypass-security-gateways) holding an HTML (Hyper Text Markup Language) file, which in turn downloads another ZIP archive.

When you open the HTML document, it resembles a **fake Microsoft OneDrive page** and downloads a ZIP file containing an MSI package. The ZIP file extracts an MSI package issued in the name of one “Westeast Tech Consulting, Corp.”, which is also digitally signed with a DigiCert certificate.

Once you run the MSI installer, it initiates a setup for Adobe Acrobat that updates the Adobe Acrobat font catalog and ultimately **ends with an error**, diverting the device’s owner from what is really happening. In the **background**, the installer drops two [malicious](/resources/phishing-attacks-and-content-protection/) Matanbuchus DLL payloads.

These “main.dll” payloads are dropped in separate locations, and a scheduled task gives them persistence across **system reboots**. In addition, a connection with the C2 (Command and Control) server is established. Matanbuchus loads a payload from the C2 server, initiating the Cobalt Strike beacon and paving the way for **wider system exploitation** and attacks.


![Phishing prevention tips](https://media.mailhop.org/phishprotection/images/2022/06/phishing-prevention-tips-2132.jpg) 

### The Latest Cobalt Strike Phishing Campaign Report

The Matanbuchus campaign used to deliver Cobalt Strike was reported on May 23, 2022, by DCSO. The Deutsche Cyber-Sicherheits Organization is a German cybersecurity [organization](https://www.insurancebusinessmag.com/us/news/breaking-news/no-organization--big-or-small--is-free-from-the-threat-of-cyberattack-438499.aspx) based in Berlin.

DCSO reported how they analyzed a sample found on VirusTotal and discovered the Matanbuchus campaign, in which both Cobalt Strike and **Qakbot** were delivered to the infected devices.

The attack followed the **same structure**: an MSI file bearing a valid DigiCert signature. However, in their case, the certificate was issued to “Advanced Access Services LTD” with a signing date of April 26, 2022. You can read the findings of DCSO’s report in detail [here](https://medium.com/@DCSO%5FCyTec/a-deal-with-the-devil-analysis-of-a-recent-matanbuchus-sample-3ce991951d6a).

### What are Matanbuchus and Cobalt Strike, and Why are They a Cause of Concern?

**Matanbuchus** is a [Malware-as-a-Service (MaaS)](https://www.tripwire.com/state-of-security/what-malware-service-maas#:~:text=Malware%20as%20a%20Service%20is,support%20by%20the%20MaaS%20owners.) offering used in the Cobalt Strike delivery campaign. The Matanbuchus Loader became available on the dark web in February 2021, advertised by BelialDemon for a rental price of $2500.

Matanbuchus is infamous for its ability to **drop second-stage malware** using Command and Control servers. Cybercriminals can use it to launch .exe or .dll files, leverage schtasks.exe for modifying task schedules, and launch PowerShell commands.

**Cobalt Strike**, on the other hand, is a penetration-testing product. Used by [white hat hackers](https://www.techtarget.com/searchsecurity/definition/white-hat) and software testers, Cobalt Strike allows you to deploy **beacons** on a machine, providing a range of functionality. Cybercriminals widely employ Cobalt Strike due to its stability and high customizability.

In the case of the current Matanbuchus phishing campaign, the Cobalt Strike beacon enables [cybercriminals](/phishing/cybercriminals-are-duping-millions-of-accounts-in-the-latest-facebook-phishing-campaign) to harm your devices in a variety of ways, including:

- **_Command Execution:_** The threat actor can execute commands on your device and change your **device’s settings**.
- **_Key Logging:_** The threat actor can also use Cobalt Strike to log keys, i.e., **monitor all keystrokes** to eavesdrop on what you are typing on your device.
- **_File Transfer:_** The threat actor can also transfer confidential and personal files, documents, and more.
- **_Privilege Escalation:_** The [threat actor](/phishing-awareness/threat-actors-breach-reddit-and-access-internal-documents-code-and-business-systems) can also escalate their privileges on your home or organization’s network, gaining entrance into the secure perimeter and causing wider harm.


### How to Keep Safe From the Cobalt Strike Campaign?

You can keep yourself safe from the Matanbuchus and Cobalt Strike attacks by avoiding the emails that deliver them, and you can only do that by familiarizing yourself with how the attack occurs. Here are a few **giveaways** you can look out for:

- **_ZIP file attachments:_** The campaign relies on emails posing as replies, bearing “Re:” in the subject. Furthermore, the email carries a ZIP attachment that extracts to an [HTML file](https://www.financialexpress.com/life/technology-phishing-attack-html-files-can-be-malicious-too-2585504/). If you come across a **similar combination**, you should halt there, as you might be heading right into the attack campaign.
- **_Fake OneDrive Page:_** If, by any chance, you open the HTML page, it is easily recognizable as a fake: it disguises itself as a OneDrive page yet downloads an **MSI package** onto your device.
- **_DigiCert Certificate:_** All the MSI files in the campaign carry a [digital certificate](https://www.okta.com/identity-101/digital-certificate/) issued by DigiCert, which can be checked via the MSI file’s properties. The organization the certificate was issued to may differ, but the signer is DigiCert in every case.
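As an added example (not code from this post, DCSO, or any vendor), the following Python script shows how a mail gateway or triage tool could flag the combination in the first giveaway above: a reply-style subject together with a ZIP attachment that contains an HTML file. The message it scans is constructed inline; the addresses and file names are placeholders.

```python
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

HTML_EXT = (".html", ".htm")


def build_sample_eml(subject: str, inner_name: str) -> bytes:
    """Construct a test message (not a real campaign sample) shaped like the
    lure: a subject line and a ZIP attachment wrapping a single file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "<html><body>constructed placeholder</body></html>")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "sender@example.invalid"   # placeholder address
    msg["To"] = "user@example.invalid"       # placeholder address
    msg.set_content("Please see the attached file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="attachment.zip")
    return bytes(msg)


def html_names_in_zip(data: bytes) -> list[str]:
    """Return the names of HTML files inside a ZIP payload (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(HTML_EXT)]
    except zipfile.BadZipFile:
        return []


def score_message(raw: bytes) -> dict:
    """Flag the pattern the post describes: a 'Re:' subject plus a ZIP
    attachment that contains an HTML file. Either signal alone is common
    in legitimate mail; only the combination is treated as suspicious."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = (msg["Subject"] or "").strip().lower()
    findings = {"reply_prefix": subject.startswith("re:"), "zip_with_html": []}
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip") or part.get_content_type() == "application/zip":
            payload = part.get_payload(decode=True) or b""
            findings["zip_with_html"].extend(html_names_in_zip(payload))
    findings["suspicious"] = findings["reply_prefix"] and bool(findings["zip_with_html"])
    return findings


if __name__ == "__main__":
    print(score_message(build_sample_eml("Re: invoice", "OneDrive_Invoice.html")))
```

Nested archives (the HTML file in this campaign fetches a second ZIP) are not unpacked here; a production filter would also detonate the HTML in a sandbox, as the post recommends.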

If you come across any of the above warning signs, you should **stop further interaction** with the files, as you might be a target of the latest Matanbuchus Cobalt Strike phishing campaign. Furthermore, having a sandbox in which to run files safely and an anti-virus product can prove significantly helpful, as these can detect most malware and hidden downloads.

The **latest** Matanbuchus malspam campaign has also been noted by threat analyst Brad Duncan. You can view his take on the [Cobalt Strike malspam campaign here](https://isc.sans.edu/forums/diary/Malspam+pushes+Matanbuchus+malware+leads+to+Cobalt+Strike/28752/).

![Phishing attack prevention](https://media.mailhop.org/phishprotection/images/2022/06/phishing-attack-prevention-2971.jpg) 

### Final Words

[Cybersecurity](/content/cybersecurity-in-a-nutshell) is a great cause of concern these days for organizations and individuals alike. Alongside the **advancements** in security, threat actors are equally determined to use advanced tools and methods for malicious purposes.

The latest malspam campaign is not to be taken lightly. The Matanbuchus campaign is currently ongoing and can affect your devices to cause all kinds of trouble. There has not been any official direction or recognition of the attacker behind the campaign, so it would be best to take [phishing protection](/) measures and avoid emails and files resembling the attack’s pattern altogether.


[ Brad Slavin ](/authors/brad-slavin/) 

General Manager


Published June 28, 2022.
