Threat Profile
Family
Matanbuchus (Downloader/Loader-as-a-Service).
Delivery Vector
Social Engineering via fake software updates/installers packed as .msi files.
Capabilities
Retrieval of secondary payloads (Ransomware), Lateral Movement, Environment Preparation.
MITRE ATT&CK Mapping
Defense Evasion (T1027)
Obfuscation of internal components and logic to break static signatures.
Defense Evasion (T1218.007)
Abuse of msiexec.exe to proxy execution of malicious payloads via MSI files.
Command and Control (T1071.001)
Web traffic to C2 infrastructure.
Live Evidence Extraction (IOCs)
Caution: These indicators are active as of Jan 29, 2026.
Network (C2)
hxxps://nady[.]io/check/robot.aspx
File Type
Microsoft Installer (.msi) exhibiting high entropy or unusual internal structures.
Remediation - THE ENTERPRISE TRACK (SANS PICERL)
Phase 1: Identification & Containment
Network Block
Immediately blacklist the domain nady[.]io and the specific URL path /check/robot.aspx at the perimeter firewall and web gateway.
Process Containment
Isolate endpoints exhibiting msiexec.exe spawning unexpected child processes or initiating outbound network connections to unknown IPs.
Hunt Query
Search SIEM/EDR for MSI execution events where the source file is located in temporary user directories (e.g., %TEMP%, Downloads) combined with low-prevalence hash values.
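Detection logic for the Phase 1 containment and hunt criteria above, as an added example that is not part of this report or its sources. It runs over constructed Sysmon-style events; the msi_sha256 field, the PREVALENCE table (standing in for a fleet-wide file-prevalence lookup) and the list of benign msiexec child processes are assumptions.

```python
# Added example (not from the report): triage constructed endpoint telemetry for
# the msiexec patterns above. Assumes Sysmon-like records (event_id 1 = process
# create, 3 = network connect), an EDR-supplied 'msi_sha256' for the installed
# package, and PREVALENCE as a stand-in for a fleet file-prevalence lookup.
import re

KNOWN_C2_DOMAINS = {"nady.io"}      # report IOC, written defanged there
STAGING_DIRS = re.compile(r"\\(AppData\\Local\\Temp|Downloads)\\", re.I)
BENIGN_MSIEXEC_CHILDREN = {"msiexec.exe", "conhost.exe"}   # assumption
LOW_PREVALENCE = 5                  # seen on fewer hosts than this = rare hash
MSI_PATH = re.compile(r'"?([A-Za-z]:\\[^"]*?\.msi)"?', re.I)

PREVALENCE = {"sha256:constructed-vendor": 4812, "sha256:constructed-fake-update": 1}

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events, prevalence):
    """Return (rule, host, detail) for events matching the report's hunt/containment criteria."""
    hits = []
    for ev in events:
        image, parent = _name(ev.get("image", "")), _name(ev.get("parent_image", ""))
        if ev["event_id"] == 1 and image == "msiexec.exe":
            # Hunt query: .msi launched from %TEMP%/Downloads with a low-prevalence hash
            m = MSI_PATH.search(ev.get("command_line", ""))
            if (m and STAGING_DIRS.search(m.group(1))
                    and prevalence.get(ev.get("msi_sha256"), 0) < LOW_PREVALENCE):
                hits.append(("staged_rare_msi", ev["host"], m.group(1)))
        elif ev["event_id"] == 1 and parent == "msiexec.exe" and image not in BENIGN_MSIEXEC_CHILDREN:
            # Containment trigger: msiexec spawning an unexpected child process
            hits.append(("msiexec_unexpected_child", ev["host"], image))
        elif ev["event_id"] == 3 and image == "msiexec.exe":
            # Containment trigger: any outbound connection by msiexec; the report's C2 domain gets its own rule
            dest = ev.get("dest_host") or ev.get("dest_ip", "?")
            rule = "msiexec_c2_contact" if dest in KNOWN_C2_DOMAINS else "msiexec_network"
            hits.append((rule, ev["host"], f"{dest}:{ev.get('dest_port')}"))
    return hits

MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [  # constructed telemetry
    {"event_id": 1, "host": "ws01", "image": MSIEXEC, "msi_sha256": "sha256:constructed-vendor",
     "command_line": r'msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn'},
    {"event_id": 1, "host": "ws07", "image": MSIEXEC, "msi_sha256": "sha256:constructed-fake-update",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\Update_v2.msi" /qn'},
    {"event_id": 1, "host": "ws07", "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": MSIEXEC, "command_line": "rundll32.exe constructed-args"},
    {"event_id": 3, "host": "ws07", "image": MSIEXEC,
     "dest_host": "nady.io", "dest_ip": "203.0.113.10", "dest_port": 443},
]
```

Running `triage(SAMPLE_EVENTS, PREVALENCE)` flags only host ws07, once per criterion; the vendor install from Program Files with a widely seen hash produces no hit.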
Phase 2: Eradication
Artifact Removal
Delete the malicious .msi installers identified by hash or C2 communication.
Persistence Check
Inspect scheduled tasks and registry run keys created shortly after the MSI execution timestamp, as Matanbuchus may establish persistence for secondary payloads.
Phase 3: Recovery
Re-image
Due to the potential for ransomware deployment, infected hosts should be considered compromised at the root level and re-imaged.
Validation
Verify endpoint protection signatures are updated to detect the behavioral pattern of "mutable MSI" execution rather than just static hashes.
Phase 4: Lessons Learned
Policy Update
Restrict MSI execution. Enforce AppLocker or WDAC policies to allow .msi execution only from signed, trusted directories or publishers.
Remediation - THE HOME USER TRACK
Priority 1: Safety (Disconnection & Scan)
Disconnect the device from the internet immediately to prevent the download of the secondary ransomware payload.
Run a full offline scan using a reputable non-signature-based (heuristic) antivirus solution, as static signatures may fail.
Priority 2: Clean Up
Manually locate and delete any recently downloaded "installers" or "updates" (check your Downloads folder) that match the .msi file type, especially those downloaded on or around Jan 29, 2026.
Priority 3: Persistence
Check installed programs (Control Panel) for suspicious applications installed recently. Matanbuchus may appear as a generic or "random" named application.
Hardening & References
Baseline
CIS Benchmark for Windows 10/11 (Section 18.9: Application Control) – Restrict Windows Installer behavior.
Strategy
NIST SP 800-160 Vol. 2 (Cyber Resilient Systems) – Focus on behavioral anomaly detection over static prevention.
Tactical
SANS Hunt Evil – Look for msiexec.exe making direct network connections (rare behavior for legitimate installs).
Sources
Cyber Security News
Zscaler ThreatLabz