Hackers are using Microsoft Teams voice calls to pose as IT support and trick users into installing malware that takes over their systems.
Since the pandemic, Microsoft Teams has become the number one communication tool for many workplaces. Unfortunately, cybercriminals have found a new way to exploit this popularity. Security experts have discovered a campaign where threat actors make fake voice calls through Teams. Posing as IT helpdesk staff, the attackers quickly gain the user’s trust and convince them to grant remote access with the Windows Quick Assist tool. Once access is gained, the hackers quickly install the Matanbuchus 3.0 malware.
With 8 million US organizations using Teams in their workplace, it’s likely that your IT systems could be at risk. Luckily, Ophtek is here to give you some guidance on how to stay safe.
Breaking Down the Attack
We’ve covered plenty of phishing email scams in the past, but the Matanbuchus 3.0 attack brings something new to the table. A fully interactive attack, it plays on a sense of urgency and backs this up with a level of authority due to the apparent involvement of tech support. The attack starts when the threat actors contact users through Microsoft Teams. To make the approach more believable, the attackers use voice calls to enhance legitimacy. They quickly introduce themselves as members of an IT department, often using names tailored to the business they’re targeting.
After establishing a connection with the victim, the fake IT support agent asks them to open the Quick Assist app. This built-in Windows tool is legitimate and is often used by IT teams to connect remotely to PCs. But this particular IT support agent is far from trustworthy. Once connected, they talk the user through downloading what they claim is a system update. However, this “system update” is actually malware disguised as an update.
And this malware is very powerful. Matanbuchus 3.0 was originally sold on the dark web for around $2,500, but it’s now part of a malware-as-a-service (MaaS) setup. Monthly subscriptions to this MaaS can cost as much as $15,000, making it highly profitable to the people behind it. This latest version of Matanbuchus is highly advanced: it can encrypt its traffic, operate directly in a system’s memory to leave no traces, and even evaluate security software before making its next move.
With Matanbuchus installed, the threat actors suddenly have a gateway into the organization, allowing them to download further malware and system tools. Silently working in the background, Matanbuchus can steal valuable data and take control of your network.
Simple Ways to Protect Your System

The Matanbuchus 3.0 attack is deceptive, but relatively simple to defend against. All you need to do is practice the following:
- Always Verify: If someone contacts you unexpectedly claiming to be from IT, you should immediately be suspicious. Don’t be afraid to hang up instantly and, instead, contact your IT department through official channels.
- Limit Remote Access Tool Usage: There’s little need for most of your employees to have access to remote access tools like Quick Assist or TeamViewer. Where possible, restrict access to these tools and make sure that your employees are aware they should only be used with trusted sources.
- Identify Social Engineering Tactics: The simplest way to protect your IT infrastructure from this and similar attacks is to understand social engineering tactics. Even a basic understanding of these techniques could easily prevent one of your employees from falling victim.
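As a starting point for the “Limit Remote Access Tool Usage” step, the following added example (not code from the original article) audits whether Quick Assist is present on a Windows machine and removes it only when asked. The `-Remove` switch is a parameter of this example script; the package and capability names are Microsoft’s identifiers for the Store and legacy builds of Quick Assist.

```powershell
#Requires -RunAsAdministrator
# Added example: audit Quick Assist on this machine; remove it only with -Remove.
param(
    [switch]$Remove   # hypothetical switch for this example script
)

$storeName = 'MicrosoftCorporationII.QuickAssist'  # Store-delivered Quick Assist
$legacyCap = 'App.Support.QuickAssist*'            # older optional-feature build

# Installed in any user profile on this machine
$installed = @(Get-AppxPackage -AllUsers -Name $storeName)

# Provisioned in the OS image, so every new user profile gets it
$provisioned = @(Get-AppxProvisionedPackage -Online |
    Where-Object DisplayName -eq $storeName)

# Legacy Windows capability that is still installed
$capability = @(Get-WindowsCapability -Online -Name $legacyCap |
    Where-Object State -eq 'Installed')

# Report first, so the script is safe to run as a read-only audit
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    StorePackage     = $installed.Count -gt 0
    Provisioned      = $provisioned.Count -gt 0
    LegacyCapability = $capability.Count -gt 0
}

if ($Remove) {
    # Remove from existing profiles, from the image, and the legacy feature
    $installed   | Remove-AppxPackage -AllUsers
    $provisioned | Remove-AppxProvisionedPackage -Online | Out-Null
    $capability  | Remove-WindowsCapability -Online | Out-Null
    Write-Output 'Quick Assist removed from this machine.'
}
```

Run it without `-Remove` on ordinary workstations to see where the tool is present, and keep Quick Assist only on the machines your helpdesk staff actually use.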
For more ways to secure and optimize your business technology, contact your local IT professionals.




