Threat researchers have discovered a new phishing campaign that delivers the Matanbuchus loader, which in turn drops Cobalt Strike beacons on compromised machines. Cobalt Strike is frequently used by threat actors for lateral movement and to deploy additional payloads. Matanbuchus was first seen by researchers in February 2021, when it was advertised on dark web markets as a loader that launches executables directly in system memory. The new campaign tries to trick recipients by prefixing the subject line with “RE:” so the message appears to belong to a conversation they have already taken part in. The emails carry a ZIP attachment containing an HTML file, which eventually extracts an MSI package digitally signed with a valid certificate issued by DigiCert to “Westeast Tech Consulting, Corp.” In the background, two Matanbuchus payloads are dropped in two different locations, a scheduled task is created to maintain persistence across system reboots, and a Cobalt Strike payload is loaded from the Command and Control (C2) server. From there, the threat actor can carry out further post-exploitation activity.
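The chain described above (fake "RE:" reply, ZIP carrying HTML, MSI signed by the abused certificate, one payload in two locations, scheduled-task persistence) can be turned into simple correlation logic. The following is an added detection example, not code from the original report; the signer name is the one quoted in the article, while the event schema, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
# Signer name quoted in the article; every other value below is constructed.
ABUSED_SIGNER = "Westeast Tech Consulting, Corp."

@dataclass
class Email:
    subject: str
    headers: dict      # e.g. {"In-Reply-To": "<id>"}
    attachments: dict  # attachment filename -> names of files inside it
def email_findings(mail: Email) -> list[str]:
    """Lure traits: 'RE:' subject without threading headers, ZIP carrying HTML."""
    out = []
    threaded = mail.headers.get("In-Reply-To") or mail.headers.get("References")
    if mail.subject.strip().lower().startswith("re:") and not threaded:
        out.append("fake-reply-subject")
    for name, inner in mail.attachments.items():
        if name.lower().endswith(".zip") and any(
                f.lower().endswith((".htm", ".html")) for f in inner):
            out.append(f"zip-containing-html:{name}")
    return out

def host_findings(events: list[dict]) -> list[str]:
    """Post-delivery traits: MSI signed by the abused certificate, one payload
    written to two locations, and a scheduled task pointing at a dropped copy."""
    out, dropped, tasks = [], {}, []
    for ev in events:
        if ev["type"] == "msi_install" and ev.get("signer") == ABUSED_SIGNER:
            out.append("msi-abused-signer")
        elif ev["type"] == "file_write":
            fname = ev["path"].rsplit("\\", 1)[-1].lower()
            dropped.setdefault(fname, set()).add(ev["path"].lower())
        elif ev["type"] == "schtask_create":
            tasks.append(ev)
    for fname, paths in dropped.items():
        if len(paths) >= 2:
            out.append(f"payload-in-{len(paths)}-locations:{fname}")
    all_paths = {p for paths in dropped.values() for p in paths}
    for t in tasks:
        if any(p in t["command"].lower() for p in all_paths):
            out.append(f"persistence-task:{t['name']}")
    return out
# Constructed sample input; paths and names are placeholders.
SAMPLE_MAIL = Email("RE: invoice", {}, {"invoice.zip": ["invoice.html"]})
SAMPLE_EVENTS = [
    {"type": "msi_install", "signer": ABUSED_SIGNER},
    {"type": "file_write", "path": "C:\\Users\\u\\AppData\\Roaming\\Ex\\loader.exe"},
    {"type": "file_write", "path": "C:\\ProgramData\\Ex\\loader.exe"},
    {"type": "schtask_create", "name": "ExUpdate", "command": "C:\\ProgramData\\Ex\\loader.exe"},
]
```

Each function returns a list of labelled findings so the two sources can be joined per host or per recipient; a real deployment would feed it parsed mail headers and endpoint telemetry instead of the constructed samples.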
By Akshay Rohatgi and Randy Pargman