Introduction

In March 2024, a mid-sized investment advisory firm faced a rapidly escalating cybersecurity incident when numerous employees reported unusual system slowdowns and unexpected pop-ups shortly after conducting online searches related to financial recovery services. The common thread across these reports pointed to users clicking on what appeared to be legitimate sponsored links offering help with locating unclaimed funds. These deceptive links redirected victims to a malicious domain—treasurybanks.org—which was carefully crafted to impersonate a government-affiliated financial aid platform. Underneath this façade, however, lay a sophisticated malware delivery campaign leveraging modern threat techniques and cloud infrastructure abuse.

The lab, titled MBuchus, simulates this real-world attack scenario and challenges analysts to unravel the full extent of the threat. Using open-source intelligence (OSINT) and threat research platforms such as VirusTotal, AlienVault OTX, and crt.sh, participants are tasked with identifying how initial access was gained, what payloads were delivered, and how attacker infrastructure (TLS certificates, hosting providers, and domain registrations) enabled the broader operation. At the heart of the campaign is Matanbuchus, a malware loader delivered via a ZIP archive downloaded from the spoofed website. Once executed, it downloaded additional malware, including DanaBot, a notorious banking trojan.
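One of the infrastructure pivots the lab asks for is certificate transparency: crt.sh returns every logged certificate that names a domain, and the other names on those same certificates often expose sibling infrastructure. The script below is an added example written for this page, not code from the lab or from BlueYard Labs. It parses records in the shape of crt.sh's JSON output (`id`, `issuer_name`, `common_name`, `name_value` with newline-separated SANs, `not_before`, `not_after`) and pivots on a seed domain. The JSON is constructed inline so it runs offline; only `treasurybanks.org` comes from the page, while `funds-recovery.example`, `unrelated.example`, the serials and the issuer strings are made up for illustration.

```python
import json

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=<domain>&output=json). Entries, serials and issuer
# strings are illustrative; only treasurybanks.org comes from the lab text.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "treasurybanks.org",
     "name_value": "treasurybanks.org\nwww.treasurybanks.org",
     "not_before": "2024-02-20T10:00:00", "not_after": "2024-05-20T10:00:00",
     "serial_number": "0a1b"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "treasurybanks.org",
     "name_value": "treasurybanks.org\nfunds-recovery.example\nwww.funds-recovery.example",
     "not_before": "2024-03-01T10:00:00", "not_after": "2024-05-30T10:00:00",
     "serial_number": "0a1c"},
    {"id": 1003, "issuer_name": "C=GB, O=Sectigo Limited, CN=Sectigo RSA DV",
     "common_name": "cdn.unrelated.example",
     "name_value": "cdn.unrelated.example",
     "not_before": "2024-01-05T10:00:00", "not_after": "2025-01-05T10:00:00",
     "serial_number": "0a1d"},
])


def registrable_domain(host: str) -> str:
    """Last two DNS labels. A simplification (no public-suffix list), adequate
    for .org/.com-style names; use tldextract for co.uk-style suffixes."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_crtsh(text: str) -> list:
    """Parse crt.sh JSON into records with a deduplicated, lowercased host list.
    crt.sh packs every SAN into 'name_value', one per line; wildcards are
    reduced to their base name so they join the same pivot."""
    records = []
    for entry in json.loads(text):
        hosts = set()
        names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in names:
            name = name.strip().lower().lstrip("*.")
            if name:
                hosts.add(name)
        records.append({
            "id": entry["id"],
            "issuer": entry.get("issuer_name", ""),
            "not_before": entry.get("not_before", ""),
            "hosts": sorted(hosts),
        })
    return records


def pivot_on_domain(records: list, seed: str) -> dict:
    """Collect every certificate that names the seed's registrable domain and
    report the issuers used, the earliest issuance (a lower bound on when the
    infrastructure was stood up), the seed's own subdomains, and the hosts
    from other domains that share a certificate with it (co-hosting pivot)."""
    seed = seed.lower()
    seed_reg = registrable_domain(seed)
    cert_ids, issuers, subdomains, co_hosted = [], set(), set(), set()
    first_seen = None
    for rec in records:
        if not any(registrable_domain(h) == seed_reg for h in rec["hosts"]):
            continue
        cert_ids.append(rec["id"])
        issuers.add(rec["issuer"])
        # ISO-8601 timestamps sort correctly as strings
        if first_seen is None or rec["not_before"] < first_seen:
            first_seen = rec["not_before"]
        for h in rec["hosts"]:
            if registrable_domain(h) == seed_reg:
                if h != seed:
                    subdomains.add(h)
            else:
                co_hosted.add(h)
    return {
        "certificate_ids": sorted(cert_ids),
        "issuers": sorted(issuers),
        "first_seen": first_seen,
        "subdomains": sorted(subdomains),
        "co_hosted": sorted(co_hosted),
    }


if __name__ == "__main__":
    recs = parse_crtsh(SAMPLE_CRTSH_JSON)
    print(json.dumps(pivot_on_domain(recs, "treasurybanks.org"), indent=2))
```

Against live data, replace `SAMPLE_CRTSH_JSON` with the body of `https://crt.sh/?q=%25.<domain>&output=json`; the `co_hosted` list is the set of names worth checking next in VirusTotal or OTX, and `first_seen` helps bound the campaign timeline against the March 2024 reports.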

This lab highlights the intersection of social engineering, malvertising, and malware-as-a-service (MaaS) e

Unlock Your Full Learning Experience with BlueYard Labs
