- Initial access broker KongTuke now uses Microsoft Teams chats to trick employees into running malicious PowerShell commands, gaining persistent network access in under five minutes.
- The attackers impersonate IT support staff using Unicode whitespace tricks and deploy an evolved ModeloRAT with multiple backdoors, a five-server C2 pool, and SYSTEM-level scheduled tasks that survive reboots.
- The campaign has been active since April, with the threat actor rotating through five Microsoft 365 tenants; researchers recommend restricting external Teams federation to an allowlist to block these attacks.
The initial access broker known as KongTuke has adopted Microsoft Teams as a new weapon for social engineering attacks. Security researchers at ReliaQuest observed the threat actor gaining persistent footholds in corporate networks within five minutes of starting a single chat.
KongTuke typically sells network access to ransomware operators, who then deploy file-stealing and data-encrypting malware. The group previously relied solely on web-based lures called FileFix and CrashFix. This new Teams activity marks the first time researchers have seen KongTuke use a collaboration platform for initial access.
The campaign has remained active since April this year. The threat actor rotates through five different Microsoft 365 tenants to avoid blocking attempts by security teams.
Attackers impersonate IT support using Unicode tricks
The attackers pose as help desk or IT staff in external Microsoft Teams chats. Their display name is padded with Unicode whitespace characters so that it renders in the chat as a believable IT support identity, which makes the external account far harder for an employee to spot.
Once the employee trusts the fake IT representative, the attacker convinces the victim to run a malicious PowerShell command on their computer, and the command downloads a ZIP archive stored on Dropbox, a legitimate file hosting service.
Tricking users into pasting malicious terminal commands is not limited to Teams. A recent Google Ads campaign targeting Claude users on macOS used fake downloads that led to malicious terminal commands, so the same lure pattern appears across platforms and operating systems.
The archive contains a portable WinPython environment that launches the Python-based malware known as ModeloRAT. The researchers noted that this ModeloRAT build has evolved significantly compared with the version seen in earlier ClickFix attacks.
The malware collects system information and user data, captures screenshots of the victim’s activity, and can exfiltrate files directly from the host filesystem; these capabilities give the attackers full visibility into compromised networks.
Malware features a resilient architecture and multiple backdoors
The new ModeloRAT build has a redesigned command-and-control structure that is considerably more resilient than previous versions: it connects to a pool of five separate servers via randomized URL paths and fails over automatically if one becomes unavailable. It also updates itself automatically, without any user interaction.
In addition, ModeloRAT maintains several independent channels into the compromised host: a primary remote access tool, a reverse shell, and a separate TCP backdoor. Because each channel runs on its own infrastructure, disrupting one does not affect the other two or cut off the attackers.
Its persistence has also expanded. The malware installs itself through Windows Run keys, Startup folder shortcuts and VBScript launchers, and a SYSTEM-level scheduled task. Notably, the implant's self-destruct routine removes the other persistence mechanisms but leaves the scheduled task in place.
That surviving scheduled task lets the malware outlast standard cleanup procedures and full system reboots; the backdoor is designed to stay available even after a victim believes they have removed it.
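The lure (a PowerShell one-liner pulling a ZIP from Dropbox) and the three persistence locations described above all leave artefacts a defender can query directly. The script below is an added triage example written for this article, not ReliaQuest's tooling, and its keyword list is an assumption derived from the article's description (portable WinPython, VBScript launchers, a Dropbox-hosted archive); replace it with the report's real indicators before relying on it. It should be run elevated so HKLM and SYSTEM-owned tasks are readable.

```powershell
# Added triage script (not ReliaQuest's): hunt one Windows host for the artefact classes
# the article describes. $Keywords is an assumption based on the article, not real IOCs.
$Keywords = @('WinPython', 'python.exe', 'pythonw.exe', '.vbs', 'wscript', 'cscript', 'dropbox')

function Test-Suspicious {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    foreach ($k in $Keywords) { if ($Text -like "*$k*") { return $true } }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 0. The lure: Script Block Logging events (ID 4104) whose script text fetches a ZIP from Dropbox.
#    Finds nothing unless Script Block Logging is enabled on the host.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Script = [string]$_.Properties[2].Value        # Properties[2] is ScriptBlockText for 4104
        if ($Script -match 'dropbox' -and $Script -match '\.zip|Expand-Archive') {
            Add-Finding 'ScriptBlock' $_.TimeCreated $Script.Substring(0, [Math]::Min(200, $Script.Length))
        }
    }

# 1. Run keys (machine-wide and per-user)
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    foreach ($Prop in (Get-ItemProperty -Path $Key).PSObject.Properties) {
        if ($Prop.Name -like 'PS*') { continue }         # skip PSPath, PSProvider, ...
        if (Test-Suspicious ([string]$Prop.Value)) { Add-Finding 'RunKey' "$Key\$($Prop.Name)" $Prop.Value }
    }
}

# 2. Startup folder shortcuts and script launchers; .lnk targets are resolved so the real command is inspected
$Shell = New-Object -ComObject WScript.Shell
foreach ($Dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    foreach ($File in (Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue)) {
        $Detail = $File.FullName
        if ($File.Extension -eq '.lnk') {
            $Lnk = $Shell.CreateShortcut($File.FullName)
            $Detail = "$($Lnk.TargetPath) $($Lnk.Arguments)"
        }
        if (($File.Extension -in @('.vbs', '.js', '.bat', '.ps1')) -or (Test-Suspicious $Detail)) {
            Add-Finding 'Startup' $File.FullName $Detail
        }
    }
}

# 3. Scheduled tasks that run as SYSTEM and whose action matches the keyword list
foreach ($Task in (Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' })) {
    foreach ($Action in $Task.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)"
        if (Test-Suspicious $Cmd) { Add-Finding 'ScheduledTask' ($Task.TaskPath + $Task.TaskName) $Cmd }
    }
}

$Findings | Sort-Object Type | Format-Table -AutoSize -Wrap
```

Expect noise: any legitimate Python installation or logon script will match the broad keyword list, so treat hits as leads for manual review rather than verdicts. When a SYSTEM-level task does turn out to be the implant's, remove the task as well as the Run key and Startup entries; the article's point is that cleanup which stops at the obvious entries leaves the backdoor in place.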
Organizations can block attacks by restricting external chats
ReliaQuest researchers recommend that companies restrict external Microsoft Teams federation using allowlists. This configuration blocks unsolicited chat requests from unknown external domains before they ever reach employees.
These defenses are critical as threat actors become more sophisticated. A Chinese-linked espionage campaign targeting Singapore telecoms demonstrates how state-sponsored groups use advanced social engineering to breach critical infrastructure.
The same technique can also stop many other social engineering campaigns that abuse collaboration platforms. Organizations should only permit Teams chats from trusted partner domains that have a legitimate business need to communicate with internal staff.
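Restricting federation to an allowlist is a tenant-wide setting that can be applied from the MicrosoftTeams PowerShell module. The block below is an added example written for this article, not a configuration from the ReliaQuest report; it assumes a Teams administrator account, and the partner domain names are placeholders.

```powershell
# Added example (not from ReliaQuest's report): move Teams external access from the
# permissive default to a partner allowlist. Partner domains below are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams            # interactive sign-in as a Teams administrator

# Before: record the current posture. With open federation, AllowedDomains shows
# "AllowAllKnownDomains", meaning any external tenant can start a chat with your users.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowPublicUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound

# After: only the listed domains may federate; Skype consumer and personal Teams accounts are blocked too.
$PartnerDomains = @('partner-one.example', 'partner-two.example')   # placeholders

Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $PartnerDomains `
    -AllowPublicUsers $false `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Optional hardening: refuse external access from trial tenants. The article does not say whether
# KongTuke's rotating tenants are trials (this is my assumption, not the report's), but trial
# tenants are a low-cost way for an actor to keep changing sender domains.
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Blocked

# Verify the result
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowPublicUsers, AllowTeamsConsumer, ExternalAccessWithTrialTenants
```

Two caveats: the allowlist replaces any existing blocklist rather than combining with it, so review `BlockedDomains` before switching, and the change applies to every user in the tenant, so agree the partner list with the business before enforcing it.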
Defenders can use the indicators in ReliaQuest's report to hunt for these attacks. The report lists artifacts from the ModeloRAT infection chain, its command-and-control infrastructure, and its persistence mechanisms.
The speed of the KongTuke campaign represents a significant concern for corporate security teams. A threat actor can move from an initial external message to a permanent network foothold in less time than most employees take for a coffee break. This rapid timeline leaves little opportunity for detection or intervention before damage occurs.
Security experts emphasize that employee training alone cannot stop these attacks; technical controls that block unsolicited external communications provide the most effective defense against this emerging threat vector.