EXECUTIVE SUMMARY
Threat actors impersonating help-desk staff are using external Microsoft Teams chats to trick victims into deploying ModeloRAT, a malware tool designed to survive disruption and maintain a persistent foothold on compromised systems. The actor behind the campaign, the financially motivated initial access broker KongTuke, has been active since at least April 2026, and this new approach marks a significant shift in tactics: it now uses a collaboration platform for initial access rather than relying on web-based lures. The goal of the attack is a durable foothold on compromised systems from which the operators can capture sensitive data and screenshots and exfiltrate files on command.
The infection begins with a PowerShell command pasted into the Teams chat, which rapidly profiles the host before the operator types a single command. The reconnaissance collector launches hidden PowerShell to gather host and user information, including the output of systeminfo and whoami /all, domain and group details, and Lightweight Directory Access Protocol (LDAP) enumeration using adsisearcher. The collector writes its results to configA.json and hands off to the implant that runs the operation. That primary implant, Pmanager.py, beacons over HTTP with RC4- and zlib-protected traffic, rotating through five hardcoded C2 servers and failing over automatically when one is blocked. It also accepts a self-update command, allowing the attacker to push a new build to compromised targets mid-campaign.
This threat is significant for organisations because it combines a new initial-access channel with layered persistence, making it difficult to detect and to recover from. Because the malware is built to survive disruption and keep its foothold, organisations need to act promptly to limit its spread. To counter KongTuke, organisations should restrict external Teams federation to a trusted-organisation allowlist and hunt for portable Python under %APPDATA%\Roaming\WPy64-*. Additionally, organisations should audit all four persistence triggers before returning a host to production, as the malware spreads persistence across the Run key, a Startup folder shortcut, a VBScript launcher in %APPDATA%\WPy64-31401\python\, and a SYSTEM-level scheduled task with an AppData- or ProgramData-style name.
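As an added example (not code from the report or from ReliaQuest), the following PowerShell hunt checks for the portable-Python drop and the four persistence triggers listed above across every local profile. It assumes that the Run value and Startup shortcut reference the WPy64-* path or a .vbs launcher, and that a suspicious SYSTEM task either carries an AppData-/ProgramData-style name or executes something under that path; run it as an administrator so all hives and tasks are visible.

```powershell
# Hypothetical hunt script for the ModeloRAT persistence set; example code, not the report's own.
$findings = @()
$marker = 'WPy64'   # directory prefix named in the report (WPy64-<version>)

# 1. Portable Python drop: WPy64-* under every profile's Roaming AppData
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\WPy64-*' -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += [pscustomobject]@{ Trigger='PortablePython'; Where=$_.FullName; Value='' } }

# 2. Run keys (machine-wide plus every loaded user hive) referencing the drop path or a .vbs launcher
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run" }
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata properties
        if ("$($p.Value)" -match "$marker|\.vbs") {
            $findings += [pscustomobject]@{ Trigger='RunKey'; Where="$key\$($p.Name)"; Value=$p.Value }
        }
    }
}

# 3. Startup-folder shortcuts: resolve each .lnk target and look for the drop path
$shell = New-Object -ComObject WScript.Shell
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($target -match $marker) {
            $findings += [pscustomobject]@{ Trigger='StartupShortcut'; Where=$_.FullName; Value=$target }
        }
    }

# 4. VBScript launcher inside the python\ directory of the drop
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\WPy64-*\python\*.vbs' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += [pscustomobject]@{ Trigger='VbsLauncher'; Where=$_.FullName; Value='' } }

# 5. SYSTEM-level scheduled tasks with an AppData-/ProgramData-style name, or whose action touches the drop
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if ($_.TaskName -match 'AppData|ProgramData' -or $actions -match $marker) {
            $findings += [pscustomobject]@{ Trigger='ScheduledTask'; Where="$($_.TaskPath)$($_.TaskName)"; Value=$actions }
        }
    }

$findings | Format-Table -AutoSize
```

Any hit should be treated as one of the four triggers the report says must all be cleared before the host goes back into production; an empty table for one trigger does not rule out the others.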
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.006 | Command and Scripting Interpreter | Python |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Persistence | T1547.009 | Boot or Logon Autostart Execution | Shortcut Modification |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1036.001 | Masquerading | Invalid Code Signature |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following report contains further technical details:
https://reliaquest.com/blog/threat-spotlight-help-desk-lures-drop-kongtukes-evolved-modelorat/