← All articles

Initial access broker KongTuke pivots from web lures to Microsoft Teams - impersonates IT help desk, drops ModeloRAT in five minutes

ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like internal IT help desk, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.

Check
Search Microsoft 365 audit logs for inbound external Teams chats from new or low-trust tenants, hunt endpoint telemetry for pythonw.exe running from %APPDATA%\WPy64-31401 (or similar WinPython paths), and review PowerShell logs for clipboard-paste-driven commands.
Affected
Any enterprise that accepts inbound Microsoft Teams chats and calls from external tenants, especially help-desk-themed approaches. Initial access broker activity is typically resold to ransomware operators within days of compromise.
Fix
Restrict external Teams chat to allowlisted partners, enforce verified caller display in Teams admin, train staff that real IT never asks for a PowerShell paste, and add EDR rules for portable Python interpreters spawning from %APPDATA%.