Last updated: July 5, 2026 at 9:01 AM UTC
Tag: kongtuke (2 articles)

Stealthy Mistic backdoor gives ransomware access broker KongTuke lasting footholds

Symantec and Zscaler detailed Mistic, a stealthy new Windows backdoor used in intrusions since April and tied to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is loaded by DLL side-loading: a legitimate Microsoft executable is paired with a malicious DLL named to mimic endpoint-security software. Its payloads run only in memory, nothing is written to disk, and a self-delete kill switch is built in, all aimed at long-term, low-visibility access. It is delivered through social-engineering lures such as fake CAPTCHAs and Microsoft Teams help-desk pretexts that trick users into running PowerShell commands. Defenders should watch for the unusual DLL side-loading pattern.

Check
Hunt for the legitimate MpExtMs.exe process side-loading unexpected DLLs (in particular DLLs loaded from the executable's own, user-writable directory or lacking a valid Microsoft signature), for in-memory-only payloads, and for signs of paste-and-run PowerShell delivered through fake CAPTCHAs or Microsoft Teams help-desk messages.
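As an added illustration of the hunt described above (example code written for this page, not Symantec's, Zscaler's or the attacker's tooling), the rule below scores Sysmon Event ID 7 (ImageLoad) records for MpExtMs.exe side-loading. The records are constructed: the install path used for the benign samples and the DLL name in the suspicious sample are placeholders, because the page does not name the malicious DLL. The rule deliberately does not depend on that name; it flags the executable running from outside Defender/system directories, a DLL loaded from the executable's own directory, and a DLL without a valid Microsoft signature.

```python
"""Score Sysmon Event ID 7 (ImageLoad) records for MpExtMs.exe side-loading.

Added example for this page; not code from Symantec, Zscaler or KongTuke.
All records below are constructed. The DLL name in the suspicious record is a
placeholder and the rule does not depend on it.
"""
from pathlib import PureWindowsPath

# Directories from which a Microsoft binary legitimately loads DLLs
# (assumed list; extend to match your Defender platform layout).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\",
)

MICROSOFT_SIGNERS = ("microsoft windows", "microsoft corporation")


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_suspicious_load(event: dict) -> list:
    """Return the reasons this ImageLoad event looks like a side-load, or []."""
    image = _norm(event.get("Image", ""))
    loaded = _norm(event.get("ImageLoaded", ""))
    if PureWindowsPath(image).name != "mpextms.exe":
        return []
    reasons = []
    # 1. The hosting EXE itself runs from outside Defender/system directories.
    if not image.startswith(SYSTEM_DIRS):
        reasons.append("MpExtMs.exe running from non-system path")
    # 2. The DLL was picked up from the EXE's own directory instead of a
    #    system directory: the classic search-order side-load.
    if (not loaded.startswith(SYSTEM_DIRS)
            and PureWindowsPath(loaded).parent == PureWindowsPath(image).parent):
        reasons.append("DLL loaded from the executable's own directory")
    # 3. Unsigned, invalid, or signed by someone other than Microsoft.
    signed = str(event.get("Signed", "false")).lower() == "true"
    signer = event.get("Signature", "").lower()
    status = event.get("SignatureStatus", "").lower()
    if not signed or status != "valid" or not signer.startswith(MICROSOFT_SIGNERS):
        reasons.append(f"DLL lacks a valid Microsoft signature ({signer or 'unsigned'})")
    return reasons


def hunt(events: list) -> list:
    """Return (ImageLoaded, reasons) for every event that trips the rule."""
    hits = []
    for event in events:
        reasons = is_suspicious_load(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


# Constructed Sysmon-style records (field names follow Sysmon Event ID 7).
SAMPLE_EVENTS = [
    {   # benign: Defender component loading a sibling DLL (assumed install path)
        "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe",
        "ImageLoaded": "C:\\Program Files\\Windows Defender\\MpClient.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # benign: system DLL from System32
        "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe",
        "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # suspicious: EXE copied to a user-writable dir, unsigned DLL beside it
        "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\MpExtMs.exe",
        "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\placeholder.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for path, reasons in hunt(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("  -", reason)
```

When running this against real exports, feed it the JSON of Event ID 7 records and keep all three checks: a stolen-but-signed DLL would fail only the first two, and a malicious DLL dropped next to the original install would fail only the third.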
Affected
Enterprises across insurance, education, IT, and professional services targeted by KongTuke; a quiet, in-memory backdoor establishes durable access that is later sold to ransomware affiliates for deployment.
Fix
Train users against paste-and-run and fake IT-support lures, restrict PowerShell and script execution, deploy behavioral detection for DLL side-loading and in-memory backdoors, and apply the published indicators of compromise.

Initial access broker KongTuke pivots from web lures to Microsoft Teams - impersonates IT help desk, drops ModeloRAT in five minutes

ReliaQuest researchers say initial access broker KongTuke has shifted from web-based ClickFix and FileFix lures to Microsoft Teams social engineering, taking as little as five minutes to gain persistent access. The attacker reaches employees from one of five rotating Microsoft 365 tenants, uses Unicode whitespace tricks to make the display name look like an internal IT help desk, then talks the victim through pasting a PowerShell command. That command downloads a ZIP from Dropbox containing a portable WinPython runtime and a Python-based RAT called ModeloRAT. The new ModeloRAT variant adds a five-server C2 pool with automatic failover, self-update, and randomized URL paths, and several major EDR products did not detect it.

Check
Search Microsoft 365 audit logs for inbound external Teams chats from new or low-trust tenants, hunt endpoint telemetry for pythonw.exe running from %APPDATA%\WPy64-31401 (or similar WinPython paths), and review PowerShell logs for clipboard-paste-driven commands.
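To make the Teams and endpoint hunts above concrete, here is an added Python example (written for this page, not ReliaQuest's or the attacker's tooling) that applies them to constructed records. The Teams record shape (HomeTenantId, SenderTenantId, SenderDisplayName) is a simplified stand-in for whatever fields your audit-log export carries; the WinPython path pattern is generalised from the %APPDATA%\WPy64-31401 example to any WPy64-/WPy32- directory under %APPDATA%, and the python\ subdirectory in the sample path is assumed.

```python
"""Flag help-desk-themed external Teams chats and WinPython running from %APPDATA%.

Added example for this page; not ReliaQuest's or KongTuke's code.
Record layouts and all sample data are constructed.
"""
import re
import unicodedata
from pathlib import PureWindowsPath

HELPDESK_WORDS = re.compile(r"\b(help ?desk|it support|service desk)\b", re.I)
# Generalised from the page's %APPDATA%\WPy64-31401 example.
WINPYTHON_DIR = re.compile(r"\\appdata\\roaming\\wpy(64|32)-\d+\\", re.I)
PYTHON_IMAGES = ("pythonw.exe", "python.exe")


def normalize_display_name(name: str) -> tuple:
    """Strip Unicode space separators and invisible format characters.

    Returns (cleaned name, padded) where padded is True when any non-ASCII
    whitespace or format character (e.g. U+2003, U+200B) was removed.
    Categories are checked before NFKC, because NFKC folds many of these
    spaces to U+0020 and would hide the trick.
    """
    cleaned, padded = [], False
    for ch in name:
        cat = unicodedata.category(ch)
        if (cat in ("Zs", "Zl", "Zp") and ch != " ") or cat == "Cf":
            padded = True
            continue
        cleaned.append(ch)
    text = unicodedata.normalize("NFKC", "".join(cleaned))
    return " ".join(text.split()), padded


def flag_teams_chat(record: dict, allowed_tenants: set) -> list:
    """Reasons an inbound Teams chat record deserves a look, or []."""
    reasons = []
    sender = record.get("SenderTenantId", "")
    external = bool(sender) and sender != record.get("HomeTenantId")
    if external and sender not in allowed_tenants:
        reasons.append(f"external sender tenant {sender} not allowlisted")
    name, padded = normalize_display_name(record.get("SenderDisplayName", ""))
    if padded:
        reasons.append("display name contains Unicode whitespace/invisible characters")
    if external and HELPDESK_WORDS.search(name):
        reasons.append(f"external sender posing as support: {name!r}")
    return reasons


def flag_process(record: dict) -> list:
    """Reasons a process-creation record matches the WinPython delivery, or []."""
    image = record.get("Image", "").replace("/", "\\")
    reasons = []
    if PureWindowsPath(image).name.lower() in PYTHON_IMAGES and WINPYTHON_DIR.search(image):
        reasons.append("portable WinPython interpreter running from %APPDATA%")
    parent = PureWindowsPath(record.get("ParentImage", "")).name.lower()
    if reasons and parent in ("powershell.exe", "pwsh.exe"):
        reasons.append("spawned by PowerShell, consistent with paste-and-run")
    return reasons


# Constructed records. The first Teams record is a genuine internal help desk,
# the second an external tenant padding its name with U+2003 and U+200B.
SAMPLE_TEAMS = [
    {"HomeTenantId": "tenant-home", "SenderTenantId": "tenant-home",
     "SenderDisplayName": "IT Help Desk", "Operation": "MessageSent"},
    {"HomeTenantId": "tenant-home", "SenderTenantId": "tenant-ext-1",
     "SenderDisplayName": "IT Help Desk\u2003\u2003\u200b", "Operation": "MessageSent"},
]
SAMPLE_PROCS = [
    {"Image": "C:\\Users\\bob\\AppData\\Roaming\\WPy64-31401\\python\\pythonw.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Image": "C:\\Program Files\\Python312\\pythonw.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for rec in SAMPLE_TEAMS:
        print(rec["SenderDisplayName"].encode("unicode_escape").decode(), flag_teams_chat(rec, set()))
    for rec in SAMPLE_PROCS:
        print(rec["Image"], flag_process(rec))
```

The display-name check strips the padding before matching, so a name stuffed with Unicode spaces still resolves to the plain "IT Help Desk" and is matched as such; pair it with the tenant check against your own partner allowlist rather than relying on display names alone, since a genuine internal help desk will match the same words.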
Affected
Any enterprise that accepts inbound Microsoft Teams chats and calls from external tenants, especially help-desk-themed approaches. Initial access broker activity is typically resold to ransomware operators within days of compromise.
Fix
Restrict external Teams chat to allowlisted partner tenants, enforce verified caller display in the Teams admin center, train staff that the real IT help desk never asks them to paste a PowerShell command, and add EDR rules for portable Python interpreters spawning from %APPDATA%.