KongTuke has shifted from web-only ClickFix lures to external Microsoft Teams chats, impersonating help-desk staff to push victims into running a PowerShell command that installs ModeloRAT. The campaign uses multiple Microsoft 365 tenants, redundant C2 paths, and layered persistence to survive disruption, while defenders are advised to restrict external Teams federation and hunt for portable Python in user AppData. #KongTuke #ModeloRAT #BlackBasta #MicrosoftTeams #WinPython
Keypoints
- KongTuke, a financially motivated initial access broker, is using external Microsoft Teams chats for initial access; this campaign is the first in which that technique has been observed from the group.
- The threat actor impersonates IT or help-desk staff to socially engineer victims into running a single PowerShell command.
- That command downloads a ZIP from Dropbox, extracts a portable WinPython runtime into AppData, and launches ModeloRAT.
- The operator rotated across five Microsoft 365 tenants in 45 days to evade blocking and maintain access.
- ModeloRAT is designed for resilience, with three independent C2 paths, server failover, randomized URLs, and self-update capability.
- Persistence is spread across multiple artifacts: a Run key, Startup shortcut, VBScript launcher, and in some cases a SYSTEM-level scheduled task.
- Defensive priorities include restricting external Teams federation, hunting for WPy64-* directories, and fully enumerating persistence before returning hosts to production.
MITRE Techniques
- [T1566.003] Phishing: Spearphishing via Service – Used external Microsoft Teams chats to impersonate help-desk staff and socially engineer victims (‘the threat actor initiated a one-on-one Teams chat from an external Microsoft 365 tenant and impersonated internal IT or help-desk staff’).
- [T1204.002] User Execution: Malicious File – Victims were instructed to run a diagnostic tool and paste a PowerShell command, triggering execution (‘the user was then instructed to paste a single PowerShell command into Windows Run’).
- [T1059.001] Command and Scripting Interpreter: PowerShell – PowerShell downloaded the archive, extracted it, deleted it, and launched the payload (‘it downloaded the archive, extracted it into AppData, deleted the ZIP, and launched the first Python module’).
- [T1105] Ingress Tool Transfer – The payload was retrieved from Dropbox and staged on the endpoint (‘iwr -Uri …dropbox… -OutFile $env:appdata\Winp.zip’).
- [T1218] Signed Binary Proxy Execution – A signed pythonw.exe binary was used to execute the malicious Python modules (‘the trusted, signed binary … pythonw.exe binary helps mask the activity that follows’).
- [T1059.006] Command and Scripting Interpreter: Python – The malware executed as Python scripts such as games.py and Pmanager.py (‘the first module executes’, ‘Pmanager.py beacons’).
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence was established with a Run key and Startup shortcut (‘A registry Run key …’, ‘A Startup folder shortcut named StartManagerB.lnk’).
- [T1053.005] Scheduled Task/Job: Scheduled Task – A SYSTEM-level scheduled task was created to ensure execution at midnight (‘A SYSTEM-level scheduled task registered to run daily at midnight’).
- [T1041] Exfiltration Over C2 Channel – Files and screenshots were exfiltrated over the implant’s command channel (‘capture screenshots and exfiltrate arbitrary files on operator command’).
- [T1219] Remote Access Software – The campaign deployed ModeloRAT as a remote-access toolkit for persistent control (‘the toolkit can capture screenshots and exfiltrate arbitrary files’).
- [T1027] Obfuscated Files or Information – Randomized URL paths, RC4/zlib protection, and Unicode whitespace were used to hinder detection (‘RC4- and zlib-protected HTTP’, ‘appending Unicode whitespace characters’).
Indicators of Compromise
- [IP address] C2 and proxy infrastructure used by KongTuke – 144.172.99[.]68, 45.61.136[.]94, and 4 other IPs
- [Domain / URL] Dropbox-hosted delivery infrastructure for the ZIP payload – hxxps://www[.]dropbox[.]com/scl/fi/88btyiyisjwbuxhappb8m/ltuipoaensloieo[.]zip, hxxps://www[.]dropbox[.]com/scl/fi/vpyhgodqd358qtp0fmnzr/at3[.]zip
- [File name] Malicious Python and persistence artifacts – games.py, Pmanager.py, StartManagerB.lnk, scriptA.vbs
- [File path] Portable Python runtime and persistence locations in AppData – %APPDATA%\Roaming\WPy64-31401\python, %APPDATA%\WPy64-31401\python\scriptA.vbs
- [Registry key] Run key used for logon persistence – HKCU\Software\Microsoft\Windows\CurrentVersion\Run, MonitoringService
- [Email / tenant / sender] Help-desk impersonation sender identity – HelpDesk[at]officeupdates366.onmicrosoft[.]com, itsupport[at]deepminds[.]me
- [Hash] Artifact hashes associated with malicious files – 6d11817f510e596bb9b739dd1fddb, 3b1c929831b81503a4e8d7129543bf899b9, and 4 other hashes
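The defensive priorities in the key points (hunt for WPy64-* directories in AppData, enumerate every persistence artifact before a host goes back to production) and the host indicators above can be turned into a single host hunt. The script below is an added example, not code from the ReliaQuest write-up or from the ModeloRAT toolkit; only the artifact names (WPy64-*, games.py, Pmanager.py, scriptA.vbs, StartManagerB.lnk, the MonitoringService Run value, the SYSTEM scheduled task, and the iwr-to-Dropbox one-liner shape) come from the page. The function name, the regex heuristics, the profile-walking logic and the output format are my assumptions; run it elevated so HKLM, other users' profiles and SYSTEM tasks are readable.

```powershell
# Added hunt script (not from the original post). Collects findings for the
# ModeloRAT host artifacts the write-up describes; heuristics are assumptions.
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Category, [string]$Location, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Category = $Category; Location = $Location; Detail = $Detail })
}

# Strings that tie an artifact to the dropped WinPython runtime (assumed heuristic).
$RuntimePattern = 'WPy64-|pythonw\.exe|\.vbs'
$profileRoots = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue

# 1. Portable WinPython runtime under any user's AppData (page: WPy64-* directories).
foreach ($p in $profileRoots) {
    $appData = Join-Path $p.FullName 'AppData'
    if (-not (Test-Path $appData)) { continue }
    Get-ChildItem $appData -Directory -Recurse -Depth 2 -Filter 'WPy64-*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Finding 'WinPython runtime' $_.FullName 'Portable Python directory in AppData'
            # Page-named Python modules and the VBScript launcher inside the runtime.
            Get-ChildItem $_.FullName -Recurse -Include 'games.py', 'Pmanager.py', 'scriptA.vbs' -ErrorAction SilentlyContinue |
                ForEach-Object { Add-Finding 'Dropped module' $_.FullName "$($_.Length) bytes" }
        }
}

# 2. Run keys in HKLM and every loaded user hive (page: HKCU Run value MonitoringService).
$runPaths = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
    $runPaths += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($rp in $runPaths) {
    if (-not (Test-Path $rp)) { continue }
    $props = Get-ItemProperty -Path $rp
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        $val = [string]$prop.Value
        if ($prop.Name -eq 'MonitoringService' -or $val -match $RuntimePattern) {
            Add-Finding 'Run key' "$rp\$($prop.Name)" $val
        }
    }
}

# 3. Startup-folder shortcuts, resolving each .lnk target (page: StartManagerB.lnk).
$shell = New-Object -ComObject WScript.Shell
foreach ($p in $profileRoots) {
    $startup = Join-Path $p.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    if (-not (Test-Path $startup)) { continue }
    Get-ChildItem $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($_.Name -eq 'StartManagerB.lnk' -or $target -match $RuntimePattern) {
            Add-Finding 'Startup shortcut' $_.FullName $target
        }
    }
}

# 4. Scheduled tasks whose action points at the runtime; RunAs shows SYSTEM-level tasks
#    (page: SYSTEM-level task registered to run daily at midnight).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $RuntimePattern) {
            Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName)" "RunAs=$($task.Principal.UserId); $cmd"
        }
    }
}

# 5. Script-block logs (Event ID 4104) for the pasted one-liner shape the page quotes:
#    iwr to Dropbox with -OutFile under AppData, or pythonw launched from WPy64-*.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $sb = [string]$_.Properties[2].Value   # ScriptBlockText
    if ($sb -match '(iwr|Invoke-WebRequest).*dropbox.*-OutFile.*appdata' -or $sb -match 'WPy64-.*pythonw') {
        $flat = $sb -replace '\s+', ' '
        Add-Finding 'Script block' "RecordId=$($_.RecordId) $($_.TimeCreated)" $flat.Substring(0, [Math]::Min(200, $flat.Length))
    }
}

$Findings | Sort-Object Category | Format-Table -AutoSize
```

Treat any hit in categories 1 or 5 as grounds to run the remaining checks on the same host and on any host the same user signed in to, since the write-up stresses that persistence is split across several artifacts and a partial clean-up leaves the implant a way back. Because 4104 logging may be disabled, an empty result from check 5 is not evidence of absence.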
Read more: https://reliaquest.com/blog/threat-spotlight-help-desk-lures-drop-kongtukes-evolved-modelorat/