KongTuke Hijacks Microsoft Teams to Deploy Stealthy ModeloRAT
A sophisticated KongTuke threat group has dramatically escalated its intrusion tactics, weaponizing hijacked and fake Microsoft Teams accounts to impersonate internal IT helpdesk staff and deliver a fully undetected, undocumented variant of ModeloRAT, marking a decisive shift from browser-based lures to high-trust enterprise communication platforms.
KongTuke first entered the threat intelligence spotlight in January 2026 when Huntress documented its “CrashFix” technique, a ClickFix variant engineered to deliberately crash Chrome browsers, then coerce victims into executing obfuscated PowerShell commands to drop ModeloRAT.
The group’s initial delivery chain relied on Dropbox-hosted ZIP archives containing a bundled portable Python environment that unpacked and executed malicious components, effectively bypassing standard antivirus signatures, according to researcher Maurice Fielenbach.
The newest campaign retains that first-stage philosophy but replaces browser exploitation with direct social engineering through Microsoft Teams, dramatically raising both the sophistication and success rate of initial access.
Rather than waiting for victims to visit a compromised webpage, KongTuke now contacts targets directly through hijacked Teams accounts posing as internal IT support staff.
Rapid7’s MDR team flagged a surge in Teams-based IT impersonation campaigns in March 2026, warning that Teams’ default external access settings allow any outside user to message internal staff, a configuration it described as “the functional equivalent of operating an email server without a gateway filter.”
Microsoft’s own April 2026 advisory confirmed that cross-tenant helpdesk impersonation has become a primary intrusion vector across enterprise environments, with attackers abusing legitimate collaboration features to override user security instincts.
Once the victim engages with the Teams lure, they are prompted to run an obfuscated PowerShell command using iex ([string]::new(...)) to reconstruct and execute malicious code directly in memory.
A ZIP archive is then written to %APPDATA%, unpacked locally, and launched from %APPDATA%\WPy64-31401 using a bundled portable Python runtime, a staging path consistent across known KongTuke intrusions.
The new ModeloRAT variant introduces a modular dual-component architecture: a reconnaissance module that silently profiles the victim environment, and a C2 module that establishes encrypted communications with attacker-controlled infrastructure.
This mirrors a broader malware-as-a-service trend: a similar dual-function split was observed in Matanbuchus 3.0, which was also delivered via Teams IT impersonation in mid-2025, said Maurice Fielenbach.
Persistence has been significantly hardened in this version. Beyond the standard ASEP Run registry key, the actor now registers a scheduled task using a randomly generated name, providing a redundant foothold that survives registry remediation.
The following IP addresses have been identified as active command-and-control nodes:
| IP Address | Status |
|---|---|
| 45[.]61[.]136[.]94 | Active C2 |
| 64[.]95[.]10[.]14 | Active C2 |
| 64[.]95[.]12[.]238 | Active C2 |
| 64[.]95[.]13[.]76 | Active C2 |
| 162[.]33[.]179[.]149 | Active C2 |
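The table above is published in defanged form, so it cannot be dropped into a firewall or SIEM as-is. The following Python script is an added example, not code from the article or from any of the research teams it cites: it refangs the table, parses the addresses, and matches them against a handful of constructed flow records (the non-C2 destinations are RFC 5737 documentation addresses or deliberate near-misses). Parsing the values as addresses rather than comparing strings is what keeps a near-miss such as 64.95.10.140 from matching 64.95.10.14.

```python
import ipaddress
import re

# The article's C2 table, in the defanged form threat reports use (values as published).
DEFANGED_C2 = """
| IP Address | Status |
|---|---|
| 45[.]61[.]136[.]94 | Active C2 |
| 64[.]95[.]10[.]14 | Active C2 |
| 64[.]95[.]12[.]238 | Active C2 |
| 64[.]95[.]13[.]76 | Active C2 |
| 162[.]33[.]179[.]149 | Active C2 |
"""

# Constructed firewall/flow records for the demonstration. Apart from the listed C2 nodes,
# destinations are RFC 5737 documentation space or deliberate near-misses.
SAMPLE_FLOWS = [
    "2026-04-02T10:14:03Z src=10.20.4.17 dst=64.95.10.14 dport=443 proto=tcp action=allow",
    "2026-04-02T10:14:09Z src=10.20.4.17 dst=203.0.113.10 dport=443 proto=tcp action=allow",
    "2026-04-02T10:15:41Z src=10.20.7.101 dst=162.33.179.149 dport=8443 proto=tcp action=allow",
    "2026-04-02T10:16:02Z src=10.20.4.22 dst=64.95.10.140 dport=443 proto=tcp action=allow",
    "malformed line with no fields",
]

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def refang(value: str) -> str:
    """Reverse the '[.]' defanging so the value can be parsed as a real address."""
    return value.replace("[.]", ".")


def parse_ioc_table(table: str) -> set:
    """Collect IPv4 addresses from a markdown IOC table. Header and separator rows are
    skipped naturally because they do not parse as addresses."""
    iocs = set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 2:
            continue
        try:
            iocs.add(ipaddress.IPv4Address(refang(cells[0])))
        except ipaddress.AddressValueError:
            continue
    return iocs


def match_flows(flows, iocs):
    """Return (src, dst, dport) for every flow whose destination is a listed C2 address.
    Comparing parsed addresses, not substrings, keeps 64.95.10.140 from matching 64.95.10.14."""
    hits = []
    for line in flows:
        m = FLOW_RE.search(line)
        if not m:
            continue  # unparseable record; a production job would count these
        try:
            dst = ipaddress.IPv4Address(m["dst"])
        except ipaddress.AddressValueError:
            continue
        if dst in iocs:
            hits.append((m["src"], str(dst), int(m["dport"])))
    return hits


def to_blocklist(iocs):
    """Sorted dotted-quad strings, ready for a firewall deny list or a SIEM lookup table."""
    return [str(ip) for ip in sorted(iocs)]


if __name__ == "__main__":
    c2 = parse_ioc_table(DEFANGED_C2)
    print("blocklist:", to_blocklist(c2))
    for src, dst, dport in match_flows(SAMPLE_FLOWS, c2):
        print(f"ALERT {src} -> {dst}:{dport} matches a listed KongTuke C2 node")
```

Run it as-is to see the two matching flows; to use it on real data, replace SAMPLE_FLOWS with lines read from the firewall export and adjust FLOW_RE to that export's field names.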
Recommended Mitigations
Security teams should implement the following controls immediately:
- Restrict Teams external access: block unsolicited messages from unknown tenants at the tenant configuration level.
- Alert on Dropbox downloads from corporate endpoints where no business justification exists.
- Hunt for ZIP creation and extraction in %APPDATA%, a consistent KongTuke staging path across all known intrusions.
- Baseline pythonw.exe and portable Python execution from user-writable paths and flag all deviations.
- Audit ASEP Run key changes and new scheduled task registrations, particularly those using randomized task names.
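The hunting items above, together with the execution chain described earlier (the iex ([string]::new(...)) PowerShell stage, pythonw.exe launched from %APPDATA%\WPy64-31401, the Run key plus a randomly named scheduled task), can be expressed as a small set of rules over endpoint telemetry. The script below is an added example, not code from the article or from any vendor it cites. It runs over constructed events in a Sysmon-like shape (the event field names, the sample user names, the loader.py file name and the entropy and consonant-run thresholds are all this example's assumptions) and reports which rule each event trips. The randomized-name heuristic is deliberately narrow: it looks for a single alphanumeric token with letters and digits interleaved several times, or a long run of consonants, so vendor task names such as MicrosoftEdgeUpdateTaskMachineCore do not fire.

```python
import math
import re
from collections import Counter

# Constructed endpoint telemetry for the demonstration (not real logs). Event types loosely
# follow Sysmon: "process" = process creation, "registry" = value set, "task" = task created.
# WPy64-31401 is the article's staging directory; loader.py and the user names are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "iex ([string]::new(<byte array elided>))"'},
    {"type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Roaming\WPy64-31401\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\jdoe\AppData\Roaming\WPy64-31401\loader.py"},
    {"type": "process", "user": "CORP\\asmith",
     "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": r"python.exe C:\Projects\etl\run.py"},
    {"type": "registry", "user": "CORP\\jdoe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\jdoe\AppData\Roaming\WPy64-31401\pythonw.exe"},
    {"type": "task", "user": "CORP\\jdoe", "name": "qZ8vT3mKx2pL",
     "action": r"C:\Users\jdoe\AppData\Roaming\WPy64-31401\pythonw.exe"},
    {"type": "task", "user": "SYSTEM", "name": "MicrosoftEdgeUpdateTaskMachineCore",
     "action": r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"},
]

# Patterns taken from the article's observations; the thresholds further down are this
# example's own choice and should be tuned against a baseline of the environment.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\", re.I)
PS_INMEMORY = re.compile(r"\biex\b.*\[string\]::new\(", re.I)   # iex over a reconstructed string
PYTHON_EXE = re.compile(r"\\pythonw?\.exe$", re.I)               # python.exe or pythonw.exe
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random alphanumeric names score high, repetitive words score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated task names (thresholds are this example's assumption)."""
    if not re.fullmatch(r"[A-Za-z0-9]{8,}", name):
        return False  # spaces, hyphens, braces: typical of vendor and GUID-style names
    # letter<->digit switches: "qZ8vT3mKx2pL" has 6, "Windows10Upgrade" has 2
    transitions = sum(1 for a, b in zip(name, name[1:]) if a.isdigit() != b.isdigit())
    longest_consonants = max(len(run) for run in re.split(r"[aeiouy0-9]", name, flags=re.I))
    return shannon_entropy(name) >= 3.0 and (transitions >= 3 or longest_consonants >= 5)


def evaluate(event: dict) -> list:
    """Return the names of every hunting rule the event trips (empty list = nothing flagged)."""
    hits = []
    kind = event["type"]
    if kind == "process":
        if PS_INMEMORY.search(event.get("cmdline", "")):
            hits.append("powershell_inmemory_loader")
        if PYTHON_EXE.search(event["image"]) and USER_WRITABLE.search(event["image"]):
            hits.append("portable_python_user_writable")
    elif kind == "registry":
        if RUN_KEY.search(event["key"]) and USER_WRITABLE.search(event.get("data", "")):
            hits.append("run_key_to_user_writable_path")
    elif kind == "task":
        if looks_random(event["name"]):
            hits.append("randomized_task_name")
        if USER_WRITABLE.search(event.get("action", "")):
            hits.append("task_action_in_user_writable_path")
    return hits


def hunt(events):
    """Run every rule over a batch of events and return (user, rule) pairs for triage."""
    return [(e["user"], rule) for e in events for rule in evaluate(e)]


if __name__ == "__main__":
    for user, rule in hunt(SAMPLE_EVENTS):
        print(f"{user:14} {rule}")
```

Several of these rules are noisy on their own (a developer running a portable Python from a Downloads folder, for instance); the value is in the combination, so in practice the (user, rule) pairs are grouped per host and the chain of PowerShell, AppData Python, Run key and task on one machine within a short window is what gets escalated.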
KongTuke’s pivot from browser-crashing lures to direct Teams impersonation reflects a calculated shift toward high-trust platforms that bypass traditional email gateway defenses, a tactic now confirmed and corroborated by multiple independent threat research teams.