CyberSecurityNews

Hackers Hijack Microsoft Teams Accounts to Deliver ModeloRAT


A new wave of cyberattacks is putting Microsoft Teams users on high alert across organizations worldwide. Hackers have been found hijacking Teams accounts to impersonate IT support staff and push a dangerous piece of malware called ModeloRAT directly into corporate environments, catching many organizations completely off guard and exposing serious gaps in how workplace communication tools are trusted by everyday users.

This attack is part of a broader campaign tied to a threat cluster known as KongTuke, which was first publicly documented by Huntress in January of this year. The original activity involved CrashFix-style social engineering and delivered ModeloRAT through an archive hosted on Dropbox.

The payload was then unpacked and executed using a bundled portable Python environment, a technique that helps the malware blend in with legitimate software activity on the infected system and avoid early detection.

Analysts at Hexastrike recently investigated a new, undocumented version of this campaign and found that the attackers have significantly upgraded their approach. While the first stage of the attack follows the same general pattern seen in earlier incidents, the delivery method, execution flow, and persistence mechanisms have all changed in ways that make detection considerably harder than before.

In this updated version, the threat actor contacts victims directly through fake or hijacked Microsoft Teams accounts while posing as internal IT helpdesk staff. The goal is to convince the target to run an obfuscated PowerShell command. Once executed, that command drops a ZIP archive into the system’s AppData folder, unpacks it locally, and launches the malware from a subdirectory called WPy64-31401.

How ModeloRAT Evades Detection

The archive that gets dropped contains a portable Python environment alongside malicious Python components. From there, the execution splits into two distinct parts: one focused on reconnaissance and the other on communicating with a remote command-and-control server.

This two-part structure allows attackers to quietly gather system information while maintaining a persistent and stealthy connection back to their infrastructure, all without raising obvious red flags during normal endpoint monitoring.

One of the most alarming aspects of this campaign is how effectively the malware avoids being caught. During the investigation, the samples collected had zero detections on VirusTotal, meaning the files were not flagged by any of the antivirus engines checked at the time of analysis. The malware also bypassed several major endpoint detection and response tools, which are typically a critical last line of defense in enterprise environments.

Persistence is another area where this version stands apart from earlier variants. Beyond writing itself to a standard Windows startup registry key, the malware also creates a scheduled task using a randomly generated name.

This makes it considerably harder for defenders to spot the malicious task among legitimate ones, and ensures the malware restarts automatically even if the registry entry gets removed. Together, these techniques show a clear and deliberate effort to stay hidden and keep running as long as possible on compromised systems.

Protecting Your Organization

Organizations can take several practical steps to significantly reduce the risk posed by this type of attack. One of the most straightforward moves is to review Microsoft Teams external access settings and restrict or disable messages from unknown or unverified external tenants.

Since the attackers rely on reaching victims directly through Teams, limiting who can contact employees is a strong and immediate first line of defense that requires no additional tools.

Security teams should also set up alerts for Dropbox downloads on corporate devices, particularly where there is no clear business need for that kind of external file access. Monitoring for ZIP file extraction inside AppData directories is another useful and practical detection approach.

Since the malware relies on a portable Python environment to execute, tracking unusual instances of pythonw.exe running from user-writable paths like AppData can help surface suspicious activity early. Regularly reviewing new scheduled task registrations and registry run key changes can help catch persistence attempts before they quietly take hold.
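The persistence behaviour described above (a startup run key plus a randomly named scheduled task) and the detection advice in this section (pythonw.exe launched from AppData, a ZIP archive dropped under AppData, run-key changes, new task registrations) can be expressed as simple telemetry rules. The Python below is an added example written for this page, not code from the article or from Hexastrike. It runs over constructed process, file, registry and scheduled-task events; the field names are assumed rather than taken from any real EDR or Sysmon schema, and the sample paths below the WPy64-31401 directory, the file and task names, and the entropy thresholds are illustrative assumptions.

```python
"""Toy detection rules for the ModeloRAT telemetry signals named in the text.

Added example, not the article's or Hexastrike's code. Event field names,
sample paths (beyond the WPy64-31401 directory and pythonw.exe, which the
article reports), task names and thresholds are assumptions.
"""
import math
import re
from collections import Counter
from typing import Optional

# Roots from which a legitimate Python interpreter is rarely launched.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY_MARKER = "\\currentversion\\run"  # matches both Run and RunOnce


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (case-insensitive)."""
    if not s:
        return 0.0
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated task names: a single token with high
    per-character entropy and few vowels. Thresholds are assumptions."""
    if " " in name.strip():
        return False  # vendor tasks are usually multi-word
    stripped = re.sub(r"[^A-Za-z0-9]", "", name)
    if len(stripped) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in stripped.lower()) / len(stripped)
    return shannon_entropy(stripped) >= 3.0 and vowel_ratio < 0.25


def rule_python_from_user_path(ev: dict) -> Optional[str]:
    if ev.get("type") != "process_create":
        return None
    image = ev.get("image", "").lower()
    if image.endswith(("\\pythonw.exe", "\\python.exe")) and any(r in image for r in USER_WRITABLE):
        return "python interpreter launched from user-writable path"
    return None


def rule_zip_dropped_in_appdata(ev: dict) -> Optional[str]:
    if ev.get("type") != "file_create":
        return None
    path = ev.get("path", "").lower()
    if path.endswith(".zip") and "\\appdata\\" in path and ev.get("process", "").lower().endswith("powershell.exe"):
        return "zip archive written under AppData by PowerShell"
    return None


def rule_run_key_to_user_path(ev: dict) -> Optional[str]:
    if ev.get("type") != "registry_set":
        return None
    if RUN_KEY_MARKER in ev.get("key", "").lower() and any(r in ev.get("data", "").lower() for r in USER_WRITABLE):
        return "Run key pointing into a user-writable path"
    return None


def rule_random_task_name(ev: dict) -> Optional[str]:
    if ev.get("type") != "task_create":
        return None
    if looks_random(ev.get("task_name", "")):
        return "scheduled task with random-looking name"
    return None


RULES = (rule_python_from_user_path, rule_zip_dropped_in_appdata,
         rule_run_key_to_user_path, rule_random_task_name)


def evaluate(events: list) -> list:
    """Return [(event id, finding)] for every event that trips a rule."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["id"], hit))
    return findings


# Constructed sample telemetry; not captured from a real incident.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\pythonw.exe"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Program Files\Python312\pythonw.exe"},
    {"id": 3, "type": "file_create",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Roaming\stage.zip"},
    {"id": 4, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Users\alice\AppData\Roaming\WPy64-31401\python\pythonw.exe"},
    {"id": 5, "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 6, "type": "task_create", "task_name": "Uhy4kq92Lm3xTz"},
    {"id": 7, "type": "task_create", "task_name": "GoogleUpdateTaskMachineCore"},
]

if __name__ == "__main__":
    for event_id, finding in evaluate(SAMPLE_EVENTS):
        print(event_id, finding)
```

Events 1, 3, 4 and 6 trip a rule; the interpreter under Program Files, the OneDrive run key and the multi-word vendor task do not. Each rule is a triage signal rather than a verdict: some legitimate software does run from AppData, so in practice the hits would be correlated (PowerShell writing a ZIP, then pythonw.exe from the extracted directory, then a run key and a task pointing at it) before raising an incident.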

Indicators of Compromise (IoCs)

Type         Indicator               Description
IP Address   45.61.136.94            Observed ModeloRAT C2 server
IP Address   64.95.10.14             Observed ModeloRAT C2 server
IP Address   64.95.12.238            Observed ModeloRAT C2 server
IP Address   64.95.13.76             Observed ModeloRAT C2 server
IP Address   162.33.179.149          Observed ModeloRAT C2 server
File Path    %APPDATA%\WPy64-31401   Malware execution directory containing the portable Python environment
Process      pythonw.exe             Portable Python used to execute malicious components from AppData

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
