ReliaQuest researchers disclosed that KongTuke, an initial access broker active since April 2026, is exploiting Microsoft Teams to establish persistent footholds inside corporate networks, which it then sells to ransomware operators. The group impersonates internal IT help desk personnel over Teams, tricks employees into pasting a malicious PowerShell command, and deploys ModeloRAT — a custom Python-based remote access trojan — achieving persistent network access in under five minutes from first contact.
KongTuke Manipulates Teams Display Names with Unicode Tricks to Impersonate IT Staff
KongTuke initiates contact with targets through Microsoft Teams, posing as internal IT or help desk employees. The group manipulates display names using Unicode whitespace characters to make the attacker-controlled account appear to match legitimate internal IT naming conventions. The social engineering pretext directs the target employee to paste a PowerShell command into a terminal, framed as a standard IT troubleshooting or configuration step.
The PowerShell command downloads a ZIP archive from Dropbox containing a portable WinPython installation. WinPython then executes Pmanager.py — ModeloRAT — without requiring Python to be pre-installed on the victim machine. The entire chain from first Teams message to active RAT execution has been observed completing in under five minutes. To sustain the campaign and complicate blocking by IT teams, KongTuke rotates across five Microsoft 365 tenants, switching to a new tenant when one is reported and blocked.
ModeloRAT’s Four Persistence Mechanisms and Five-Server C2 Failover Architecture
ModeloRAT is a Python-based remote access trojan designed for operational resilience. It establishes command-and-control with a pool of five servers, using randomized URL patterns to complicate signature-based detection. Beyond the primary RAT channel, ModeloRAT maintains two independent additional access paths: a reverse shell and a TCP backdoor, providing the operator with fallback connectivity if any single channel is disrupted.
For persistence, ModeloRAT installs itself through four separate mechanisms: Windows Run registry keys, Startup folder shortcuts, VBScript-based launchers, and scheduled tasks. The scheduled task persistence survives even if ModeloRAT’s self-destruct routine fires — a design that ensures the attacker retains a reactivation path on the machine even if the RAT binary is removed. Once installed, ModeloRAT collects system and user information, captures screenshots, and exfiltrates files back to the C2 infrastructure.
KongTuke Sells Corporate Footholds to Ransomware Groups After Initial Compromise
KongTuke operates as an initial access broker — it does not conduct ransomware attacks directly. After establishing ModeloRAT persistence on a corporate network, KongTuke packages and sells that access to ransomware operators who then deploy file encryption and data theft tools. The IAB model separates the intrusion phase from the monetization phase, allowing KongTuke to specialize in volume corporate access while ransomware affiliates handle downstream operations.
The five-tenant rotation strategy KongTuke uses to avoid blocking reflects a deliberate operational security posture. By spreading intrusion attempts across multiple Microsoft 365 tenants, the group limits the effectiveness of tenant-level blocking by enterprise Teams administrators and sustains access to new potential targets even as individual tenants are reported and shut down.
Detecting and Blocking KongTuke’s Teams-Based PowerShell Delivery
Organizations should train employees to treat any unsolicited Teams message requesting terminal commands — regardless of the display name or apparent sender identity — as a potential social engineering attempt. IT teams should not initiate troubleshooting sessions through Teams that require employees to manually paste commands into PowerShell.
At the technical level, restricting PowerShell execution policy on user workstations, blocking Dropbox downloads from corporate endpoints, and implementing application control policies that prevent execution of unsigned Python scripts can interrupt KongTuke’s delivery chain before ModeloRAT reaches execution. Monitoring for new scheduled tasks created during or shortly after Teams sessions and reviewing Run key additions in the registry can surface installations that bypassed initial endpoint controls.
Microsoft Teams administrators should enable external access restrictions that limit or log contact from unverified external tenants, reducing the surface available to KongTuke’s multi-tenant rotation strategy.
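One concrete check that complements the external-access controls above is screening Teams display names for the Unicode whitespace and invisible-character padding described earlier. The following is an added example written for this article, not code from ReliaQuest or Microsoft; the trusted-name list and the sample display names are constructed for illustration.

```python
import unicodedata

# Categories that render as blank or invisible: space separators (Zs), line and
# paragraph separators (Zl/Zp) and format characters (Cf) such as zero-width space.
INVISIBLE_CATEGORIES = {"Zs", "Zl", "Zp", "Cf"}


def suspicious_chars(name: str) -> list:
    """Return (index, codepoint, unicode name) for every non-ASCII invisible character."""
    hits = []
    for i, ch in enumerate(name):
        if ch == " ":
            continue  # an ordinary ASCII space is expected in display names
        if unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits


def normalize_display_name(name: str) -> str:
    """Collapse every invisible/whitespace character to one ASCII space, then casefold."""
    out = []
    for ch in unicodedata.normalize("NFKC", name):
        if ch == " " or unicodedata.category(ch) in INVISIBLE_CATEGORIES:
            if out and out[-1] != " ":
                out.append(" ")
        else:
            out.append(ch)
    return "".join(out).strip().casefold()


def assess(name: str, trusted_names: set) -> str:
    """Classify a display name against the organisation's real IT/help-desk names."""
    hits = suspicious_chars(name)
    trusted = {normalize_display_name(t) for t in trusted_names}
    if hits and normalize_display_name(name) in trusted:
        return "IMPERSONATION_LIKELY"  # padded to look like a trusted internal name
    if hits:
        return "SUSPICIOUS_CHARS"      # invisible characters, no trusted name match
    return "CLEAN"


if __name__ == "__main__":
    # Constructed sample: one genuine name and two padded look-alikes.
    TRUSTED = {"IT Help Desk"}  # hypothetical internal naming convention
    for sample in ["IT Help Desk", "IT Help\u200bDesk", "Helpdesk\u2003Bot"]:
        print(repr(sample), assess(sample, TRUSTED), suspicious_chars(sample))
```

Run the same normalization over the tenant's own directory names before comparison, so that trailing non-breaking spaces or zero-width characters in a sender's name cannot slip past a plain string match.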
