Threat Actors Use Hijacked Teams Accounts In ModeloRAT Attacks

Cybercriminals are increasingly weaponizing the trust placed in corporate communication platforms to launch devastating internal attacks.

In a highly sophisticated new campaign, the threat group known as KongTuke is actively hijacking Microsoft Teams accounts to deliver an undetected, evolved version of ModeloRAT.

By posing as internal IT helpdesk staff, these threat actors bypass traditional email defenses and trick unsuspecting employees into initiating a severe network infection.

KongTuke was first publicly documented earlier this year after researchers uncovered their use of distinct social engineering tactics.

However, recent incident response cases reveal a significant evolution in their delivery methods. Instead of relying on standard phishing emails, the attackers now contact victims directly through fake or compromised Microsoft Teams accounts.

Hijacked Teams Deliver ModeloRAT

Once the attacker establishes trust over Microsoft Teams, they instruct the victim to run what appears to be a routine support fix.

In reality, they are using social engineering to trick the user into executing a highly obfuscated PowerShell command.

This command serves as the initial gateway for the malware. It forces the computer to reach out to the internet, download a malicious ZIP archive hosted on Dropbox, and save it directly into the user’s hidden application data folder.

The archive is then silently unpacked on the local machine. It reveals a bundled, portable Python environment alongside malicious Python scripts.

Hijacked Teams Deliver ModeloRAT (Source: linkedin)

By bringing their own self-contained environment to the victim’s computer, the attackers ensure the malware executes flawlessly regardless of the software already installed on the system.

In this newly discovered version of ModeloRAT, the execution flow is intelligently split into two distinct parts. The first component is dedicated solely to system reconnaissance, gathering crucial intelligence on the infected machine’s security posture.

The second component establishes a secure connection with the attacker’s command server. What makes this specific campaign incredibly dangerous is its exceptional stealth capabilities.

The malware has successfully bypassed major enterprise endpoint security products. At the time of discovery, the identified malicious files had zero detections on public malware scanning engines.

To maintain control, the attackers ensure the malware survives system reboots by creating hidden registry keys and scheduling tasks with randomized names.

According to the LinkedIn research, organizations must take immediate and proactive steps to identify and block this emerging threat before it spreads.

Security teams should start by monitoring network traffic for connections to known command-and-control infrastructure.

To defend against these deceptive social engineering tactics, IT departments must implement strict preventative measures to secure their communication channels and file systems.

  • Review Microsoft Teams external access settings to restrict calls and messages from unknown domains or tenants.
  • Block or trigger high-priority alerts on Dropbox downloads from corporate endpoints if there is no strict business requirement.
  • Proactively hunt for unauthorized ZIP file creation or extraction events within hidden application directories.
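The hunting recommendations above, together with the persistence behaviour described earlier (PowerShell fetching a ZIP from Dropbox into AppData, a portable Python runtime launched from that folder, and scheduled tasks with randomized names), translate naturally into a small correlation rule set. The script below is an added example written for this page; it is not code from Cyber Security News or from the cited LinkedIn research. It runs over constructed, Sysmon-style endpoint events embedded inline (the hostnames, paths, task name and field layout are assumptions), scores each host by how many distinct behaviours it exhibits, and escalates hosts that trip several at once, which is what separates a developer's legitimate Python from a bundled runtime dropped under AppData.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified Sysmon-like shape. These records were
# written for this example and are not telemetry from the campaign.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"type": "network", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "www.dropbox.com"},
    {"type": "file", "host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\svc_update\pkg.zip"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Users\jdoe\AppData\Roaming\svc_update\python\python.exe",
     "cmdline": r"python.exe C:\Users\jdoe\AppData\Roaming\svc_update\recon.py"},
    {"type": "process", "host": "WS01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn kq3zx8vh /sc onlogon /tr C:\Users\jdoe\AppData\Roaming\svc_update\run.cmd"},
    # Benign activity on another host: a developer's system Python, a normal download,
    # and a sensibly named scheduled task. None of these should escalate.
    {"type": "process", "host": "WS02",
     "image": r"C:\Program Files\Python311\python.exe",
     "cmdline": r"python.exe C:\dev\build.py"},
    {"type": "file", "host": "WS02",
     "image": r"C:\Program Files\7-Zip\7zG.exe",
     "target": r"C:\Users\asmith\Downloads\report.zip"},
    {"type": "process", "host": "WS02",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn BackupNightly /sc daily /tr C:\tools\backup.cmd"},
]

APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Common switches seen in obfuscated PowerShell launchers (hidden window, policy
# bypass, encoded command, inline base64 decoding).
PS_OBFUSCATION_RE = re.compile(
    r"(-enc\w*\b|-e\s+[A-Za-z0-9+/=]{16,}|-w(?:indowstyle)?\s+hidden|-ep\s+bypass"
    r"|-executionpolicy\s+bypass|frombase64string)", re.IGNORECASE)
TASK_NAME_RE = re.compile(r"/tn\s+(\S+)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def looks_random(name):
    """Heuristic for the randomized task names the article describes: an
    alphanumeric string that mixes letters and digits or has almost no vowels."""
    n = name.strip('"').lower()
    if len(n) < 6 or not n.isalnum():
        return False
    has_digit = any(c.isdigit() for c in n)
    has_alpha = any(c.isalpha() for c in n)
    vowel_ratio = sum(c in "aeiou" for c in n) / len(n)
    return (has_digit and has_alpha) or vowel_ratio < 0.2


def classify_event(ev):
    """Return the list of hunting rules a single event matches."""
    hits = []
    image = ev.get("image", "")
    img = basename(image)
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if img in ("powershell.exe", "pwsh.exe") and PS_OBFUSCATION_RE.search(cmd):
            hits.append("obfuscated_powershell")
        if img in ("python.exe", "pythonw.exe") and APPDATA_RE.search(image):
            hits.append("python_from_appdata")  # bundled runtime, not an installed one
        if img == "schtasks.exe" and "/create" in cmd.lower():
            m = TASK_NAME_RE.search(cmd)
            if m and looks_random(m.group(1)):
                hits.append("random_scheduled_task")
    elif ev["type"] == "network":
        if img in ("powershell.exe", "pwsh.exe") and "dropbox" in ev.get("dest_host", "").lower():
            hits.append("powershell_to_dropbox")
    elif ev["type"] == "file":
        target = ev.get("target", "")
        if target.lower().endswith(".zip") and APPDATA_RE.search(target):
            hits.append("zip_in_appdata")
    return hits


def hunt(events):
    """Aggregate distinct rule hits per host."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify_event(ev))
    return {host: sorted(rules) for host, rules in per_host.items()}


def flag_hosts(events, min_rules=3):
    """Escalate hosts that exhibit several of the behaviours together."""
    return sorted(h for h, rules in hunt(events).items() if len(rules) >= min_rules)


if __name__ == "__main__":
    for host, rules in hunt(SAMPLE_EVENTS).items():
        print(host, rules)
    print("escalate:", flag_hosts(SAMPLE_EVENTS))
```

Any single rule here will fire on legitimate activity somewhere in a large estate, which is why the script escalates on the combination rather than on one hit; in practice you would feed it real process, file and network events from your EDR or Sysmon pipeline and tune `min_rules` and the task-name heuristic against your own baseline.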


The post Threat Actors Use Hijacked Teams Accounts In ModeloRAT Attacks appeared first on Cyber Security News.
