KongTuke redefines the IAB with rapid and persistent intrusions into corporate networks through Teams

Published · 4 min read · 35 reads

An initial access broker (IAB) tracked as KongTuke has shifted its lure vector to Microsoft Teams, in some cases achieving a persistent intrusion into corporate networks in under five minutes. Posing as internal support staff, the actor convinces employees to paste and run on their machines a PowerShell command that downloads from Dropbox a ZIP package containing a portable WinPython environment, which in turn launches the malware known as ModeloRAT.

Several elements make the tactic dangerous: the use of external federation in Teams to contact victims, sender names that appear internal thanks to Unicode whitespace tricks, and the use of legitimate services (e.g. Dropbox) to host the initial payload. The result is a fast and convincing access channel that bypasses both human and automated controls once a trusted employee executes the requested command.

Image generated with AI.

Technically, the sample observed by ReliaQuest is not a simple RAT: it has a more resilient command-and-control architecture with a pool of five servers, randomized URL paths and self-update capability; it maintains multiple access paths (primary RAT, reverse shell and TCP backdoor) on separate infrastructure; and it uses several persistence mechanisms, including Run keys, Startup folder shortcuts, VBScript launchers and SYSTEM-level scheduled tasks which, according to the researchers, are not removed by the implant's self-destruct routine and can survive reboots.

The KongTuke shift illustrates two converging trends: the commoditization of access by IABs, who resell it to ransomware operators, and the weaponization of collaboration platforms as a delivery vector because of the implicit trust they carry. These platforms make targeted social engineering easy and allow actors to rotate Microsoft 365 tenants in order to evade traditional blocklists and blocks.

For organisations, the implications are clear: it is not enough to trust that periodic controls or basic training will stop these campaigns. It is critical to combine Microsoft 365 tenant policies, endpoint controls and telemetry to prevent, detect and contain attempts that originate inside legitimate collaboration flows.

For immediate prevention, it is recommended to implement allowlists for Teams external federation and to limit direct messaging with unmanaged domains; Microsoft documents how to manage external access and federation in Teams and Exchange in its admin center, and this configuration should be reviewed and hardened in high-risk organizations: https://learn.microsoft.com/microsoft-365/solutions/manage-external-access?view=o365-worldwide. In parallel, hardening measures such as strict MFA enforcement, Conditional Access policies and application control (AppLocker or Windows Defender Application Control) help ensure that a command pasted by a user does not translate into malicious code execution.
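As an added example (not from the article or from Microsoft's documentation), the following PowerShell script applies the tenant-side hardening described above with the MicrosoftTeams module: it replaces open federation with an explicit allowlist of partner domains and blocks chats from consumer and trial tenants, which are the kind of throwaway tenants an IAB can rotate through. The partner domain is a placeholder; the cmdlets and parameter names are real, but the `ExternalAccessWithTrialTenants` setting only exists in recent versions of the module.

```powershell
# Added example: restrict Teams external federation to an explicit allowlist.
# Requires the MicrosoftTeams module and a Teams administrator sign-in.
Connect-MicrosoftTeams

# Placeholder partner domains: replace with the tenants you actually federate with.
$partners = @('partner-example.com')

# Build the allowlist object expected by -AllowedDomains.
$patterns  = foreach ($d in $partners) { New-CsEdgeDomainPattern -Domain $d }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

$federation = @{
    AllowFederatedUsers = $true        # keep federation on, but only for the allowlist
    AllowedDomains      = $allowList   # everything not listed here is blocked
    AllowTeamsConsumer  = $false       # no chats from personal (consumer) Teams accounts
    AllowPublicUsers    = $false       # no chats from Skype consumer users
}
Set-CsTenantFederationConfiguration @federation

# Block unmanaged trial tenants as well (requires a recent MicrosoftTeams module).
Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Blocked

# Review the effective configuration before closing the change.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers,
                  ExternalAccessWithTrialTenants, AllowedDomains
```

Pair this with a Conditional Access policy that requires MFA and a compliant device for Teams, so that a message from an allowlisted partner still cannot be sent from an unmanaged session.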


For detection and response, it is essential to hunt for specific artifacts: SYSTEM-level scheduled tasks, unusual Run key entries, shortcuts in Startup folders, VBScript launchers, and the presence of portable WinPython environments or files such as Pmanager.py. ReliaQuest published indicators of compromise and a detailed analysis that should be incorporated into threat hunting and SIEM rules: https://reliaquest.com/blog/threat-spotlight-help-desk-lure-drop-kongtukes-evolved-modorlorat. It is also recommended to integrate ransomware and data exfiltration response guidance from authorities such as CISA for containment and recovery procedures: https://www.cisa.gov/stopransomware.
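As an added hunting script (written for this page, not part of ReliaQuest's analysis), the following PowerShell functions enumerate the persistence locations the article names on a single Windows host and flag entries that launch a script host, python or PowerShell, or that reference a WinPython directory or a Pmanager.py file. The names WinPython and Pmanager.py come from the article; the search roots, depth and the regular expression are assumptions that you should widen to match your environment. Run it as an administrator.

```powershell
# Added example: enumerate the persistence artifacts described in the article.
# Pattern for launchers worth a second look (assumption: tune to your environment).
$SuspectPattern = 'python|wscript|cscript|powershell|\.vbs|\.py|WinPython|Pmanager\.py'

function Get-SuspiciousScheduledTasks {
    # Scheduled tasks running as SYSTEM whose action matches the pattern.
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' } |
      ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $SuspectPattern) {
                [pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName
                                   Location = $task.TaskPath; Command = $cmd }
            }
        }
      }
}

function Get-SuspiciousRunKeys {
    # Run / RunOnce values for the machine and the current user.
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            if ("$($p.Value)" -match $SuspectPattern) {
                [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Location = $k; Command = $p.Value }
            }
        }
    }
}

function Get-SuspiciousStartupItems {
    # Shortcuts and scripts dropped into the common and per-user Startup folders.
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    $shell = New-Object -ComObject WScript.Shell
    foreach ($f in $folders) {
        Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue | ForEach-Object {
            # Resolve .lnk targets so the real launcher is inspected, not the shortcut name.
            $target = if ($_.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName); "$($lnk.TargetPath) $($lnk.Arguments)"
            } else { $_.FullName }
            if ($target -match $SuspectPattern) {
                [pscustomobject]@{ Type = 'Startup'; Name = $_.Name; Location = $f; Command = $target }
            }
        }
    }
}

function Get-PortablePythonArtifacts {
    # Portable WinPython trees and Pmanager.py under user-writable roots (assumed roots and depth).
    $roots = $env:USERPROFILE, $env:ProgramData, $env:TEMP
    foreach ($r in $roots) {
        Get-ChildItem -Path $r -Recurse -Depth 4 -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -match '^WinPython|^Pmanager\.py$' } |
          ForEach-Object {
            [pscustomobject]@{ Type = 'FileArtifact'; Name = $_.Name; Location = $_.FullName; Command = '' }
          }
    }
}

$findings = @(Get-SuspiciousScheduledTasks; Get-SuspiciousRunKeys
              Get-SuspiciousStartupItems;   Get-PortablePythonArtifacts)
$findings | Format-Table -AutoSize
```

Because the article notes that the SYSTEM-level task survives the implant's self-destruct routine, an empty result from the Run key and Startup checks alone is not evidence of a clean host; treat any SYSTEM task that launches python or a script host as a finding to be matched against the published indicators.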

If a possible infection is detected, immediately isolate the affected host from the network, preserve memory and disk images for forensic analysis, and bear in mind that the presence of the SYSTEM-level scheduled task may require manual cleanup or a full rebuild of the system if there is any doubt that persistence has been completely removed. In addition, start a review of credentials and active sessions: IABs aim to pivot and sell access, so there is a high risk that accounts and sessions have been compromised.

Finally, the organizational response should include updated staff training: beyond "do not click," explain why pasting commands and running binaries from external chats is dangerous and which signs give away impostors in Teams (names containing Unicode spaces, non-business domains, urgent requests and technical instructions outside the normal procedure). The combination of rigorous tenant policies, proactive endpoint controls and a well-rehearsed response significantly shrinks the window of action for actors like KongTuke.
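Two of the signs listed above, Unicode whitespace in a display name and a non-business sender domain, can be checked mechanically. The PowerShell function below is an added example (not from the article) that scores a sender against those signs; the sample senders are constructed for illustration and the `Get-CsOnlineUser` export it is meant to be fed with is an assumption about how you obtain the list of external contacts.

```powershell
# Added example: flag Teams sender identities that imitate internal staff.
# Non-ASCII whitespace and invisible characters used to pad or disguise names.
$OddWhitespace = '[\u00A0\u2000-\u200B\u202F\u205F\u3000\uFEFF]'

function Test-SuspiciousSender {
    param(
        [Parameter(Mandatory)] [string]$DisplayName,
        [Parameter(Mandatory)] [string]$Upn,
        # Assumption: the organisation's own and allowlisted partner domains.
        [string[]]$TrustedDomains = @('corp.example')
    )
    $reasons = @()
    if ($DisplayName -match $OddWhitespace) {
        $reasons += 'display name contains Unicode whitespace or invisible characters'
    }
    if ($DisplayName -match '\s{2,}|^\s|\s$') {
        $reasons += 'display name padded with extra spaces'
    }
    $domain = ($Upn -split '@')[-1].ToLowerInvariant()
    if ($domain -notin $TrustedDomains) {
        $reasons += "sender domain '$domain' is not a trusted business domain"
    }
    if ($DisplayName -match '(?i)help ?desk|it support|service desk' -and $domain -notin $TrustedDomains) {
        $reasons += 'support-staff persona from an external domain'
    }
    [pscustomobject]@{ DisplayName = $DisplayName; Upn = $Upn
                       Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Constructed sample senders: one legitimate, one impostor with a no-break space.
$samples = @(
    @{ DisplayName = 'IT Support';                 Upn = 'helpdesk@corp.example' },
    @{ DisplayName = "IT Support$([char]0x00A0)";  Upn = 'helpdesk@outlook.com' }
)
$samples | ForEach-Object { Test-SuspiciousSender @_ } | Format-Table -AutoSize
```

The same regular expression can be applied to the display names of external contacts exported from the tenant, or to the sender field of Teams message telemetry, so that the name-padding trick becomes a detection rule rather than something users are asked to notice.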
