
Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks.
The threat actor tricks users into pasting a PowerShell command that ultimately delivers ModeloRAT, which has previously been observed in ClickFix attacks [1, 2].
Initial access brokers (IABs) like KongTuke typically sell corporate network access to ransomware operators, who use it to deploy file-theft and data-encrypting malware.
Cybercriminals have increasingly adopted Microsoft Teams in their attacks, reaching out to company employees while posing as IT and help-desk staff.
The victims are convinced to run a malicious PowerShell command on their systems, which deploys the "ModeloRAT" malware.

Source: ReliaQuest
ReliaQuest researchers observed this activity and say it marks a shift in tactics for KongTuke, which previously relied solely on web-based "FileFix" and "CrashFix" lures.
"This Teams activity, which appears to add to, rather than replace, that web-based approach, marks the first time we've observed KongTuke use a collaboration platform for initial access," explains ReliaQuest.
"In the incidents we investigated, a single external Teams chat moved the operator from cold outreach to a persistent foothold in under five minutes."
The campaign has been active since at least April 2026, with KongTuke rotating through five Microsoft 365 tenants to evade blocking, the researchers say.
To pass as internal IT support staff, the attacker uses Unicode whitespace tricks to make the display name appear legitimate.
The malicious PowerShell command shared via Teams downloads a ZIP archive from Dropbox that contains a portable WinPython environment, which ultimately launches the Python-based malware, ModeloRAT (Pmanager.py).
The malware collects system and user information, captures screenshots, and can exfiltrate files from the host filesystem.
ReliaQuest notes that the ModeloRAT version used in this recent campaign has evolved compared to what was seen in earlier operations, mostly in three ways:
- A more resilient C2 architecture with a five-server pool, automatic failover, randomized URL paths, and self-update capability.
- Multiple independent access paths, including a primary RAT, a reverse shell, and a TCP backdoor, running on separate infrastructure to preserve access if one channel is disrupted.
- Expanded persistence mechanisms using Run keys, Startup shortcuts, VBScript launchers, and SYSTEM-level scheduled tasks that can survive standard cleanup procedures.
The researchers note that the scheduled task is not removed by the implant's self-destruct routine, which wipes the other persistence mechanisms, and it can persist through system reboots.

Source: ReliaQuest
To defend against Teams-initiated attacks, it is recommended to restrict external Microsoft Teams federation using allowlists so that these attempts are blocked at the outset.
Additionally, administrators can use the indicators of compromise available in ReliaQuest's report to hunt for attacks, signs of compromise, and persistence artifacts.
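The federation allowlist recommended above can be applied with the Microsoft Teams PowerShell module. The following is an added example written for this page; it is not ReliaQuest's or Microsoft's own script, the partner domains are placeholders, and the cmdlet and parameter names are those of the MicrosoftTeams module as documented at the time of writing (check them against the module version you have installed).

```powershell
# Added example: replace open external federation (any Microsoft 365 tenant
# can message your users, which is what the Teams lure relies on) with an
# allowlist of known partner tenants, and switch off Teams consumer accounts.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Placeholder partner domains; replace with the tenants you actually work with.
$AllowedPartners = @('partner-one.example', 'partner-two.example')

# Weak setting (the usual default): -AllowFederatedUsers $true with no domain
# list, so every external tenant, including the attacker's rotating ones, can
# start a chat. The hardened setting below keeps federation on but only for
# the listed domains, and blocks personal (consumer) Teams accounts entirely.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $AllowedPartners `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# Read the configuration back so the change can be verified and recorded.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

An allowlist means a new partner tenant has to be added explicitly before it can message staff, which is the operational cost of closing the channel this campaign used; pair it with an internal instruction that IT support never asks users to paste commands from a chat.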
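The persistence locations named above (Run keys, Startup shortcuts, VBScript launchers, and SYSTEM-level scheduled tasks) can be swept from an endpoint with a short triage script. The following is an added example, not code from ReliaQuest's report or from the article: the strings "WinPython" and "Pmanager.py" are taken from the article, while the remaining indicator strings, the choice of locations, and the output format are this example's own assumptions. It is read-only and runs on any Windows host with PowerShell 5.1 or later.

```powershell
# Added example: enumerate the persistence mechanisms the article attributes
# to ModeloRAT and report any entry that references a Python runtime or
# VBScript launcher. "WinPython" and "Pmanager.py" come from the article;
# the python.exe / pythonw.exe / .vbs matches are assumptions for triage.
$Indicators = @('WinPython', 'Pmanager.py', 'python.exe', 'pythonw.exe', '.vbs')

function Test-Indicator {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($i in $Indicators) {
        if ($Text -like "*$i*") { return $true }
    }
    return $false
}

$Findings = New-Object System.Collections.Generic.List[object]

# 1. Run keys, per-user and machine-wide (the implant's self-destruct routine
#    reportedly clears these, so an empty result here is not an all-clear).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if (Test-Indicator $p.Value) {
            $Findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Detail = $p.Value })
        }
    }
}

# 2. Startup folders: resolve .lnk targets and flag every .vbs launcher,
#    since a VBScript in a Startup folder is unusual on a managed workstation.
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$Shell = New-Object -ComObject WScript.Shell
foreach ($dir in $StartupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem -Path $dir -File -Force) {
        $detail = $f.FullName
        if ($f.Extension -ieq '.lnk') {
            $lnk = $Shell.CreateShortcut($f.FullName)
            $detail = "$($lnk.TargetPath) $($lnk.Arguments)"
        } elseif ($f.Extension -ieq '.vbs') {
            $detail = Get-Content -Path $f.FullName -Raw
        }
        if ((Test-Indicator $detail) -or ($f.Extension -ieq '.vbs')) {
            $snippet = $detail.Substring(0, [Math]::Min(200, $detail.Length))
            $Findings.Add([pscustomobject]@{ Type = 'Startup'; Location = $f.FullName; Detail = $snippet })
        }
    }
}

# 3. Scheduled tasks that run as SYSTEM: the article reports this is the one
#    mechanism the implant's self-destruct leaves behind and that survives reboots.
foreach ($task in Get-ScheduledTask) {
    $runAs = $task.Principal.UserId
    if ($runAs -ne 'SYSTEM' -and $runAs -ne 'S-1-5-18') { continue }
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Indicator $cmd) {
            $Findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd })
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM keys, the common Startup folder, and SYSTEM tasks are all readable; for fleet-wide use, replace the final `Format-Table` with `Export-Csv` and collect the results centrally. Because the self-destruct routine removes the Run-key and Startup entries but not the scheduled task, a host that shows only a suspicious SYSTEM task is consistent with a cleanup having already run, and should be treated as previously compromised rather than clean.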