SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers

KongTuke uses Microsoft Teams chats to breach firms

Fri, 15th May 2026
Sofiah Nichole Salivio, News Editor

ReliaQuest has reported that the cybercrime group KongTuke is using external Microsoft Teams chats to gain initial access to corporate systems. It says this is the first time it has seen the group use a collaboration platform in this way.

Attackers impersonate internal help-desk staff in one-to-one Teams conversations and persuade employees to run a PowerShell command on their own machines. ReliaQuest says the command downloads a ZIP archive containing a portable WinPython runtime and a malware toolkit known as ModeloRAT, which then establishes persistence on the infected device.

ReliaQuest linked the campaign to KongTuke through the reuse of the group's custom Python loader. The group had previously relied on compromised WordPress sites to host so-called ClickFix and CrashFix lures, including fake CAPTCHA and browser crash pages designed to prompt users to paste and run commands.

The shift to Teams adds a new delivery route rather than replacing the earlier web-based method. In cases ReliaQuest reviewed, a single external chat moved from first contact to a persistent foothold on a target machine in less than five minutes.

New access route

Researchers said the operator used a support-themed approach that mirrors techniques associated with Black Basta, a ransomware group that is no longer active but whose methods remain widely copied. In the incidents investigated, the attacker posed as IT support or a help-desk contact and used display-name spoofing to appear similar to a legitimate internal colleague in the Teams interface.

The campaign used multiple Microsoft 365 tenants over a 45-day period, a tactic intended to frustrate defensive blocks. ReliaQuest observed the operator rotating through five tenants during that time, allowing it to shift to fresh infrastructure before sender domains could be blocked.

That matters because many organisations treat email as a tightly governed threat vector while allowing broad external messaging in workplace chat tools. Security teams often train staff to question unexpected emails but may not apply the same controls or scrutiny to collaboration platforms.

Durable malware

The malware deployed in the campaign was designed to survive partial disruption. ModeloRAT uses three separate command-and-control routes on distinct infrastructure, allowing the attacker to maintain access even if one channel is blocked.

The toolkit also spreads persistence across four different triggers. On infected systems, researchers observed a registry Run key, a shortcut in the Startup folder, and a VBScript launcher under the user's AppData directory. On some hosts, particularly where the operator carried out follow-on activity, they also found a scheduled task running at SYSTEM level.

This layered approach means standard clean-up can miss a remaining access mechanism. ReliaQuest's review found that a self-destruct routine removed some persistence artefacts but did not check for or delete the scheduled task, leaving a route for the malware to survive a reboot and remain active.

ModeloRAT also uses a portable WinPython package stored in a WPy64-* folder under the user's AppData\Roaming directory (the location %APPDATA% resolves to), so Python does not need to be installed on the target device. Scripts are run through WinPython's signed pythonw.exe, an interpreter that opens no console window, so the process itself looks like an ordinary Python runtime; what gives it away is the script path under AppData and the process that launched it, not the binary.
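As an added example, the following PowerShell hunt is the editor's own code, not ReliaQuest's or the article's. It checks a host for the four persistence triggers described in this section and for the WinPython drop that ReliaQuest later advises hunting for, and it deliberately includes the scheduled task that the self-destruct routine left behind. The indicator patterns are assumptions drawn from the article's description and will need tuning against your own estate; run it from an elevated prompt so that every user profile and the SYSTEM-level task are visible.

```powershell
# Added example (editor's code, not from ReliaQuest or the article): hunt for the
# ModeloRAT persistence artefacts and the portable WinPython drop on one host.
# Patterns are assumptions based on the article; tune before use. Needs PowerShell 5+.

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# Indicators taken from the report: the WPy64-* folder, the pythonw.exe interpreter,
# and VBScript / script-host launchers.
$suspicious = 'WPy64-|pythonw?\.exe|\.vbs\b|wscript\.exe|cscript\.exe'
$profiles   = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue

# 1. Portable WinPython under AppData\Roaming (%APPDATA% already resolves there,
#    so the folder is <profile>\AppData\Roaming\WPy64-*).
foreach ($p in $profiles) {
    $dirs = Get-ChildItem -Path (Join-Path $p.FullName 'AppData\Roaming') -Filter 'WPy64-*' -Directory -ErrorAction SilentlyContinue
    foreach ($d in $dirs) {
        $pyw = Get-ChildItem -Path $d.FullName -Recurse -Filter 'pythonw.exe' -File -ErrorAction SilentlyContinue | Select-Object -First 1
        $detail = if ($pyw) { $pyw.FullName } else { 'pythonw.exe not found' }
        Add-Finding 'WinPythonDir' $d.FullName $detail
    }
}

# 2. Registry Run keys: HKLM plus every loaded user hive under HKEY_USERS.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
}
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath etc. are not values
        if ("$($prop.Value)" -match $suspicious) { Add-Finding 'RunKey' "$key\$($prop.Name)" "$($prop.Value)" }
    }
}

# 3. Startup-folder shortcuts: resolve each .lnk to the command it actually launches.
$wsh = New-Object -ComObject WScript.Shell
$startupDirs  = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += $profiles | ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }
foreach ($dir in $startupDirs) {
    foreach ($lnk in Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue) {
        $sc  = $wsh.CreateShortcut($lnk.FullName)
        $cmd = "$($sc.TargetPath) $($sc.Arguments)"
        if ($cmd -match $suspicious) { Add-Finding 'StartupShortcut' $lnk.FullName $cmd }
    }
}

# 4. VBScript launchers under AppData: any .vbs there is unusual enough to list,
#    with its first lines so an analyst can see what it launches.
foreach ($p in $profiles) {
    $vbs = Get-ChildItem -Path (Join-Path $p.FullName 'AppData') -Recurse -Depth 4 -Filter '*.vbs' -File -ErrorAction SilentlyContinue
    foreach ($f in $vbs) {
        $head = (Get-Content -Path $f.FullName -TotalCount 3 -ErrorAction SilentlyContinue) -join ' | '
        Add-Finding 'VbsLauncher' $f.FullName $head
    }
}

# 5. Scheduled tasks: the self-destruct routine did not remove this one, so check it
#    even on hosts that otherwise look clean. The principal shows SYSTEM-level tasks.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $suspicious) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) [RunAs: $($task.Principal.UserId)]" $cmd
        }
    }
}

if ($findings.Count -eq 0) { Write-Host 'No matching artefacts found.' }
else { $findings | Sort-Object Type | Format-Table -AutoSize -Wrap }
```

A host is not clean until every row returned here has been explained; a run key or Startup shortcut that has already been removed says nothing about the scheduled task, which is the one artefact the malware's own clean-up missed.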

Fast compromise

Once a user runs the command, the sequence moves quickly. ReliaQuest said WinPython typically landed on disk within 90 seconds, reconnaissance began within two minutes, and outbound beaconing to attacker infrastructure was under way by the five-minute mark.

The first stage gathers system and user information, including account details, domain information, and directory data. That information is saved locally before being handed to the main implant, which then communicates with a pool of command servers using rotating infrastructure and randomised URL paths.

Researchers said the malware could also capture screenshots and exfiltrate files. In one example cited in the report, files were sent in a single uncompressed HTTP POST request, with no size limit enforced by the tool.

Defensive response

The findings underline a broader challenge for corporate defenders as social engineering shifts into trusted communication tools. A direct message inside the same platform employees use every day can look low risk, especially if external federation is enabled by default and the sender's display name resembles that of an internal contact.

ReliaQuest advised organisations to restrict external Teams federation to a trusted-organisation allowlist rather than relying on sender or domain blocks alone, since a blocked domain is simply replaced by the next tenant in the rotation. It also urged security teams to hunt for portable Python installations in WPy64-* folders under each user's AppData\Roaming directory (the location %APPDATA% resolves to) and to account for every persistence artefact, the SYSTEM-level scheduled task included, before restoring affected machines to normal use.
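As an added example of the allowlist approach, the following is the editor's own code, not ReliaQuest's or Microsoft's. It uses the Set-CsTenantFederationConfiguration cmdlet from the MicrosoftTeams PowerShell module to keep external access on only for a named set of organisations and to switch off chat from personal Teams and Skype accounts. The partner domains are placeholders, and parameter names should be checked against the module version in use.

```powershell
# Added example (editor's code, not from the article or ReliaQuest): move Teams external
# access from "open to every domain" to an allowlist of trusted organisations.
# Requires the MicrosoftTeams module and a Teams administrator role; domain names are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Baseline: record the current tenant-wide settings before changing anything.
# AllowedDomains reporting "AllowAllKnownDomains" means any external tenant can open a chat.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowPublicUsers, AllowedDomains, BlockedDomains

# Keep federation on, but only with the listed organisations. Blocking rotating sender
# domains one by one is what the five-tenant rotation in the campaign was designed to beat.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @('partner-one.example', 'partner-two.example') `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

# Verify: the result should list only the allowlisted domains.
(Get-CsTenantFederationConfiguration).AllowedDomains
```

The allowlist is the control that survives tenant rotation: a fresh attacker tenant is not on it, so no chat arrives and there is nothing for the help-desk pretext to work on. It does not address an attacker who has compromised an allowlisted partner, which is why ReliaQuest pairs it with host-side hunting.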

Stuart Ashenbrenner, Senior Director of Threat Research at ReliaQuest, said: "Help-desk impersonation is likely becoming the collaboration-platform counterpart of traditional email-based phishing. The tactic is widespread because it's effective, and as it continues to see success, more actors will likely adopt it."

He added: "In practice, that leaves very little time for manual response. By the time a Teams message is reported and reviewed, the host may already be beaconing and persistent."