Full Report
Initial access broker KongTuke has moved to Microsoft Teams for social engineering attacks, taking as little as five minutes to gain persistent access to corporate networks. [...]
Analysis Summary
# Threat Actor: KongTuke
## Attribution & Identity
* **Actor Name:** KongTuke
* **Role:** Initial Access Broker (IAB)
* **Known Associations:** Associated with "ClickFix" style social engineering tactics (specifically "FileFix" and "CrashFix"). They are known to sell access to downstream ransomware operators.
## Activity Summary
Since at least April 2026, KongTuke has expanded its repertoire from web-based lures to utilizing collaboration platforms. The actor initiates "cold outreach" via Microsoft Teams, impersonating internal IT/help-desk staff. In observed cases, the actor transitioned from the initial message to a persistent network foothold in under five minutes.
## Tactics, Techniques & Procedures
* **Phishing/Social Engineering:** Impersonating IT support via Microsoft Teams. Uses Unicode whitespace characters in display names to bypass visual detection and mimic legitimate internal staff.
* **User Execution:** Tricks victims into manually copying and pasting a malicious PowerShell command into their terminal.
* **Living off the Land:** Extensive use of PowerShell for initial execution and WinPython (portable environment) for malware execution.
* **Persistence:**
  * Registry Run keys.
  * Startup folder shortcuts.
  * VBScript launchers.
  * SYSTEM-level scheduled tasks (noted for surviving the malware's own self-destruct routine).
* **Evasion:** Rotating through multiple Microsoft 365 tenants (at least five identified) to evade tenant-level blocking.
* **Multi-Channel Access:** Maintains redundant access via a primary RAT, a reverse shell, and a TCP backdoor, each operating on separate infrastructure.
* **MITRE ATT&CK IDs:**
  * T1566.003 (Phishing: Internal Phishing/Spearphishing via Service)
  * T1059.001 (Command and Scripting Interpreter: PowerShell)
  * T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
  * T1053.005 (Scheduled Task/Job: Scheduled Task)
  * T1564.007 (Hide Artifacts: Unicode Whitespace)
## Targeting
* **Sectors:** Corporate networks across various industries (typical for IABs).
* **Geography:** Global (implied by the use of Microsoft Teams and cloud services).
* **Victims:** Corporate employees, specifically targeting those who may be susceptible to IT help-desk lures.
## Tools & Infrastructure
* **Malware:**
  * **ModeloRAT (Pmanager.py):** A Python-based RAT capable of system info collection, screenshots, and file exfiltration.
* **Infrastructure:**
  * **Cloud Storage:** Used Dropbox for hosting ZIP archives containing the WinPython environment.
  * **C2 Architecture:** Resilient 5-server pool with automatic failover and randomized URL paths.
* **Defanged Indicators:**
  * `hxxps[://]dropbox[.]com/...` (Initial payload delivery)
  * Microsoft 365 Tenants (Actor-controlled for outreach)
## Implications
KongTuke represents a significant shift in IAB tradecraft by moving away from browser-based exploits toward high-trust collaboration platforms. Their ability to achieve persistence within five minutes highlights a high level of operational efficiency. The use of redundant access channels and "sticky" persistence (surviving self-destruct routines) suggests a sophisticated understanding of incident response and cleanup procedures.
## Mitigations
* **Teams Security:** Restrict external Microsoft Teams federation. Use an "Allowlist" approach to permit communication only with known, trusted external domains.
* **Endpoint Defense:** Monitor for unusual PowerShell execution, particularly commands involving network connections to cloud storage providers like Dropbox.
* **Access Control:** Implement the principle of least privilege to prevent the creation of SYSTEM-level scheduled tasks by standard users.
* **User Training:** Educate employees that IT support will never ask them to copy and paste PowerShell commands or scripts directly into their systems via chat applications.
* **Persistence Hunting:** Regularly audit Scheduled Tasks and Registry Run keys for unauthorized Python or VBScript entries.
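As an added example (not part of the report), a PowerShell hunt that walks the three persistence locations the summary lists for this actor (Run keys, Startup-folder shortcuts, SYSTEM scheduled tasks) and flags entries whose command line references a Python or VBScript interpreter; the keyword pattern is an assumption chosen to match the WinPython and VBScript launchers described above.

```powershell
# Added example, not from the report. Run in an elevated session.
# Assumed indicator pattern: Python/WinPython interpreters and script-host launchers.
$SuspiciousPattern = 'python|winpython|\.py\b|wscript|cscript|\.vbs\b|\.vbe\b'
$Findings = [System.Collections.Generic.List[object]]::new()

# 1. Registry Run / RunOnce keys (T1547.001), both machine and current-user hives
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    # Skip the PS* metadata properties the provider adds; the rest are Run entries
    foreach ($Name in ($Props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name) {
        $Value = [string]$Props.$Name
        if ($Value -match $SuspiciousPattern) {
            $Findings.Add([pscustomobject]@{ Source = "RunKey $Key"; Name = $Name; Command = $Value })
        }
    }
}

# 2. Startup folders (T1547.001); resolve .lnk targets so a benign-looking shortcut name is not enough to hide
$Shell = New-Object -ComObject WScript.Shell
$StartupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($Dir in $StartupDirs) {
    Get-ChildItem -Path $Dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $Target = $_.FullName
        if ($_.Extension -eq '.lnk') {
            $Lnk = $Shell.CreateShortcut($_.FullName)
            $Target = "$($Lnk.TargetPath) $($Lnk.Arguments)"
        }
        if ($Target -match $SuspiciousPattern) {
            $Findings.Add([pscustomobject]@{ Source = 'Startup folder'; Name = $_.Name; Command = $Target })
        }
    }
}

# 3. Scheduled tasks running as SYSTEM (T1053.005); the report notes these outlive the self-destruct routine
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' } | ForEach-Object {
    foreach ($Action in $_.Actions) {
        $Cmd = "$($Action.Execute) $($Action.Arguments)"
        if ($Cmd -match $SuspiciousPattern) {
            $Findings.Add([pscustomobject]@{ Source = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $Cmd })
        }
    }
}

$Findings | Format-Table -AutoSize -Wrap
```

Baseline the output on a known-clean host first, since legitimate Python tooling will also match the pattern; what matters is entries that were not there before.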