

Ethical Hacking News

KongTuke Hackers' Latest Shift: Leveraging Microsoft Teams for Corporate Breaches



KongTuke hackers have leveraged Microsoft Teams to gain unauthorized access to corporate networks, using trickery to convince users to run malicious PowerShell commands on their systems. This marks a significant shift in the threat actor's tactics, as they rotate through multiple Microsoft 365 tenants to evade detection. Learn more about how this is changing the face of cybercrime and what it means for businesses to take action.

  • KongTuke hackers have been using Microsoft Teams to gain unauthorized access to corporate networks.
  • The use of Microsoft Teams is a new development in the tactics employed by KongTuke, which previously relied on web-based lures.
  • Microsoft Teams is being used to trick users into running malicious PowerShell commands on their systems, delivering the ModeloRAT malware.
  • KongTuke hackers have rotated through five Microsoft 365 tenants to evade blocking since at least April 2026.
  • The attackers use Unicode whitespace tricks to make their display name look like that of legitimate internal IT support staff.
  • ModeloRAT malware has evolved significantly, featuring a more resilient C2 architecture with automatic failover and self-update capabilities.
  • The use of Microsoft Teams highlights the importance of employee education and awareness in cybersecurity.



    Microsoft Teams has become a new playground for cybercriminals, as KongTuke hackers have recently been utilizing the platform to gain unauthorized access to corporate networks. According to recent reports from ReliaQuest researchers, this is a significant shift in tactics for the threat actor, who previously relied solely on web-based "FileFix" and "CrashFix" lures.

    The use of Microsoft Teams by KongTuke hackers is a new development in the ongoing cat-and-mouse game between cybercriminals and security professionals. By leveraging the platform's built-in collaboration features, these hackers are able to trick users into running malicious PowerShell commands on their systems, ultimately delivering the ModeloRAT malware.

    In an interview with ReliaQuest, a senior security researcher explained that this activity marks the first time KongTuke has used a collaboration platform for initial access. The campaign has been active since at least April 2026, with the hackers rotating through five Microsoft 365 tenants to evade blocking.

    To initiate their attacks, the attackers use Unicode whitespace tricks to make their display name look like that of legitimate internal IT support staff. They then share malicious PowerShell commands via Teams that download a ZIP archive from Dropbox, which eventually launches the Python-based malware, ModeloRAT (Pmanager.py).
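    As an added detection sketch (not code from ReliaQuest or the original article), the following flags external chat senders whose display name hides non-standard whitespace or invisible characters, or imitates IT support, and groups matching names by tenant to surface tenant rotation. The record fields, the keyword list and the sample data are assumptions constructed for illustration.

```python
import unicodedata
from collections import defaultdict

# Assumed phrases for names that imitate internal IT support (hypothetical list).
SUPPORT_WORDS = ("help desk", "helpdesk", "it support", "service desk")

def suspicious_chars(name):
    """List code points that are non-ASCII spaces (Zs), separators (Zl/Zp) or format chars (Cf)."""
    return [f"U+{ord(c):04X}" for c in name
            if c != " " and unicodedata.category(c) in ("Zs", "Zl", "Zp", "Cf")]

def normalize(name):
    """Drop invisible format chars, fold every space variant to ' ', collapse runs, casefold."""
    out = []
    for c in unicodedata.normalize("NFKC", name):
        cat = unicodedata.category(c)
        if cat == "Cf":
            continue
        out.append(" " if cat.startswith("Z") else c)
    return " ".join("".join(out).split()).casefold()

def review(events):
    """Return (alerts, rotating): flagged external senders, and names seen from more than one tenant."""
    alerts, tenants_by_name = [], defaultdict(set)
    for ev in events:
        if not ev["external"]:
            continue
        hidden = suspicious_chars(ev["display_name"])
        clean = normalize(ev["display_name"])
        imitates = any(w in clean for w in SUPPORT_WORDS)
        if hidden or imitates:
            alerts.append({"tenant": ev["tenant_id"], "name": clean,
                           "hidden": hidden, "imitates_support": imitates})
            tenants_by_name[clean].add(ev["tenant_id"])
    rotating = {n: sorted(t) for n, t in tenants_by_name.items() if len(t) > 1}
    return alerts, rotating

# Constructed sample records; the field names are assumptions, not a Teams log schema.
SAMPLE = [
    {"display_name": "IT\u2003Support\u200b", "tenant_id": "tenant-A", "external": True},
    {"display_name": "IT Support\u00a0", "tenant_id": "tenant-B", "external": True},
    {"display_name": "Dana Reyes", "tenant_id": "tenant-C", "external": True},
    {"display_name": "IT Support", "tenant_id": "home", "external": False},
]

if __name__ == "__main__":
    alerts, rotating = review(SAMPLE)
    for alert in alerts:
        print(alert)
    print("same name from multiple tenants:", rotating)
```

    Normalizing before comparison is what lets visually identical names from different tenants collapse to one key, so blocking a single tenant does not hide the pattern.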

    ModeloRAT has previously been seen in ClickFix attacks, but the version used in this recent campaign has evolved significantly. It features a more resilient C2 architecture with automatic failover and self-update capabilities, as well as multiple independent access paths.

    The threat actor's use of Microsoft Teams highlights the importance of employee education and awareness when it comes to cybersecurity. By tricking users into running malicious commands on their systems, these hackers are able to gain persistent access to corporate networks. This underscores the need for organizations to implement robust security measures, such as restricting external Teams federation using allowlists.

    In a broader context, the increasing adoption of Microsoft Teams by cybercriminals is a growing concern for security professionals and organizations alike. As more and more collaboration platforms become available, it's essential for businesses to stay vigilant and keep their defenses up-to-date.

    The use of Microsoft Teams by KongTuke hackers serves as a reminder that cybersecurity threats are constantly evolving. By staying informed about the latest developments in the world of cybercrime, security professionals can better prepare themselves and their organizations to protect against emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/KongTuke-Hackers-Latest-Shift-Leveraging-Microsoft-Teams-for-Corporate-Breaches-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/kongtuke-hackers-now-use-microsoft-teams-for-corporate-breaches/

  • https://www.levelblue.com/blogs/spiderlabs-blog/kongtuke-a-king-among-threat-groups

  • https://cybersecuritynews.com/fake-captcha/


  • Published: Thu May 14 07:45:19 2026 by llama3.2 3B Q4_K_M












