Hackers Are Abusing Microsoft Teams Chats to Deploy ModeloRAT Malware
Teams attacks compromise networks in minutes
Attackers are abusing Microsoft Teams chats to trick employees into running malicious PowerShell commands, giving them persistent access to corporate networks in under five minutes.
According to ReliaQuest research cited by BleepingComputer, initial access broker KongTuke has shifted to Teams-based social engineering, impersonating internal IT and help-desk staff to gain employee trust.
How the Microsoft Teams attack works
The campaign starts with an external Teams message that appears to come from a legitimate support contact. Attackers then convince the victim to paste and run a PowerShell command.
That command downloads a Dropbox-hosted ZIP archive containing a portable WinPython environment. The chain eventually deploys ModeloRAT, a remote access trojan used to collect system data, capture screenshots, gather user details, and exfiltrate files.
Why this campaign is dangerous
The use of Microsoft Teams makes the attack more convincing because employees already trust internal collaboration tools. A message that looks like it comes from IT support can trigger a fast response, especially during a fake troubleshooting scenario.
ReliaQuest says KongTuke also rotates through five Microsoft 365 tenants to avoid blocking and detection. The attackers reportedly use Unicode whitespace tricks to make malicious accounts look like legitimate internal support staff.
ModeloRAT now has stronger persistence
The latest ModeloRAT version uses a five-server command-and-control pool, automatic failover, randomized URL paths, and a self-update feature. It also includes several backup access methods, including a primary RAT, reverse shell, and TCP backdoor.
The malware can persist through Run registry keys, startup shortcuts, VBScript launchers, and SYSTEM-level scheduled tasks. Researchers warned that one scheduled task can survive reboots and may remain even after some cleanup routines run.
Microsoft Teams remains a growing attack channel
Teams abuse is not new. Threat actors have previously used the platform for espionage campaigns and malware delivery, including Snow malware attacks. Microsoft has also been working on anti-phishing protections to reduce this type of abuse.
Researchers recommend restricting external Teams federation, using allowlists for external chats, monitoring PowerShell activity, and hunting for suspicious Dropbox downloads, persistence artifacts, and unusual scheduled tasks.
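One way to sweep a host for the persistence locations the article names, as an added example that is not part of the original report or of ReliaQuest's research: the PowerShell below lists Run/RunOnce values, Startup-folder items, and SYSTEM scheduled tasks whose command matches a set of assumed indicator strings. The strings are assumptions drawn from the described chain (portable WinPython, VBScript launchers, Dropbox-hosted ZIP), not published indicators, and the script only reads; it removes nothing.

```powershell
# Added example (not from the article or ReliaQuest): read-only triage sweep of the
# persistence locations described above. Indicator strings are assumptions based on
# the described chain, not IoCs; every hit needs analyst review.
$patterns = 'python', 'WinPython', '\.vbs', 'wscript', 'cscript', 'dropbox', '\.zip'
$findings = @()

function Test-Suspicious([string]$Text) {
    foreach ($p in $patterns) { if ($Text -match $p) { return $true } }
    return $false
}

# 1. Run / RunOnce keys (HKCU covers only the user running this sweep)
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $value = [string]$prop.Value
        if (Test-Suspicious $value) { $findings += [pscustomobject]@{ Type='RunKey'; Where="$key\$($prop.Name)"; What=$value } }
    }
}

# 2. Startup folders: shortcuts (resolved to their target) and script launchers
$startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $detail = $_.FullName
        if ($_.Extension -eq '.lnk') { $lnk = $shell.CreateShortcut($_.FullName); $detail = "$($lnk.TargetPath) $($lnk.Arguments)" }
        if (($_.Extension -in '.vbs','.js','.bat','.cmd','.ps1') -or (Test-Suspicious $detail)) {
            $findings += [pscustomobject]@{ Type='Startup'; Where=$_.FullName; What=$detail }
        }
    }
}

# 3. Scheduled tasks running as SYSTEM whose action matches the patterns
Get-ScheduledTask | Where-Object { $_.Principal.UserId -in 'SYSTEM','S-1-5-18','NT AUTHORITY\SYSTEM' } | ForEach-Object {
    foreach ($a in $_.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-Suspicious $cmd) { $findings += [pscustomobject]@{ Type='SystemTask'; Where="$($_.TaskPath)$($_.TaskName)"; What=$cmd } }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Run it elevated so HKLM and all scheduled tasks are readable; an empty table means nothing matched the assumed strings, not that the host is clean.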