Help-Desk Lures Drop KongTuke's Evolved ModeloRAT
ID: 1b752e8c-794f-5521-a4a8-1c4eb01fa74b
STIX ID: report--1b752e8c-794f-5521-a4a8-1c4eb01fa74b
Feed Name: ReliaQuest Blog
ReliaQuest attributes an active campaign to the initial access broker "KongTuke," which impersonates an external Microsoft Teams help desk to lure victims into pasting a single PowerShell command that installs a portable WinPython runtime and ModeloRAT. The toolkit establishes persistence through four triggers, maintains three independent C2 paths, reaches persistent access in under five minutes, and relies on rotating Microsoft 365 tenants and cloud-hosted ZIP archives for delivery. The report provides IOCs; detailed execution and persistence artifacts (%APPDATA%\Roaming\WPy64-*, a Run key, a Startup shortcut, scriptA.vbs, and a SYSTEM scheduled task); and defensive recommendations, including restricting Teams federation, hunting for portable Python in AppData, and auditing all persistence triggers.
