Hackers Hijack Microsoft Teams to Deliver ModeloRAT
Threat actors are now leveraging fake or hijacked Microsoft Teams accounts to directly contact victims, posing as internal IT helpdesk staff. Their primary objective is to persuade targets into executing an obfuscated PowerShell command. Once run, this command initiates a multi-stage infection process: it drops a ZIP archive into the system’s AppData folder, unpacks it locally, and then launches the Modelo
How ModeloRAT Evades Detection
The archive that gets dropped contains a portable Python environment alongside malicious Python components. From there, the execution splits into two distinct parts: one focused on reconnaissance and the other on communicating with a remote command-and-control server.
This two-part structure allows attackers to quietly gather system information while maintaining a persistent and stealthy connection back to their infrastructure, all without raising obvious red flags during normal endpoint monitoring.
One of the most alarming aspects of this campaign is how effectively the malware avoids being caught. During the investigation, the samples collected had zero detections on VirusTotal, meaning the files were not flagged by any of the antivirus engines checked at the time of analysis. The malware also bypassed several major endpoint detection and response tools, which are typically a critical last line of defense in enterprise environments.
Persistence is another area where this version stands apart from earlier variants. Beyond writing itself to a standard Windows startup registry key, the malware also creates a scheduled task using a randomly generated name.
This makes it considerably harder for defenders to spot the malicious task among legitimate ones, and ensures the malware restarts automatically even if the registry entry gets removed. Together, these techniques show a clear and deliberate effort to stay hidden and keep running as long as possible on compromised systems.
Protecting Your Organization
Organizations can take several practical steps to significantly reduce the risk posed by this type of attack. One of the most straightforward moves is to review Microsoft Teams external access settings and restrict or disable messages from unknown or unverified external tenants.
Since the attackers rely on reaching victims directly through Teams, limiting who can contact employees is a strong and immediate first line of defense that requires no additional tools.
Security teams should also set up alerts for Dropbox downloads on corporate devices, particularly where there is no clear business need for that kind of external file access. Monitoring for ZIP file extraction inside AppData directories is another useful and practical detection approach.
Since the malware relies on a portable Python environment to execute, tracking unusual instances of pythonw.exe running from user-writable paths like AppData can help surface suspicious activity early. Regularly reviewing new scheduled task registrations and registry run key changes can help catch persistence attempts before they quietly take hold.
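As an added example (not code from the HackersRadar article or from the ModeloRAT investigation), the following Python routine applies the three hunts above to Sysmon-style JSON events. Field names follow Sysmon's ProcessCreate (EventID 1) and RegistryEvent value-set (EventID 13) schema; the sample events, the task name and the user paths are constructed for illustration, and the "user-writable path" pattern is an assumption to tune per environment.

```python
import json
import re
from pathlib import PureWindowsPath
from typing import Optional

# Locations a standard user can write to (assumption for this example):
# a Python interpreter or a persistence entry pointing here is unusual on
# a managed endpoint and matches the AppData behaviour described above.
USER_WRITABLE = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
PYTHON_IMAGES = {"python.exe", "pythonw.exe"}


def detect(event: dict) -> Optional[str]:
    """Return an alert label for one Sysmon-style event, or None if benign."""
    eid = event.get("EventID")
    if eid == 1:  # process creation
        image = event.get("Image", "")
        name = PureWindowsPath(image).name.lower()
        if name in PYTHON_IMAGES and USER_WRITABLE.search(image):
            return "python_from_user_writable_path"
        # scheduled task registered by a process that itself lives in AppData
        if (name == "schtasks.exe" and "/create" in event.get("CommandLine", "").lower()
                and USER_WRITABLE.search(event.get("ParentImage", ""))):
            return "schtasks_create_from_user_writable_parent"
    elif eid == 13:  # registry value set: Run key pointing into a user path
        if RUN_KEY.search(event.get("TargetObject", "")) and USER_WRITABLE.search(event.get("Details", "")):
            return "run_key_points_to_user_writable_path"
    return None


def scan(lines):
    """Run detect() over JSON lines; return (line_number, label) pairs for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        label = detect(json.loads(line))
        if label:
            hits.append((n, label))
    return hits


# Constructed sample telemetry (not real events from the campaign).
APPDATA_PY = r"C:\Users\alice\AppData\Roaming\WPy64-31401\pythonw.exe"
SAMPLE_LOG = [
    json.dumps({"EventID": 1, "Image": APPDATA_PY, "CommandLine": "pythonw.exe",
                "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Program Files\Python312\pythonw.exe",
                "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "pythonw.exe app.py"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": APPDATA_PY,
                "CommandLine": 'schtasks.exe /Create /SC ONLOGON /TN "k3qz8v" /TR "' + APPDATA_PY + '"'}),
    json.dumps({"EventID": 13, "Details": APPDATA_PY,
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\k3qz8v"}),
]

if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG):
        print(f"event {n}: {label}")
```

The second sample event (a system-wide Python install launched from Explorer) is deliberately benign and produces no hit, which is the false-positive case this path-based rule has to tolerate.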
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45.61.136.94 | Observed ModeloRAT C2 server |
| IP Address | 64.95.10.14 | Observed ModeloRAT C2 server |
| IP Address | 64.95.12.238 | Observed ModeloRAT C2 server |
| IP Address | 64.95.13.76 | Observed ModeloRAT C2 server |
| IP Address | 162.33.179.149 | Observed ModeloRAT C2 server |
| File Path | %APPDATA%\WPy64-31401 | Malware execution directory containing portable Python environment |
| Process | pythonw.exe | Portable Python used to execute malicious components from AppData |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.