Critical Microsoft Teams Flaw Lets Attackers Hijack Accounts, Deliver ModeloRAT

Emy Elsamnoudy
May 12, 2026

Key Takeaways

  • Attackers are exploiting Microsoft Teams to impersonate IT staff, tricking users into running PowerShell commands.
  • This leads to the deployment of ModeloRAT, a sophisticated remote access trojan that uses a portable Python environment.
  • The malware exhibits advanced evasion techniques, including zero detection on VirusTotal and bypassing several EDR tools at the time of analysis.
  • ModeloRAT establishes persistence via both registry run keys and stealthy scheduled tasks.
  • Organizations can mitigate risk by adjusting Microsoft Teams external access settings and implementing enhanced monitoring for suspicious file and process activity.

Cybersecurity researchers have uncovered an active campaign where threat actors are leveraging compromised or fabricated Microsoft Teams accounts to target users. Posing as internal IT helpdesk personnel, these attackers aim to convince victims to execute a seemingly innocuous, obfuscated PowerShell command. This command is the gateway to a multi-stage infection, ultimately deploying the ModeloRAT (Remote Access Trojan) onto the victim’s system.

Table of Contents

  • Key Takeaways
  • ModeloRAT’s Stealthy Delivery and Evasion
  • What You Should Do
  • Indicators of Compromise (IoCs)

ModeloRAT’s Stealthy Delivery and Evasion

The initial PowerShell command triggers the download and drop of a ZIP archive into the system’s AppData folder. This archive is then unpacked locally, initiating the ModeloRAT infection process. A key characteristic of this particular ModeloRAT variant is its use of a portable Python environment bundled within the dropped archive, alongside its malicious Python components.

Upon execution, the malware’s operations bifurcate: one branch focuses on conducting reconnaissance activities, while the other establishes communication with a remote command-and-control (C2) server. This dual-pronged approach allows the attackers to discreetly collect system information and maintain a persistent, covert connection to their infrastructure, all while minimizing indicators that might trigger standard endpoint monitoring solutions.

A significant concern highlighted by the investigation is ModeloRAT’s advanced evasion capabilities. During the analysis, collected samples registered zero detections on VirusTotal, indicating that no antivirus engines flagged the files at that time. Furthermore, the malware successfully circumvented several prominent Endpoint Detection and Response (EDR) tools, which are typically considered crucial last lines of defense in corporate environments. You can review the full report for more details.

Beyond its initial evasion, this ModeloRAT variant demonstrates sophisticated persistence mechanisms. In addition to writing itself to a standard Windows startup registry key, the malware creates a scheduled task with a randomly generated name. This tactic significantly complicates detection efforts for defenders, as the malicious task can blend in with legitimate system tasks. Moreover, this dual persistence ensures the malware’s automatic re-execution even if one of its persistence methods is discovered and removed. These techniques collectively underscore a deliberate strategy by attackers to remain undetected and operational on compromised systems for extended periods.

What You Should Do

Organizations must adopt a proactive stance to mitigate the risks associated with this type of attack. Immediate and practical steps include:

  • Restrict Microsoft Teams External Access: Review and tighten Microsoft Teams external access settings. Limit or disable messages from unknown or unverified external tenants to prevent attackers from directly contacting employees. This serves as a critical first line of defense.
  • Monitor for Suspicious Downloads: Configure alerts for downloads from cloud storage services like Dropbox on corporate devices, especially if there’s no legitimate business need for such external file access.
  • Monitor AppData for ZIP Extraction: Implement monitoring for ZIP file extraction activities within AppData directories, a common staging area for this malware.
  • Track Python Executables in User Paths: Set up detection rules for unusual instances of pythonw.exe running from user-writable paths, particularly within AppData. This can help identify the portable Python environment utilized by ModeloRAT.
  • Audit Persistence Mechanisms: Regularly review newly registered scheduled tasks and changes to registry run keys to detect and neutralize persistence attempts before they become entrenched.
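The following PowerShell audit is an added example, not code from the article or from the researchers' report. It turns the last three recommendations (ZIP extraction in AppData, pythonw.exe from user-writable paths, and new Run-key or scheduled-task persistence) into a single host-side check an analyst can run in an elevated session. The seven-day lookback and the "long alphanumeric task name" heuristic are assumptions chosen for this example; the only page-derived detail is that the portable Python interpreter runs as pythonw.exe from AppData.

```powershell
# Added example (not from the original article). Run elevated on Windows 10/11.
# $lookback and the task-name heuristic below are assumptions for this example.
$lookback = (Get-Date).AddDays(-7)

# 1. Python interpreters executing from user-writable locations (AppData, Temp, Public).
$suspiciousPython = Get-Process -Name 'pythonw', 'python' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -match '\\(AppData|Temp|Users\\Public)\\' } |
    Select-Object Id, ProcessName, Path, StartTime

# 2. ZIP archives recently written anywhere under the current user's AppData trees.
$recentZips = Get-ChildItem -Path $env:APPDATA, $env:LOCALAPPDATA -Filter '*.zip' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $lookback } |
    Select-Object FullName, CreationTime, Length

# 3. Registry Run / RunOnce entries for the machine and the current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$runEntries = foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -notmatch '^PS') {   # skip PowerShell's provider metadata properties
                [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}
# Flag entries whose command launches from AppData or invokes pythonw.exe.
$suspiciousRun = $runEntries | Where-Object { $_.Command -match 'AppData|pythonw\.exe' }

# 4. Scheduled tasks: recently registered, launching from AppData/pythonw.exe,
#    or carrying a long random-looking alphanumeric name at the task root.
$suspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $registered = $null
    if ($_.Date) { $registered = [datetime]$_.Date }   # creation stamp from the task XML, if present
    [pscustomobject]@{
        TaskName   = $_.TaskName
        TaskPath   = $_.TaskPath
        Registered = $registered
        Action     = $action
    }
} | Where-Object {
    ($_.Action -match 'AppData|pythonw\.exe') -or
    ($_.Registered -and $_.Registered -ge $lookback) -or
    ($_.TaskPath -eq '\' -and $_.TaskName -match '^[A-Za-z0-9]{16,}$')   # heuristic: assumption
}

# Collect everything into one report object for triage or export.
$report = [ordered]@{
    PythonFromUserPaths = @($suspiciousPython)
    RecentZipsInAppData = @($recentZips)
    SuspiciousRunKeys   = @($suspiciousRun)
    SuspiciousTasks     = @($suspiciousTasks)
}
foreach ($section in $report.Keys) {
    Write-Output "=== $section ($($report[$section].Count)) ==="
    $report[$section] | Format-Table -AutoSize | Out-String -Width 200
}
```

Each section is a lead, not a verdict: legitimate updaters also register root-level tasks and Run entries, so review the flagged command lines and launch paths rather than acting on a hit alone. Pipe `$report` sections to `Export-Csv` to retain evidence before removing anything.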

Indicators of Compromise (IoCs)

For defenders, the following Indicators of Compromise (IoCs) can aid in detection and prevention:

Type         Indicator               Description
IP Address   45[.]61[.]136[.]94      Observed ModeloRAT C2 server
IP Address   64[.]95[.]10[.]14       Observed ModeloRAT C2 server
IP Address   64[.]95[.]12[.]238      Observed ModeloRAT C2 server
IP Address   64[.]95[.]13[.]76       Observed ModeloRAT C2 server
IP Address   162[.]33[.]179[.]149    Observed ModeloRAT C2 server
File Path    %APPDATA%\WPy64-31401   Malware execution directory containing portable Python environment
Process      pythonw.exe             Portable Python used to execute malicious components from AppData

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
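As an added example (not part of the article or the underlying report), the script below shows how to consume the defanged IoC list safely: the addresses are re-fanged only in memory, matched against the host's current outbound TCP connections, and optionally blocked with a host firewall rule. The five addresses come from the table above; the rule name and the `ConvertFrom-Defang` helper are this example's own.

```powershell
# Added example (not from the original article). Requires Get-NetTCPConnection
# and New-NetFirewallRule (Windows 8 / Server 2012 or later); run elevated.

# Defanged C2 addresses exactly as published in the IoC table.
$defangedIocs = @(
    '45[.]61[.]136[.]94',
    '64[.]95[.]10[.]14',
    '64[.]95[.]12[.]238',
    '64[.]95[.]13[.]76',
    '162[.]33[.]179[.]149'
)

function ConvertFrom-Defang {
    # Helper defined for this example: reverse the common "[.]" and "hxxp" conventions.
    param([Parameter(Mandatory)][string]$Indicator)
    $Indicator -replace '\[\.\]', '.' -replace '^hxxp', 'http'
}

# Re-fang in memory only; the defanged list is never rewritten on disk.
$c2Addresses = $defangedIocs | ForEach-Object { ConvertFrom-Defang $_ }
$c2Set = [System.Collections.Generic.HashSet[string]]::new([string[]]$c2Addresses)

# Match live outbound connections (established or mid-handshake) against the set
# and attach the owning process so the analyst sees what is talking to the C2.
$hits = Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue |
    Where-Object { $c2Set.Contains($_.RemoteAddress) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            Pid           = $_.OwningProcess
            Process       = $proc.ProcessName
            Path          = $proc.Path
        }
    }

if ($hits) {
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No current connections to the listed ModeloRAT C2 addresses.'
}

function Block-ModeloRatC2 {
    # Optional containment: outbound block rule for the listed addresses.
    # Rule name is chosen for this example.
    param([Parameter(Mandatory)][string[]]$Addresses)
    New-NetFirewallRule -DisplayName 'Block ModeloRAT C2 (IoC list)' `
        -Direction Outbound -Action Block -RemoteAddress $Addresses -Profile Any | Out-Null
}
# Block-ModeloRatC2 -Addresses $c2Addresses   # uncomment to apply the block rule
```

A point-in-time connection check only catches beacons that happen to be open when it runs; for coverage over time, feed the same re-fanged list into the SIEM or EDR network-event search instead of relying on this snapshot alone.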

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
