ModeloRAT

They hijack normal WordPress websites to push fake technical alerts. In a recent tactic from early 2026 called CrashFix, they purposely froze a victim’s web browser and displayed a message telling them to copy-paste a command to fix the issue.

"Rapid7 and ReliaQuest revealed that the threat actor has pivoted to sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that leads to the deployment of ModeloRAT."

ModeloRAT, another KongTuke-linked backdoor that has spread through Microsoft Teams social engineering

Persistence is established through several redundant mechanisms, including... scheduled tasks.

"...trick them into running arbitrary commands under the pretext of running a security scan."

The campaign used a malicious Chrome extension named NexShield, disguised as an ad blocker, to intentionally crash victims’ browsers and trick them into running PowerShell commands that led to the deployment of ModeloRAT.

Persistence is established through several redundant mechanisms, including... VBScript launchers

they purposely froze a victim’s web browser and displayed a message telling them to copy-paste a command to fix the issue... started messaging staff directly on Microsoft Teams, posing as the company’s IT helpdesk to lure workers into running malicious commands.

"...used a malicious Google Chrome extension masquerading as an ad blocker to intentionally crash a victim's web browser..."

Persistence is established through several redundant mechanisms, including... scheduled tasks.

The campaign used a malicious Chrome extension named NexShield, disguised as an ad blocker, to intentionally crash victims’ browsers and trick them into running PowerShell commands that led to the deployment of ModeloRAT.

"...the attack chain uses DNS as a 'lightweight staging or signaling channel.'"

ModeloRAT... with persistence commonly established under HKCU\Software\Microsoft\Windows\CurrentVersion\Run... Persistence is established through several redundant mechanisms, including Run-key entries... Startup-folder shortcuts

Persistence is established through several redundant mechanisms, including... scheduled tasks.

ModeloRAT... with persistence commonly established under HKCU\Software\Microsoft\Windows\CurrentVersion\Run... Persistence is established through several redundant mechanisms, including Run-key entries... Startup-folder shortcuts

loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software... Persistence is established through several redundant mechanisms, including Run-key entries that masquerade as legitimate remote-access software, using names such as AnyDesk, Splashtop and Comms.

"...the attack chain uses DNS as a 'lightweight staging or signaling channel.'"

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.

performing Active Directory and Kerberoasting queries against accounts with service principal names to harvest crackable credentials

performing Active Directory and Kerberoasting queries against accounts with service principal names to harvest crackable credentials

The group then conducts extensive reconnaissance using built-in Windows tooling, enumerating domain users, groups, computers and sessions with net.exe

gathering host and service inventories with PowerShell

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.

Data is staged and exfiltrated over HTTP using curl.exe

the group has been observed capturing screenshots

It can also create new folders, and check for additional commands from the attacker-controlled command-and-control (C2) server.

The RAT uses RC4-encrypted command-and-control (C2) communications and is built for resilience, with multiple independent C2 paths on separate infrastructure.

"The malware was also distributed in a different ClickFix campaign that involved running commands carrying out a Domain Name System (DNS) lookup to retrieve the next-stage payload, with Microsoft noting that the attack chain uses DNS as a 'lightweight staging or signaling channel.'"

The backdoor can run remote payloads directly in memory... Upload/download a file... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment... Finger.exe... retrieve obfuscated payloads.

"...the attack chain uses DNS as a 'lightweight staging or signaling channel.'"

Mistic is a stealthy backdoor used by KongTuke-linked actors to keep long-term access in ransomware-targeted networks.

non-domain-joined victims receive a more heavily obfuscated variant that uses a domain-generation algorithm to cycle through fresh C2 domains each week

non-domain-joined victims receive a more heavily obfuscated variant that uses a domain-generation algorithm to cycle through fresh C2 domains each week.

Data is staged and exfiltrated over HTTP using curl.exe