Hackers Hijack Microsoft Teams Accounts to Spread ModeloRAT Malware


GBHackers On Security, May 12, 2026

Why It Matters

The abuse of Teams expands the attack surface of widely trusted collaboration tools, forcing organizations to rethink access controls and detection strategies. It also demonstrates that traditional signature‑based defenses are insufficient against highly obfuscated, file‑less malware.

Key Takeaways

  • Hijacked Teams accounts pose as an internal IT helpdesk to deliver malware
  • PowerShell loader drops portable WinPython in %APPDATA%
  • ModeloRAT evades major EDR products and VirusTotal signatures
  • Persistence adds Run‑key and random‑named scheduled task

Pulse Analysis

The rise of remote work has turned collaboration suites like Microsoft Teams into critical business infrastructure, making them attractive targets for threat actors. By hijacking legitimate Teams accounts and mimicking internal IT helpdesks, attackers can bypass many perimeter defenses that focus on email or web traffic. This social‑engineering approach feels authentic because it arrives directly in a trusted chat client, increasing the likelihood that users will execute the supplied PowerShell command without suspicion.

Technically, the new ModeloRAT delivery chain leverages a PowerShell one‑liner that writes a ZIP file to the user’s AppData folder, extracts a full portable WinPython distribution, and runs pythonw.exe silently. The split architecture—separate reconnaissance and C2 components—mirrors earlier KongTuke tactics but adds layers of obfuscation that have so far evaded leading EDR products and returned no detections on VirusTotal. Persistence is reinforced through the classic HKCU Run key and a newly introduced scheduled task with a random name, complicating remediation efforts that focus on a single cleanup vector.

For defenders, the incident underscores the need to tighten Teams external access policies, flag chats from unknown tenants, and monitor for anomalous PowerShell activity that writes to AppData. Detecting unexpected portable Python directories, or pythonw.exe executions from user‑writable locations, can provide early warning. Integrating cloud‑storage download monitoring with routine audits of Run‑key and scheduled‑task registrations will further help mitigate this threat. The campaign highlights a shift toward more sophisticated, file‑less attacks that exploit trusted communication channels.
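As an added example (not code from the GBHackers article or from the campaign), the detection guidance above expressed in Python over constructed Sysmon- and Security-log-style records. Field names follow those schemas; the user name, SID, WinPython folder and task name are invented placeholders, not indicators from the report.

```python
import re

# Constructed Sysmon/Security-style records (not real telemetry): EventID 1 is
# process creation, 13 a registry value set, 4698 a scheduled task created.
# User-writable location that a trusted interpreter should not normally run from.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# HKCU autorun key as Sysmon renders it (HKU\<SID>\...\Run\<value name>).
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)


def classify(event):
    """Return a short reason if the event matches the ModeloRAT pattern, else None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation: pythonw.exe out of AppData, parent tells us more
        image, parent = event.get("Image", ""), event.get("ParentImage", "")
        if image.lower().endswith("\\pythonw.exe") and USER_WRITABLE.search(image):
            if parent.lower().endswith("\\powershell.exe"):
                return "pythonw.exe from AppData spawned by PowerShell"
            return "pythonw.exe running from a user-writable path"
    elif eid == 13:  # registry value set: Run-key autorun pointing into AppData
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY.search(target) and USER_WRITABLE.search(details):
            return "Run-key autorun points into AppData"
    elif eid == 4698:  # scheduled task created whose action runs from AppData
        if USER_WRITABLE.search(event.get("TaskContent", "")):
            return "scheduled task action runs from AppData"
    return None


def triage(events):
    """Return (index, reason) for every matching event, in input order."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify(ev)
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample events; paths, SID and task name are placeholders, not IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Python312\pythonw.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\WinPython\python\pythonw.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\AppData\Roaming\WinPython\python\pythonw.exe C:\Users\alice\AppData\Roaming\WinPython\main.py"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"EventID": 4698, "TaskName": r"\Kq7Xz2Pm",
     "TaskContent": r"<Exec><Command>C:\Users\alice\AppData\Roaming\WinPython\python\pythonw.exe</Command></Exec>"},
]
```

Running `triage(SAMPLE_EVENTS)` flags events 1, 2 and 4 and leaves the system-installed Python and the OneDrive autorun alone; in production the same logic would sit in a SIEM rule rather than a script.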
