KongTuke, a financially motivated initial access broker, is now using external Microsoft Teams chats to impersonate help-desk staff and push ModeloRAT onto Windows machines. ReliaQuest reported the campaign on May 14, 2026, describing it as the first time the group has been seen using a collaboration platform instead of relying only on web-based ClickFix-style delivery [1]. A June 2026 follow-up matters for the same cluster: Broadcom/Symantec later connected the actor to the newer Backdoor.Mistic malware, while Zscaler tracks the related family as MLTBackdoor [3] [4].
The shift matters because Teams chat changes the user’s threat model. A fake support message does not arrive like a suspicious email; it appears inside the same work interface employees use every day. Microsoft Teams external access is designed to let users communicate with people outside their organization, but broad federation also gives attackers a direct line to employees unless it is restricted or monitored [2].
Why This Is More Than Another ClickFix Variant
ReliaQuest says the chain can move from first chat contact to persistent access in under five minutes. The attacker uses a support-themed pretext, directs the victim to run a diagnostic-style command, and drops a portable WinPython environment under %APPDATA%\Roaming\WPy64-*. That runtime then carries ModeloRAT modules, host reconnaissance, multiple command-and-control paths, and layered persistence.
The useful detection point is not a single sender domain. KongTuke reportedly rotated through multiple Microsoft 365 tenants, which means static blocking will age badly. Defenders should correlate the sequence: external Teams contact, hidden PowerShell from Windows Run, a new WPy64-* directory in AppData, pythonw.exe activity, Startup folder changes, Run key entries, and suspicious scheduled tasks. One weak signal may be noise; the sequence is the incident.
This also changes response. Removing one payload, blocking one C2 address, or deleting one Run key is not enough if the host has several persistence triggers. Before returning a machine to production, enumerate Startup items, Run keys, scheduled tasks, portable Python folders, recent cloud-download artifacts, and outbound connections from pythonw.exe. If a user was contacted over Teams, review external chat events and whether the sender tenant should have been allowed to reach users at all.
How Mistic and MLTBackdoor Fit This Case
Mistic does not need a separate Gridinsoft article to be useful here. It is another branch of the same KongTuke/Woodgnat access-broker story: social engineering gets the user to run a command, the first-stage tooling establishes access, and the operator decides whether to deploy ModeloRAT, Mistic, or another follow-on payload. Broadcom/Symantec reported Mistic activity since April 2026 and noted that it appeared close to ModeloRAT in at least one intrusion [3]. Zscaler’s MLTBackdoor analysis shows the ClickFix route from a pasted command into a staged archive, endpointdlp.dll, and a later sideload through the signed Microsoft Defender binary MpExtMs.exe [4].
For triage, treat the names as linked clues rather than isolated keywords. MpExtMs.exe can be legitimate in its normal Microsoft Defender context, but it is suspicious when it appears in a temporary staging folder, launches from an unpacked archive, or sits next to unexpected files such as EndpointDlp.dll, version.dll, or data.bin. Mistic’s reported in-memory execution, BOF loading, and self-delete capability mean that responders should also look for the delivery chain and persistence around the alert, not only for a remaining malware file on disk.
What to Do If a Mistic or Havoc Alert Appears
If Microsoft Defender shows Trojan:Win64/Havoc.MX!MTB, keep the detection quarantined and check whether the timeline includes a Teams help-desk message, fake CAPTCHA, ClickFix, FileFix, CrashFix, browser repair prompt, or a command pasted into Run, PowerShell, Terminal, or File Explorer. Microsoft lists the Havoc.MX label as a Defender-detected trojan and warns that infections can leave remnant files or system changes after automatic removal [5].
On a work device, isolate the host and involve the security team before deleting evidence. Preserve the command line, downloaded archive path, Defender Protection History entry, recent scheduled tasks, Run keys, Startup folder entries, browser history around the lure, and external Teams chat details. On a personal Windows PC, disconnect from the network, update security definitions, run a full scan, then check startup entries and browser changes after reboot. Gridinsoft Anti-Malware can be used as a second local check for leftover detections, hidden files, scheduled tasks, startup entries, bundled apps, browser changes, and persistence, but it cannot prove that an enterprise network is clean after a real backdoor incident.
Gridinsoft has tracked related patterns before, including ClickFix WordPress attacks pushing Vidar Stealer, fake CAPTCHA and ClickFix prompts, fake Chrome update terminal commands, and Teams phishing used in MuddyWater’s Chaos ransomware masquerade. KongTuke sits between those patterns: it keeps the paste-and-run user manipulation of ClickFix, but moves the trust hook into collaboration chat where many organizations have weaker guardrails than email.
Microsoft-themed lures are also shifting toward session abuse: device code phishing shows how a legitimate login page can be used to authorize an attacker-controlled session.
References
- ReliaQuest. “Help-Desk Lures Drop KongTuke’s Evolved ModeloRAT.” ReliaQuest, published May 14, 2026. Research
- Microsoft Learn. “Manage external access in Microsoft Teams.” Microsoft, accessed July 3, 2026. Guidance
- Broadcom/Symantec Threat Hunter Team. “Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker.” Broadcom Security Center, published June 24, 2026, accessed July 3, 2026. Research
- Zscaler ThreatLabz. “Technical Analysis of MLTBackdoor.” Zscaler, published June 9, 2026, accessed July 3, 2026. Research
- Microsoft Security Intelligence. “Trojan:Win64/Havoc.MX!MTB.” Microsoft, published April 30, 2026, accessed July 3, 2026. Threat description

