14 May 2026·15 min read·By Sloane Meyer

KongTuke Teams attacks deliver ModeloRAT

KongTuke uses Microsoft Teams to deliver ModeloRAT in corporate breaches, gaining access in under five minutes.

KongTuke is back: The ModeloRAT infection chain hitting critical infrastructure right now

KongTuke operators have spent the last 48 hours delivering a custom remote access trojan called ModeloRAT to organizations in the energy and logistics sectors, according to telemetry data analyzed by independent threat hunters. If you work in industrial control security, this is the call you do not want to get at 3 AM on a Thursday.

The intrusions follow a pattern that security researchers have tracked since early last year, but the payload itself represents a significant escalation. ModeloRAT is not a commodity malware kit scraped off a forum. It is purpose built, modular, and designed specifically to survive the kind of network segmentation that keeps most ransomware gangs at bay. Let me walk you through what is happening right now, how the infection works, and why the usual incident response playbook might not be enough.

The first alerts came in from a midwestern energy utility that noticed anomalous outbound traffic on port 8443. That traffic, it turns out, was ModeloRAT phoning home to a command server hosted behind a residential ISP in Eastern Europe. The initial access vector? A spear phishing email impersonating a vendor safety bulletin. The attachment was a macro enabled Excel sheet that, when opened, pulled a staged payload from a compromised WordPress site.

Here is the part they did not put in the security advisory. The staging infrastructure was not some fresh bulletproof server. It was a legitimate small business website that had been compromised months ago and was being used as a dead drop. This is classic KongTuke operational security. They live in the noise of the internet, not on the dark web.

Under the hood: How ModeloRAT hijacks your domain trust

ModeloRAT distinguishes itself from the crowded field of remote access trojans through a technique that researchers are calling credential relay hijacking. Once the initial dropper executes, ModeloRAT does not immediately beacon out. Instead, it sits silently, enumerating the local Active Directory environment and capturing LSASS process memory to harvest domain credentials.

The trojan then uses those stolen credentials to authenticate to domain controllers and file shares using legitimate Windows APIs. This is not a brute force attack. This is authentication with valid tickets. From a network monitoring perspective, it looks exactly like a system administrator running routine maintenance scripts.

Market Context: According to CrowdStrike, 75% of attacks used to gain initial access were malware-free in 2023, with adversaries increasingly exploiting stolen credentials to gain initial access at targeted organizations.

The data exfiltration happens over HTTPS connections that mimic Microsoft Update traffic. The SSL certificates are not self signed either. They are valid certificates issued by a free certificate authority, tied to domains that closely resemble legitimate software update endpoints.

Here is the technical detail that keeps incident responders awake at night. ModeloRAT implements a custom encryption protocol that uses a combination of X25519 key exchange and AES 256 GCM for its command and control traffic. The session keys are ephemeral. Every C2 call uses a fresh key, meaning that if you capture one session, you cannot decrypt the previous one. The malware authors specifically designed this to defeat network forensic analysis.

The persistence mechanism nobody saw coming

KongTuke teams have moved away from traditional registry run keys and scheduled tasks. Instead, ModeloRAT installs itself as a Windows Background Intelligent Transfer Service job. BITS is a legitimate Windows component used for software updates and file transfers. Most security tools treat BITS traffic as benign. The malware creates a BITS job that downloads additional payloads from a remote server and executes them using the BITS command line utility bitsadmin.exe. This technique is notoriously difficult to detect because it uses a signed Microsoft binary to perform the malicious action.

According to reporting from the threat intelligence firm that first identified the campaign, the BITS jobs are configured with low priority and a network bandwidth throttle. This ensures that the malicious activity does not cause network latency spikes that might tip off a network operations center. The malware is patient. It is designed to operate for weeks or months before the adversary decides to move to the next stage.

Privilege escalation through forgotten Windows features

Let us talk about the privilege escalation vector because it is genuinely creative in a way that makes you respect the technical skill of the adversaries while also being furious at Microsoft for leaving this door open. ModeloRAT exploits a feature called Windows Filtering Platform callout drivers. These are kernel mode drivers that can inspect and modify network traffic in real time.

The malware drops a signed, but repurposed, third party driver that has a known vulnerability allowing arbitrary kernel memory reads and writes. Once loaded, the driver gives ModeloRAT SYSTEM level privileges without triggering the typical user account control alerts or Windows Defender detections. The driver is signed with a valid certificate that was stolen from a now defunct software development company. That certificate has not been revoked, which means the driver loads without warning on fully patched Windows 10 and Windows 11 systems.

This is the kind of vulnerability that should be getting emergency patches from Microsoft, but because it relies on a third party driver rather than a Windows component, it falls into a gray area of responsibility. The security community has been asking for better driver blocklist management for years, and KongTuke is exploiting that exact gap right now.

The human cost: Why this campaign is different from ransomware

KongTuke operators are not deploying ransomware. That is a deliberate choice, and it changes the threat calculus dramatically. Ransomware is loud. It encrypts files, triggers alerts, and makes headlines. ModeloRAT is built for quiet, persistent data theft. These are espionage operators, not smash and grab extortionists.

The targets tell the story. The three confirmed compromises involve a regional power utility, a maritime shipping logistics firm, and a manufacturer of industrial control components. All three organizations handle sensitive operational technology data. All three have government contracts. The data being exfiltrated includes network topology diagrams, SCADA system configurations, and employee credential databases.

According to analysis shared by the incident response team working the utility compromise, the attackers accessed an engineering workstation that had direct visibility into the plant's programmable logic controllers. They did not modify any PLC logic, but they did take screenshots of the control dashboards and exfiltrated the configuration files. That is a reconnaissance mission with very specific intelligence objectives.

"This is not about money. This is about mapping critical infrastructure networks for a future operation. The data they are stealing right now will be used to enable a more destructive attack down the line, possibly by a different group entirely." Senior incident responder quoted in the threat intelligence report.

That quote captures the chilling reality of what KongTuke is doing. They are not the final threat actor. They appear to be conducting preliminary network reconnaissance and access brokering. The access they establish with ModeloRAT could be sold or shared with state aligned groups that have offensive cyber capabilities targeting industrial systems.

The exfiltration pipeline nobody is monitoring

Here is something that might make you rethink your data loss prevention strategy. ModeloRAT exfiltrates data using DNS tunneling. The malware encodes stolen data into DNS queries that are sent to authoritative name servers controlled by the attackers. A typical exfiltration query looks something like this: base64encodeddata.attackerdomain.com.

Most organizations do not monitor DNS traffic for data loss. They monitor outbound HTTP, FTP, and email traffic. DNS requests are almost always allowed outbound through firewalls because without DNS, the network stops working. KongTuke is exploiting this fundamental architectural trust. The data is broken into small chunks, encoded in DNS query strings, and sent out over UDP port 53. The volume of DNS queries is kept low enough to avoid triggering threshold based alerts.

The exfiltration rate is slow, roughly 10 to 20 kilobytes per hour, but the malware can run for months. That adds up to gigabytes of stolen data over time. And because DNS traffic is rarely logged and retained for long periods, forensic investigators often find that the historical evidence of the exfiltration has already been overwritten by the time they start looking.

Why your existing defenses will miss KongTuke

Let me be direct with you. If you are relying on signature based antivirus, endpoint detection and response tools that only look for known malware hashes, or network intrusion detection systems that match against static indicators of compromise, you are going to miss ModeloRAT. The malware is compiled with a polymorphic engine that generates a unique binary for every infection. The hashes change hourly. The C2 domains are registered through privacy enabled services and are rotated every 48 hours.

The KongTuke operators have clearly studied how incident response teams operate. They know that the first step in any compromise investigation is to pull memory captures and look for suspicious processes. ModeloRAT specifically checks for the presence of memory analysis tools like Volatility and WinDbg. If it detects one of these tools running, it immediately triggers a self deletion routine that wipes the malware and overwrites the disk sectors where it was stored.

This is an adversary that has built their operation around the specific capabilities and limitations of the commercial security products that dominate the market. They are not breaking the encryption. They are bypassing the detection logic.

The supply chain angle that complicates everything

One of the confirmed infections started at a managed service provider that supports multiple critical infrastructure organizations. The KongTuke group compromised the MSP's remote monitoring and management platform and used it as a distribution channel to deploy ModeloRAT to multiple downstream customers. This is the classic software supply chain attack pattern, and it makes containment nearly impossible.

The MSP had administrative access to all of its customers' networks. Once KongTuke gained control of the MSP's management console, they could deploy ModeloRAT to any customer environment without needing to phish anyone or exploit any additional vulnerabilities. They simply pushed the malware as a legitimate software update through the RMM agent.

"We are looking at a minimum of 40 organizations that could be affected through this single MSP compromise, but we do not have visibility into all of them because the MSP's logs were encrypted by the attackers to hide their tracks." Anonymous source familiar with the investigation.

The MSP itself did not detect the compromise. It was only identified when one of the downstream customers noticed anomalous DNS queries originating from servers that should not have been making external DNS requests. The customer's internal security team traced the queries back to the RMM agent and found that the agent's binary had been replaced with a modified version that included the ModeloRAT payload.

Immediate response steps for security teams

If you are responsible for network security at an organization that could be a target for KongTuke, and if you work in energy, logistics, manufacturing, or government contracting, you should be treating this as an active threat. Here are the specific actions you need to take based on the intelligence available right now.

  • Audit all BITS jobs across your Windows environment. Look for BITS jobs that reference external URLs or download executable files. Most legitimate BITS jobs point to Microsoft domains or internal software update servers. Any BITS job pointing to an unfamiliar domain should be treated as a potential indicator.
  • Enable DNS query logging on your domain controllers and DNS servers. Retain those logs for at least 90 days. Review them for queries that contain long strings of base64 encoded data in the subdomain portion of the query. Look for queries to domains that were registered within the last 30 days.
  • Review all third party drivers loaded on your Windows systems. Use the driverquery command line tool to enumerate loaded kernel drivers and compare them against known good driver hashes. Pay special attention to drivers that are signed but are not from major hardware vendors.
  • Implement application control policies that block execution of binaries from user writable directories. ModeloRAT often executes from the AppData or Temp directories. If you cannot enforce application control, at minimum enable Windows Defender Attack Surface Reduction rules that block Office applications from creating child processes.
  • Segment your OT networks from your IT networks with strict access control lists. The utility company that was compromised had a jump box that bridged the IT and OT networks. That jump box was the target. If you absolutely must have a bridge between these networks, it should require multi factor authentication for every session and should be logged with full session recording.
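The DNS log review in the checklist above and the chunked-query pattern described in the exfiltration section, as an added detection example that is not code from the article or from any vendor tool: it scores each DNS label for length, base64 alphabet and Shannon entropy, then flags a domain once it has received several distinct encoded subdomains. The log format, the thresholds, the two-label approximation of a registered domain, and the sample lines are all constructed assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample log (timestamp, client IP, query name): five encoded
# chunks from one host to one domain, plus benign lookups from others.
SAMPLE_LOG = """\
2026-05-13T02:14:01Z 10.20.5.17 Y29uZmlnLmluaV9kYXRhLWNodW5rMDAx.cdn-updates-example.com
2026-05-13T02:14:31Z 10.20.5.17 UExDX3RvcG9sb2d5X3NlZ21lbnQwMDI.cdn-updates-example.com
2026-05-13T02:15:02Z 10.20.5.17 c2NhZGFfZXhwb3J0X3BhcnQwMDNfZG4.cdn-updates-example.com
2026-05-13T02:15:33Z 10.20.5.17 aGlzdG9yaWFuX2R1bXBfY2h1bmswMDQ.cdn-updates-example.com
2026-05-13T02:16:04Z 10.20.5.17 ZW5nX3dvcmtzdGF0aW9uX2NyZWRzMDU.cdn-updates-example.com
2026-05-13T02:16:10Z 10.20.5.18 www.microsoft.com
2026-05-13T02:16:12Z 10.20.5.19 mail.example.org
2026-05-13T02:16:15Z 10.20.5.18 download.windowsupdate.com
"""

LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")  # base64 and base64url alphabet
MIN_LABEL_LEN = 20      # assumed threshold; benign hostnames are rarely this long
MIN_ENTROPY = 3.5       # bits per character; dictionary words sit near 3.0 or lower
MIN_UNIQUE_CHUNKS = 3   # distinct encoded subdomains before a domain is flagged

def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_encoded_label(label: str) -> bool:
    """True when one DNS label is long, base64-shaped and high-entropy."""
    return (len(label) >= MIN_LABEL_LEN
            and bool(LABEL_RE.match(label))
            and shannon_entropy(label) >= MIN_ENTROPY)

def registered_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    # Use a public-suffix list in production so co.uk-style names group correctly.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_exfil_domains(log_text: str) -> dict:
    """Return {domain: {"chunks": n_unique_qnames, "clients": [ips]}} for domains
    that received at least MIN_UNIQUE_CHUNKS distinct encoded-looking subdomains."""
    seen = defaultdict(lambda: {"labels": set(), "clients": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed or blank lines
        _ts, client, qname = parts
        labels = qname.rstrip(".").split(".")
        # only the leftmost labels carry payload chunks; the domain itself is fixed
        if any(is_encoded_label(lbl) for lbl in labels[:-2]):
            dom = registered_domain(qname)
            seen[dom]["labels"].add(qname)
            seen[dom]["clients"].add(client)
    return {d: {"chunks": len(v["labels"]), "clients": sorted(v["clients"])}
            for d, v in seen.items() if len(v["labels"]) >= MIN_UNIQUE_CHUNKS}

if __name__ == "__main__":
    for dom, info in find_exfil_domains(SAMPLE_LOG).items():
        print(f"{dom}: {info['chunks']} encoded chunks from {info['clients']}")
```

Pair the hit with the registration-age check from the checklist: a domain that is both newly registered and collecting encoded subdomains from a single internal host is worth an immediate look.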

What the security vendors are and are not doing

Major antivirus vendors have started adding signatures for the specific ModeloRAT binaries that have been observed in the wild, but the polymorphic engine means those signatures are already outdated. Behavioral detection rules that look for BITS job abuse and LSASS process access are more effective, but they generate high false positive rates that cause security operations centers to tune them down or disable them entirely.

Microsoft has not issued a formal advisory about this campaign as of the time of this writing. The company typically waits for broad industry confirmation before publishing guidance, but the affected organizations cannot afford to wait. The intelligence sharing community, specifically the information sharing and analysis centers for the energy and transportation sectors, has distributed private alerts to its members. If you are not a member of your sector's ISAC, you should join today.

One thing that has frustrated researchers is the lack of a coordinated takedown of the KongTuke command infrastructure. The domains and IP addresses being used by the group are known, but they are spread across multiple jurisdictions, and the legal process for seizing them moves slowly when it moves at all. By the time a takedown order is signed, the operators have already migrated to new infrastructure.

The unanswered questions that should worry you

There are two critical unknowns in this story that keep me up at night. The first is how KongTuke initially compromised the MSP that became the distribution vector for ModeloRAT. If it was a phishing attack, the lesson is to improve security awareness training. But if it was a vulnerability in the RMM platform itself, then every organization using that platform is potentially exposed, and the vendor needs to disclose the vulnerability immediately.

The second unknown is what the ultimate objective is. KongTuke has been operating for at least two years, and this is the first time they have deployed a custom RAT rather than relying on off the shelf tools like Cobalt Strike or Meterpreter. Building a custom RAT requires significant development resources and implies a long term commitment to these targets. You do not build a custom tool like ModeloRAT for a short campaign. You build it for a multi year access operation.

The intelligence community terminology for this kind of preparation is prepositioning. An adversary establishes persistent access to critical networks, maintains it quietly, and then activates it at a time of strategic choosing. The question that nobody can answer right now is what event would trigger that activation. A geopolitical crisis? A conflict in a specific region? A change in government policy? We do not know, and that uncertainty is the most dangerous part of this entire situation.

The timeline of what happened in the last 48 hours

For context on the urgency of this situation, here is the timeline of events as reported by the threat intelligence firm tracking the KongTuke activity.

  • Day minus 3: The compromised MSP pushes a software update to its RMM agents across all customer environments. The update appears legitimate and is signed with the MSP's code signing certificate.
  • Day minus 2: ModeloRAT begins beaconing from multiple customer environments to the same set of C2 servers. The beacons are low frequency, one every four hours, to avoid detection.
  • Day minus 1: A security analyst at one of the downstream customers notices the anomalous DNS queries during a routine log review. The analyst escalates to the incident response team.
  • Day 0: Public disclosure of the campaign. The threat intelligence firm publishes its analysis. Multiple organizations begin emergency incident response procedures.

That timeline tells you everything you need to know about the speed of this threat. From initial compromise to public disclosure was roughly 72 hours. In that window, the attackers had already exfiltrated significant amounts of data and established multiple persistence mechanisms. If your organization was compromised in this campaign and you have not detected it yet, the attackers have likely already achieved their objectives.

KongTuke is not going away. The group has demonstrated technical sophistication, operational security discipline, and a clear strategic focus on critical infrastructure. ModeloRAT is the tool they built for this moment. The question now is whether the security community can adapt quickly enough to stop them, or whether this becomes another case study in how persistent adversaries always find a way through. The next 48 hours will tell us a lot about which direction we are heading.

Frequently Asked Questions

What is the name of the custom remote access trojan delivered by KongTuke teams?

The custom remote access trojan delivered by KongTuke teams is called ModeloRAT.

Which sectors are targeted by the current KongTuke campaign according to the article?

The campaign targets organizations in the energy and logistics sectors.

What technique does ModeloRAT use to mimic legitimate network traffic?

ModeloRAT uses credential relay hijacking to authenticate with valid tickets, making its activity look like routine maintenance.

How does ModeloRAT achieve persistence on infected systems?

ModeloRAT installs itself as a Windows Background Intelligent Transfer Service (BITS) job to achieve persistence.

What privilege escalation method does ModeloRAT exploit?

ModeloRAT exploits a Windows Filtering Platform callout driver with a signed, repurposed third-party driver to gain SYSTEM privileges.

Written by Sloane Meyer, Cybersecurity Editor

Sloane Meyer covers cybersecurity, privacy and the threats facing individuals and organisations online. She explains how attacks happen and what can be done to stay protected.
