ModeloRAT Windows RAT deployment with RC4 C2 and Registry persistence
Malware Activity
Summary
The KongTuke operation is deploying ModeloRAT, a Python-based Windows RAT that gives attackers persistent remote control over infected systems. It communicates through RC4-encrypted C2 and can execute binaries, DLLs, Python scripts, and PowerShell commands. The implant also writes Registry persistence and supports self-update and termination commands. That combination raises the risk of durable compromise on Windows endpoints.
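The summary says ModeloRAT persists through the Registry and needs a Python interpreter to run, but the page does not give the key or value name it writes. The following hunt is an added example, not ModeloRAT's code or an indicator from the report: it parses `reg query`-style text for the common Run keys and flags values that launch an interpreter from a user-writable path or with a hidden window. The sample Registry dump, the key list and the path fragments are constructed assumptions for illustration.

```python
import re

# Run keys whose values are launched at logon. ModeloRAT's exact key and value
# name are not given on this page, so this hunts the common Run locations
# (assumption, not an indicator from the report).
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
)

# A Python-based implant needs an interpreter on disk; it may also chain
# through PowerShell, which the page says ModeloRAT can execute.
INTERPRETERS = ("python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe")
# Path fragments a standard user can write to. Legitimate autoruns live here
# too (OneDrive does), so this alone is never a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# One value line of `reg query` output: name, type and data separated by runs
# of whitespace. Value names may themselves contain single spaces.
VALUE_RE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*?)\s*$"
)


def parse_reg_query(text):
    """Yield (key, value_name, data) tuples from `reg query <key>`-style text."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def classify(data):
    """Return the reasons a Run value's command looks like implant persistence.

    An interpreter on its own is weak evidence; require a second signal
    (user-writable path or a hidden window) before flagging.
    """
    low = data.lower()
    reasons = []
    for exe in INTERPRETERS:
        if exe in low:
            reasons.append("interpreter: " + exe)
            break
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("user-writable path")
    if "pythonw.exe" in low or "-windowstyle hidden" in low or " -w hidden" in low:
        reasons.append("hidden window")
    if reasons and reasons[0].startswith("interpreter:") and len(reasons) > 1:
        return reasons
    return []


def hunt(text, keys=RUN_KEYS):
    """Return a list of suspicious Run values found in reg-query text."""
    wanted = tuple(k.lower() for k in keys)
    findings = []
    for key, name, data in parse_reg_query(text):
        if not key.lower().startswith(wanted):
            continue
        reasons = classify(data)
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample output, not taken from a real host or from the report.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\Python\pythonw.exe C:\Users\alice\AppData\Roaming\svc\main.py
    Loader    REG_SZ    powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\ProgramData\u.ps1

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f["key"], f["name"], "->", ", ".join(f["reasons"]))
```

On the sample, OneDrive and SecurityHealth pass and the two interpreter-backed values are flagged. Run keys are only one of several autostart locations (scheduled tasks, services and WMI subscriptions are others), so treat a clean result here as narrowing the search, not closing it.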
Related Happenings
DEEP#DOOR Python backdoor framework
Malware Activity
First: 30.04.2026 15:36
Last: 30.04.2026 15:36
Sources 1
About this happening:
**DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
EDR killer abusing EnPortv.sys to disable 59 security tools
Malware Activity
First: 04.02.2026 16:17
Last: 04.02.2026 16:17
Sources 1
About this happening:
A custom **EDR killer** abused **EnPortv.sys** to disable endpoint security tools on infected Windows hosts, creating a window for follow-on intrusion activity. The 64-bit executa...
Mustang Panda multi-country espionage campaign against government and telecom targets
Campaign
First: 28.01.2026 13:40
Last: 28.01.2026 13:40
Sources 1
About this happening:
A **Mustang Panda** espionage campaign targeted **government entities** across **Myanmar, Mongolia, Malaysia, and Russia**, showing sustained multi-country activity from **2021-20...
BeaverTail and InvisibleFerret backdoor delivery via malicious VS Code task abuse
Malware Activity
First: 20.01.2026 20:41
Last: 20.01.2026 20:41
Sources 1
About this happening:
**North Korean** threat actors tied to **Contagious Interview** are using **malicious Visual Studio Code (VS Code) tasks** and injected code in **compromised developer repositorie...
Latest development: 22.04.2026 17:48
North Korean actor Void Dokkaebi, aka Famous Chollima, is turning the Contagious Interview fake-job lure into a self-propagating software supply-chain infection that abuses compromised developer repositories, malicious VS Code tasks, and injected code to spread malware and steal credentials. The campaign targets developers seeking work, can hide a poisoned .vscode folder in committed code, and Trend Micro said it found more than 750 infected code repositories, more than 500 malicious VS Code task configurations, and 101 commit-tampering instances in March.
Timeline
19.01.2026 11:09 · 2 articles
CrashFix campaign disclosure
Initial Disclosure: Researchers disclosed an ongoing KongTuke campaign dubbed CrashFix that uses a malicious Google Chrome extension, published on the official Chrome Web Store, to masquerade as an ad blocker, crash the browser as a ClickFix-style lure, and deliver ModeloRAT as a next-stage payload.
- CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures — thehackernews.com — 19.01.2026 11:09
- Fake ad blocker extension crashes the browser for ClickFix attacks — www.bleepingcomputer.com — 20.01.2026 00:49