Mallory
Malware | Ransomware | Used by 2 actors

Mistic


THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
KongTuke

A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.

Source: BleepingComputer (bleepingcomputer.com)
Woodgnat

Starting in April 2026, Woodgnat has been deploying the new Backdoor.Mistic RAT against the networks of organizations across multiple industries, including education, insurance, IT, and professional services.

Source: SecurityWeek (securityweek.com)
MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059 Command and Scripting Interpreter (1 evidence item)

Mistic provides attackers with typical capabilities, including ... code execution.

T1204 User Execution (1 evidence item)

KongTuke has been known to use ClickFix, and its FileFix and CrashFix variants, since early 2025 to deliver the ModeloRAT malware. In a technical report this week, Zscaler notes that Mistic, which it tracks as MTLBackdoor, was delivered as a payload in a multi-stage ClickFix infection chain in May.

Privilege Escalation

1 technique
T1055 Process Injection (1 evidence item)

The backdoor runs payloads in memory with no file written to disk... Zscaler researchers say that 'one of the most powerful features [in MTLBackdoor] is the ability to load Beacon Object Files (BOFs) to expand its capabilities.'

Stealth

3 techniques
T1055 Process Injection (1 evidence item)

The backdoor runs payloads in memory with no file written to disk... Zscaler researchers say that 'one of the most powerful features [in MTLBackdoor] is the ability to load Beacon Object Files (BOFs) to expand its capabilities.'

T1070 Indicator Removal (1 evidence item)

Terminate itself and delete files from the host

T1620 Reflective Code Loading (1 evidence item)

Execute code received from the C2 directly in memory

Credential Access

1 technique
T1649 Steal or Forge Authentication Certificates (1 evidence item)

A separate .NET DLL is also loaded, which displays a fake login screen to the victim to steal their account credentials.

Command and Control

2 techniques
T1071 Application Layer Protocol (1 evidence item)

Once loaded, Mistic communicates with its command-and-control infrastructure and can receive commands from the operator.

T1105 Ingress Tool Transfer (2 evidence items)

Mistic provides attackers with typical capabilities, including file download and upload... Additional tools observed in the intrusion include ... Certutil ... for ... file download...
