MLTBackdoor Uses ClickFix Lures and DLL Sideloading to Evade Analysis
Researchers detailed MLTBackdoor, a newly identified backdoor assessed as likely linked to a ransomware-related threat actor, delivered through a multi-stage ClickFix social-engineering chain. Victims are lured from an automotive-themed webpage into running commands that fetch a disguised archive from a DGA-generated domain, decrypt an RC4-protected payload, and install the malware through DLL sideloading with the signed Microsoft Defender binary mpextms.exe. Zscaler said one generated domain, hrs2y15sungu[.]com, was used for both payload delivery and command-and-control traffic.
The malware is built to resist detection and analysis, using heavy LLVM-based obfuscation, mixed boolean-arithmetic, control-flow flattening, stack-built strings, API hashing, and Hell's Gate-style indirect system calls; researchers said roughly 95% of the code consists of junk mathematical operations. Rather than exiting when it detects analysis environments, MLTBackdoor performs 10 anti-analysis checks for virtualization, sandboxing, debugging, and limited system resources, then reports the resulting bitmask to its operators. It communicates over TLS on port 443 using a custom binary protocol at /api/v1/telemetry with a Microsoft-Delivery-Optimization/10.1 user agent, derives AES-256-GCM session keys via ECDH on NIST P-256, and includes file-management features plus a Beacon Object File loader that expands post-exploitation capability in memory.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ThreatLabz identifies newly discovered MLTBackdoor in May 2026
Zscaler ThreatLabz identified a newly discovered backdoor dubbed MLTBackdoor in May 2026 and assessed it as likely linked to a ransomware-related threat actor. The malware was observed delivered through a multi-stage ClickFix infection chain ending in DLL sideloading via the signed Microsoft Defender binary mpextms.exe.
ThreatLabz publishes technical analysis of MLTBackdoor
Zscaler published a technical analysis detailing MLTBackdoor's ClickFix delivery chain, LLVM-based obfuscation, anti-analysis checks, custom TLS-based C2 protocol, and Beacon Object File loader capabilities. The report also documented use of DGA-generated domains and hardcoded C2 infrastructure.
MLTBackdoor C2 and distribution domain generated for April 29, 2026
ThreatLabz reported that the domain hrs2y15sungu[.]com, generated for April 29, 2026 by MLTBackdoor's date-based DGA, was used both to distribute the malware and for command-and-control communications.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
MLTBackdoor Malware Family Fuels Ransomware Attacks
securityonline.info
Open sourceHackers Deploy MLTBackdoor Malware via Multi-Stage ClickFix Infection Chain
cybersecuritynews.com
Open sourceTechnical Analysis of MLTBackdoor | Community Portal | Gurucul
community.gurucul.com
Open sourceTechnical Analysis of MLTBackdoor | ThreatLabz
zscaler.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
LNK-Based Malware Campaigns Deliver PlugX and Custom .NET RAT
Researchers documented two separate but related **LNK-driven intrusion chains** that used shortcut files as the initial lure to fetch additional malware from attacker-controlled infrastructure. In one campaign targeting organizations in the **Arabian Gulf region**, a China-nexus threat actor used a Middle East conflict-themed ZIP archive containing an LNK file that downloaded a malicious CHM file and ultimately deployed a **PlugX** backdoor. The infection chain progressed through a second LNK, a TAR archive, DLL sideloading, and a shellcode loader before installing PlugX with persistence under a fake Microsoft Display Broker path and service name. The malware used RC4-encrypted components, API hooking, reflective DLL loading, corrupted PE headers, and support for **TCP, HTTPS, UDP, and DoH** communications, with a decrypted command-and-control endpoint at `91.193.17[.]117:443` and plugins for keylogging, shell access, screen capture, registry, service, and network operations. A second investigation exposed a live **LNK-to-DLL-to-.NET RAT** operation staged from an open Apache directory on `wildishadventure[.]com/secure9/` and `171.22.182[.]231/secure9/`, where researchers recovered weaponized LNK files, custom DLL downloaders, backup files, and a final payload named `RemoteMgmt.Agent.exe`. That chain abused the legacy `ActiveXObject('htmlfile')` technique to force Windows to retrieve DLLs over UNC paths, then delivered a custom .NET 4.8 remote access trojan that supported command execution, token-based authentication, JSON-over-raw-TCP C2 over port 443, reconnect-based persistence, and logging to `%TEMP%\rmgmt_agent.log`. Operational security failures including exposed directory indexing, `.old` backups, test builds, and unstripped internal names allowed investigators to reconstruct the malware’s development workflow and identify infrastructure spanning **BlueVPS**, **Namecheap**, and **Cloudflare**.
Apr 25, 2026
ClickFix Social Engineering Drives Multi-Platform Malware Delivery
Security researchers reported multiple active campaigns using **ClickFix** social engineering—fake error dialogs or verification prompts that trick users into manually running attacker-supplied commands—to bypass browser and download protections and establish an initial foothold. In one enterprise case investigated by **CERT Polska (cert.pl)**, victims were lured via compromised websites showing a fake CAPTCHA/“fix” prompt that instructed them to paste and run a **PowerShell** command via `Win+R`; the script then downloaded a dropper and enabled rapid follow-on activity that can scale to **enterprise-wide compromise**, including deployment of secondary malware such as **Latrodectus** and **Supper** for data theft, lateral movement, and potential ransomware staging. A separate ClickFix operation targeted **macOS developers** by cloning the *Homebrew* site on typosquatted infrastructure; the “install” command was subtly altered to fetch content from `raw.homabrews.org` instead of `raw.githubusercontent.com`, leading to **Cuckoo Stealer** deployment and credential harvesting via repeated password prompts using macOS Directory Services, with related domains tied to shared hosting at **`5.255.123.244`**. ClickFix was also observed as the initial execution mechanism for the resurfaced **Matanbuchus 3.0** MaaS loader, which uses deceptive copy/paste prompts and **silent MSI** execution (via `msiexec`) to deliver a new payload, **AstarionRAT**, enabling capabilities including credential theft and **SOCKS5** proxying; operators were reported to move laterally quickly (including toward domain controllers), consistent with ransomware or data-exfiltration objectives.
Mar 21, 2026
Mistic Backdoor Tied to KongTuke Access Broker Supplying Ransomware Crews
Researchers have identified a stealthy new backdoor, **Mistic**—also tracked as **MTLBackdoor** and **Backdoor.Mistic**—in financially motivated intrusions targeting organizations in the insurance, education, IT, and professional services sectors. Symantec said the malware has been used since April and is likely linked to the initial access broker **KongTuke**/**Woodgnat**, which has been associated with selling enterprise access to ransomware groups including **Qilin, Interlock, Rhysida, Akira, 8Base,** and **Black Basta**. In one intrusion, Mistic appeared alongside Woodgnat's previously documented **ModeloRAT**, strengthening the attribution. Mistic was observed being loaded through **DLL side-loading** via the legitimate `MpExtMs.exe` process with a malicious `version.dll`, while a separate .NET DLL displayed a fake login screen to steal credentials. The malware supports file operations, configurable beaconing, in-memory payload execution, and a self-delete function designed to reduce forensic visibility and maintain long-term access. Zscaler also reported Mistic in a multi-stage **ClickFix** infection chain and said it can load **Beacon Object Files** to expand post-exploitation capabilities without writing artifacts to disk, underscoring its role as a stealthy access tool in ransomware-linked intrusions.
Jun 24, 2026