Mistic Backdoor Tied to KongTuke Access Broker Supplying Ransomware Crews
Researchers have identified a stealthy new backdoor, Mistic—also tracked as MTLBackdoor and Backdoor.Mistic—in financially motivated intrusions targeting organizations in the insurance, education, IT, and professional services sectors. Symantec said the malware has been used since April and is likely linked to the initial access broker KongTuke/Woodgnat, which has been associated with selling enterprise access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. In one intrusion, Mistic appeared alongside Woodgnat's previously documented ModeloRAT, strengthening the attribution.
Mistic was observed being loaded through DLL side-loading via the legitimate MpExtMs.exe process with a malicious version.dll, while a separate .NET DLL displayed a fake login screen to steal credentials. The malware supports file operations, configurable beaconing, in-memory payload execution, and a self-delete function designed to reduce forensic visibility and maintain long-term access. Zscaler also reported Mistic in a multi-stage ClickFix infection chain and said it can load Beacon Object Files to expand post-exploitation capabilities without writing artifacts to disk, underscoring its role as a stealthy access tool in ransomware-linked intrusions.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Symantec publicly reports the new Mistic backdoor
On June 24, 2026, Symantec published research on Backdoor.Mistic, detailing its DLL side-loading via MpExtMs.exe, in-memory execution, credential theft via a fake login screen, and self-delete capability, and assessing a likely link to KongTuke/Woodgnat.
Zscaler observes Mistic in a ClickFix infection chain
Zscaler separately observed Mistic in a multi-stage ClickFix infection chain in May 2026 and noted that it could load Beacon Object Files to extend post-exploitation capabilities without leaving disk artifacts.
Mistic observed shortly after ModeloRAT in one intrusion
In at least one intrusion, Mistic appeared shortly after ModeloRAT, a backdoor previously attributed to KongTuke/Woodgnat, supporting Symantec's assessment of a likely link between the malware and the access broker.
Mistic backdoor begins appearing in intrusions
Symantec reported that the stealthy Mistic backdoor has been used in financially motivated intrusions since April 2026 against organizations in the insurance, education, IT, and professional services sectors.
KongTuke/Woodgnat becomes active as an access broker
Symantec assessed that KongTuke, also tracked as Woodgnat, has been active since at least 2024 compromising corporate networks and selling access to multiple ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection
cybersecuritynews.com
Open sourceNew 'Mistic' RAT Opens Door to Several Ransomware Families - SecurityWeek
securityweek.com
Open sourceStealthy Mistic backdoor linked to ransomware access broker KongTuke
bleepingcomputer.com
Open sourceBackdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | SECURITY.COM
security.com
Open sourceBackdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker | SECURITY.COM
security.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
MLTBackdoor Uses ClickFix Lures and DLL Sideloading to Evade Analysis
Researchers detailed **MLTBackdoor**, a newly identified backdoor assessed as likely linked to a ransomware-related threat actor, delivered through a multi-stage **ClickFix** social-engineering chain. Victims are lured from an automotive-themed webpage into running commands that fetch a disguised archive from a **DGA-generated domain**, decrypt an `RC4`-protected payload, and install the malware through **DLL sideloading** with the signed Microsoft Defender binary `mpextms.exe`. Zscaler said one generated domain, `hrs2y15sungu[.]com`, was used for both payload delivery and command-and-control traffic. The malware is built to resist detection and analysis, using heavy LLVM-based obfuscation, mixed boolean-arithmetic, control-flow flattening, stack-built strings, API hashing, and Hell's Gate-style indirect system calls; researchers said roughly **95%** of the code consists of junk mathematical operations. Rather than exiting when it detects analysis environments, MLTBackdoor performs **10 anti-analysis checks** for virtualization, sandboxing, debugging, and limited system resources, then reports the resulting bitmask to its operators. It communicates over **TLS** on port `443` using a custom binary protocol at `/api/v1/telemetry` with a `Microsoft-Delivery-Optimization/10.1` user agent, derives `AES-256-GCM` session keys via `ECDH` on `NIST P-256`, and includes file-management features plus a **Beacon Object File loader** that expands post-exploitation capability in memory.
Jun 16, 2026
Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Mar 21, 2026
Threat actors abuse shortcut files and legitimate RMM tools to gain persistent access to Windows systems
Threat actors are increasingly relying on *living-off-the-land* techniques and trusted tooling to establish persistent access on Windows endpoints. One campaign used weaponized Windows shortcut (`.LNK`) files disguised as investment-related PDFs to deliver **MoonPeak**, a remote access trojan assessed as a **XenoRAT** variant and linked to North Korea–aligned activity targeting South Korean investors and cryptocurrency traders. Opening the `.LNK` launches an obfuscated PowerShell-driven, multi-stage infection chain while displaying a decoy PDF; analysis also tied payload hosting to attacker-controlled GitHub repositories, reflecting “Living Off Trusted Sites (LOTS)” tradecraft. A separate dual-wave intrusion chain used phishing emails masquerading as *Greenvelope* invitations to steal webmail credentials (e.g., Outlook, Yahoo, AOL), then used the compromised accounts to register for and silently deploy **LogMeIn Resolve** (formerly *GoTo Resolve*) for persistent remote access. The installer (`GreenVelopeCard.exe`) was described as signed and configured to connect to attacker-controlled infrastructure, with follow-on actions including modifying service settings for elevated access and creating hidden scheduled tasks for resilience. Related threat intelligence reporting also highlighted broader “rogue RMM” abuse trends, including **Remcos** and **NetSupport Manager** delivery via paste-and-run lures and PowerShell/`cmd` execution chains (including use of the `finger` utility to fetch remote payloads), underscoring that adversaries are operationalizing legitimate remote administration software as a stealthy backdoor mechanism.
Mar 21, 2026