A new backdoor known as Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.
The malware is believed to be linked to KongTuke/Woodgnat, an initial access broker that has been active since at least 2024. This broker specializes in compromising corporate networks and selling access to ransomware groups such as Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Researchers at cybersecurity firm Symantec say Mistic has been used in intrusions since April.
In at least one incident, the backdoor was deployed by KongTuke shortly after ModeloRAT, which had been delivered through a social engineering attack over Microsoft Teams.
Symantec believes Mistic is a newly developed stealth backdoor designed to persist for long periods of time on compromised networks.
[Image: Mistic attack chain]
In the attack investigated by Symantec, the infection began by launching a legitimate executable, MpExtMs.exe, which sideloaded a malicious DLL named version.dll that acts as a loader for Mistic (EndpointDlp.dll).
Researchers note that the file name chosen for Mistic resembles those of Microsoft's endpoint protection tools, which may help the malware blend in with trusted software on the host.
Another .NET DLL is also loaded to show the victim a fake login screen and steal account credentials.
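The sideloading step above (a legitimate executable loading a DLL that carries a system or endpoint-protection-style name from its own directory) is something defenders can hunt for in image-load telemetry. The following is an added example, not code from Symantec, Zscaler, or the BleepingComputer article: it runs a simple rule over image-load events whose field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed). The sample events, paths and the TRUSTED_DIRS list are constructed for the example; only the DLL names version.dll and EndpointDlp.dll come from the report.

```python
"""Detection sketch for DLL sideloading of the kind described above.

Events are dicts with Sysmon-style field names (Image, ImageLoaded, Signed).
A load is flagged when a watched DLL name is loaded from outside the Windows
system directories, or when an unsigned DLL sits next to its host executable
(the typical sideload layout).
"""
import ntpath

# Directories from which these DLLs are legitimately loaded (assumption for
# the example; a real rule would use the host's actual system paths).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# version.dll is a classic sideload target; EndpointDlp.dll is the Mistic
# loader file name given in the report.
WATCHED_DLLS = {"version.dll", "endpointdlp.dll"}


def is_trusted_dir(path):
    """True if the file lives in (or under) a trusted Windows system directory."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def classify_image_load(event):
    """Return the reasons this image load looks like sideloading; [] if none."""
    dll_path = event["ImageLoaded"]
    dll_name = ntpath.basename(dll_path).lower()
    dll_dir = ntpath.dirname(dll_path).lower()
    host_dir = ntpath.dirname(event["Image"]).lower()
    signed = event.get("Signed", False)
    reasons = []
    if dll_name in WATCHED_DLLS and not is_trusted_dir(dll_path):
        reasons.append(f"{dll_name} loaded from outside the Windows system directories")
    if dll_dir == host_dir and not is_trusted_dir(dll_path) and not signed:
        reasons.append("unsigned DLL co-located with its host executable")
    return reasons


def scan(events):
    """Return (host image, loaded DLL, reasons) for every suspicious load."""
    hits = []
    for e in events:
        reasons = classify_image_load(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits


# Constructed sample events: one benign system load, two sideloads modelled on
# the reported chain, and one benign vendor application loading its own DLL.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
    {"Image": r"C:\Users\Public\Updates\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Updates\version.dll", "Signed": False},
    {"Image": r"C:\Users\Public\Updates\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Updates\EndpointDlp.dll", "Signed": False},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": True},
]

if __name__ == "__main__":
    for image, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{image} -> {dll}: {'; '.join(reasons)}")
```

The co-location rule is deliberately paired with the signature check so that ordinary applications loading their own signed DLLs do not trip it; the watched-name rule fires regardless of signature, because a DLL named after a system or security component that is not in a system directory is worth a look on its own.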
Once loaded, Mistic can communicate with the command and control infrastructure and receive commands from operators. Symantec lists the following features:
- Upload/download files; move, rename and delete files; create folders
- Change how often Mistic checks for commands from the command and control (C2) server
- Execute code received from the C2 directly in memory
- Terminate itself and delete its files from the host
According to Symantec's analysis, Mistic appears to be designed with stealth in mind, allowing attackers to maintain a persistent foothold inside a compromised network for an extended period of time.
"The backdoor executes its payload in memory without writing files to disk and has a kill switch that allows it to delete itself, a feature consistent with operators seeking long-term, low-visibility access," the researchers said.
Although Symantec has not provided details on how infections begin, KongTuke is known to have been using ClickFix and its variants FileFix and CrashFix to distribute ModeloRAT malware since early 2025.
In a technical report this week, cloud security firm Zscaler notes that Mistic, which it tracks as MTLBackdoor, was delivered as the payload of a multi-stage ClickFix infection chain in May.
Zscaler researchers say, "One of [MTLBackdoor's] strongest features is the ability to load beacon object files (BOFs) to extend its functionality."
A BOF is a small C program that can run directly in the memory of a command-and-control (C2) process, leaving no footprint on disk and evading detection by security agents. They are common in post-exploitation red team products such as Cobalt Strike.
Although Symantec believes Mistic fits the observed trend of custom tools being used in ransomware attacks, the backdoor appears to have been developed by an initial access broker with close ties to the ransomware scene.
KongTuke is known to use several other tools, including legitimate WinPython and Node.js runtimes to execute malicious code, Finger.exe to retrieve obfuscated payloads, fake NexShield browser extensions, encrypted GateKeeper .NET payloads, and the MintsLoader and D3F@ck Loader malware loaders to deliver additional payloads.
Both the Zscaler and Symantec reports (1, 2) provide indicators of compromise for the Mistic/MTLBackdoor malware and point out that it is a stealthy tool with extensive functionality.