A new backdoor dubbed Mistic has been observed in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors.
The malware is believed to be linked to KongTuke/Woodgnat, an initial access broker active since at least 2024 that specializes in compromising corporate networks and selling that access to ransomware groups, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Researchers at cybersecurity company Symantec say that Mistic has been used in intrusions since April.
In at least one incident, it was deployed shortly after ModeloRAT, a backdoor attributed to KongTuke and delivered via social engineering attacks over Microsoft Teams.
Symantec believes that Mistic is a newly developed, stealthy backdoor designed for long-term persistence in compromised networks.
Mistic attack chain
In the attacks investigated by Symantec, the infection started with the launch of the legitimate executable MpExtMs.exe to side-load a malicious DLL named version.dll, which acts as the loader of Mistic (EndpointDlp.dll).
The researchers note that the filename chosen for Mistic resembles Microsoft endpoint security tooling, which may help the malware blend in with trusted software on the host.
A separate .NET DLL is also loaded, which displays a fake login screen to the victim to steal their account credentials.
Once loaded, Mistic communicates with its command-and-control infrastructure and can receive commands from the operator. Symantec lists the following capabilities:
- Upload/download, move, rename, delete files, and create folders
- Modify how frequently Mistic checks for commands from the command-and-control (C2) server
- Execute code received from the C2 directly in memory
- Terminate itself and delete files from the host
According to Symantec’s analysis, Mistic appears to have been designed for stealth, enabling attackers to maintain a persistent foothold within compromised networks over extended periods.
“The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access,” the researchers say.
Symantec does not provide details on how the infection begins, but KongTuke has been known to use ClickFix, and its FileFix and CrashFix variants, since early 2025 to deliver the ModeloRAT malware.
In a technical report this week, cloud security company Zscaler notes that Mistic, which it tracks as MTLBackdoor, was delivered as a payload in a multi-stage ClickFix infection chain in May.
Zscaler researchers say that “one of the most powerful features [in MTLBackdoor] is the ability to load Beacon Object Files (BOFs) to expand its capabilities.”
BOFs are small programs in C that can execute directly in the memory of a command-and-control (C2) process, leaving no footprint on the disk and evading detection of security agents. They are common in red team products, such as Cobalt Strike, for the post-exploitation stage.
Symantec believes that Mistic confirms the observed trend of custom tools being used in ransomware attacks, although the backdoor appears to have been developed by an initial access broker closely connected to the ransomware scene.
KongTuke is known to use multiple other tools, such as the legitimate WinPython and Node.js runtimes to execute malicious code, finger.exe to retrieve obfuscated payloads, the fake NexShield browser extension, the encrypted GateKeeper .NET payload, and the MintsLoader and D3F@ck Loader malware loaders to deliver additional payloads.
Both Zscaler and Symantec reports [1, 2] provide indicators of compromise for the Mistic/MTLBackdoor malware and note that it is a stealthy tool that can expand its functionality.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
