Mistic Backdoor RAT: New Threat Linked to KongTuke Access Broker

In the modern cyber threat landscape, the division of labor between malicious actors has achieved corporate-grade efficiency. Initial Access Brokers (IABs) serve as the specialized advance guard, penetrating enterprise networks, establishing deep footholds, and subsequently selling high-level access to the highest-bidding Ransomware-as-a-Service (RaaS) operations. On June 24, 2026, researchers from Symantec and Carbon Black disclosed the discovery of a sophisticated remote access trojan (RAT) dubbed the Mistic backdoor. Tracked separately by Zscaler as MLTBackdoor, the malware is heavily linked to Woodgnat (also known as KongTuke, 404 TDS, TAG-124, and Chaya_002)—a highly active initial access broker operating since at least May 2024. The Mistic backdoor represents a critical advancement in Woodgnat’s toolkit, optimizing stealth and persistence in victim networks before their access is commercialized and sold to major ransomware syndicates such as Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Rather than focusing on a single sector, the operators behind the Mistic backdoor cast an exceptionally wide, opportunistic net. Since its deployment in the wild starting around April 2026, researchers have observed the malware targeting diverse global industries, with a particular concentration in the insurance, education, information technology, and professional services sectors. Woodgnat’s primary objective is not to execute immediate disruptive payloads, but to establish highly resilient, long-term persistence that can survive deep forensic scrutiny. This “hold-the-door” philosophy allows the brokers to thoroughly evaluate compromised networks, map out Active Directory architectures, and dictate premium pricing when presenting these pre-compromised victim networks to RaaS affiliates.
Social Engineering Sophistication: The ClickFix and CrashFix Campaigns
The delivery mechanism for Woodgnat-affiliated campaigns has undergone a rapid, calculated evolution. Historically, the group relied on highly successful opportunistic social engineering frameworks under the broader “ClickFix” umbrella. These campaigns abuse victim trust by mimicking technical issues on compromised websites, prompting users to manually copy and execute malicious scripts. The threat group’s initial delivery vectors include several highly sophisticated iterations:
- ClickFix (Early 2025): Attackers deployed fake browser errors or falsified CAPTCHA verification tests on compromised web pages. These pop-ups tricked users into copying a pre-formatted PowerShell script into their clipboard and running it via the Windows Run dialog (Win+R) under the guise of fixing a technical bug or resolving a verification error.
- FileFix (Mid-2025): To bypass detections monitoring the Run dialog, the actors transitioned to the “FileFix” variant. This method instructed users to paste and execute malicious commands directly inside the Windows File Explorer address bar, exploiting an overlooked system administration shortcut.
- CrashFix (Early 2026): The most recent and aggressive variation, dubbed CrashFix, relies on malicious Google Chrome extensions to force browser instability. In these intrusions, the threat actors distributed a malicious extension called NexShield (falsely marketed as “NexShield — Advanced Web Guardian” or a legitimate ad-blocking tool like uBlock Origin Lite) via malvertising and compromised WordPress sites. Once installed, NexShield purposefully crashes the victim’s web browser. The victim is then presented with an elaborate fake error page containing step-by-step troubleshooting instructions. These instructions direct the user to open a Windows terminal and paste an obfuscated PowerShell snippet, which launches a multi-stage PowerShell chain to pull down the next-stage payload.
In addition to browser-level lures, investigators have observed KongTuke leveraging Microsoft Teams as an attack vector, showcasing their versatility in exploiting modern collaboration channels. These social engineering vectors often chain multiple system processes to evade basic antivirus detection. For example, attackers have abused Node.exe (the legitimate Node.js runtime) as a script host to execute malicious JavaScript, which in turn orchestrates follow-on PowerShell commands. To retrieve obfuscated payloads silently from remote staging servers, the actors historically leveraged Finger.exe, a legacy, living-off-the-land Windows binary that administrators rarely monitor for outbound internet traffic.
Technical Analysis of the Mistic Backdoor Execution Chain
Once the initial PowerShell script runs, the threat actors avoid typical, noisy installation procedures that would trigger Endpoint Detection and Response (EDR) alerts. Instead, the Mistic backdoor employs a stealthy, multi-layered DLL side-loading technique designed to blend in with trusted system software. This execution chain is characterized by several highly optimized evasion mechanisms:
- Abusing Trusted Binaries: The execution begins with the launch of a legitimate, digitally signed Microsoft executable named MpExtMs.exe. Because this binary is historically associated with Microsoft Defender and endpoint-security operations, most endpoint security agents treat its execution as inherently safe.
- The Loader Phase: Upon execution, MpExtMs.exe attempts to load a standard dynamic link library (DLL) called version.dll. The attackers place a malicious, custom-crafted version.dll within the same directory as the executable. This malicious loader utilizes API hooking, specifically targeting system APIs like GetModuleFileNameW and LoadLibraryW. This hooking ensures that the legitimate path of the binary is preserved to satisfy operating system checks while forcing the system to load the malicious backdoor payload.
- Masquerading Payload Names: The version.dll loader subsequently decrypts and loads the core backdoor, which is packaged under the name EndpointDlp.dll. By choosing this name, the actors mimic official Microsoft Endpoint Data Loss Prevention software. An analyst reviewing active processes or loaded DLLs in a noisy environment is highly likely to dismiss EndpointDlp.dll as a legitimate administrative tool.
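The side-loading chain above leaves a simple telemetry tell: a DLL that Windows normally resolves from System32 is loaded from the executable's own directory. The following detection logic is an added example written for this article, not code from the researchers; it runs over constructed Sysmon-style image-load events, and the list of DLLs and trusted directories is an assumption to be tuned from your own baseline.

```python
"""Flag the version.dll side-loading pattern from Sysmon-style image-load
events. Sample events are constructed for the example, not real telemetry."""
from pathlib import PureWindowsPath

# Constructed events modelled on Sysmon Event ID 7 (ImageLoaded) fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\pkg\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\pkg\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\victim\AppData\Local\Temp\pkg\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\pkg\EndpointDlp.dll", "Signed": "false"},
]

# DLLs the OS normally resolves from System32; a copy beside the executable is
# the classic side-loading tell. Assumed list, extend it from your baseline.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll"}
# Directories from which these loads are considered expected (assumption).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def classify(event):
    """Return the reasons one image-load event looks like side-loading."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    dll_dir = str(dll.parent).lower()
    in_trusted = dll_dir.startswith(TRUSTED_DIRS)
    reasons = []
    if dll.name.lower() in SYSTEM_DLLS and not in_trusted:
        reasons.append(f"system DLL {dll.name} loaded from {dll.parent}")
    if dll.parent == exe.parent and not in_trusted and event.get("Signed") == "false":
        reasons.append("unsigned DLL loaded from the executable's own directory")
    if dll.name.lower() == "endpointdlp.dll" and not in_trusted:
        reasons.append("EndpointDlp.dll name used outside a Windows directory")
    return reasons

def find_sideloads(events):
    """Return (exe, dll, reasons) for every event that triggers a reason."""
    hits = []
    for e in events:
        reasons = classify(e)
        if reasons:
            hits.append((e["Image"], e["ImageLoaded"], reasons))
    return hits
```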
To further reduce forensic footprints, the Mistic backdoor is designed to run its payload execution entirely in volatile memory. It does not write its decrypted operational files to disk, leaving incident responders with virtually no physical disk artifacts to analyze. Additionally, the developers built a specialized “kill switch” mechanism into the malware. If the threat actors sense detection or decide to abandon the host, they can issue a command to terminate the active process, purge memory-resident buffers, and cleanly erase all secondary trace elements from the victim’s host.
Post-Compromise Operations: Signaling, Credential Theft, and ModeloRAT
Once active on a host, the Mistic backdoor serves as a robust foundation for extensive post-exploitation activity. Rather than using standard HTTP/S beaconing, which is frequently scrutinized by network firewalls, the malware utilizes Domain Name System (DNS) query lookup chains. This technique uses DNS requests as a lightweight, low-signature staging and signaling channel. By encoding commands and data within subdomains of attacker-controlled DNS zones, the backdoor can receive next-stage instructions and exfiltrate minor data segments while bypassing traditional protocol-filtering firewalls.
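A subdomain-encoded DNS channel looks different from browsing in resolver logs: one client issues many unique, high-entropy subdomains under a single zone. The heuristic below is an added example, not the researchers' detection; the log lines and the c2-zone.invalid / example.com names are constructed, and treating the last two labels as the zone is a simplification (use a public-suffix list in production).

```python
"""Flag DNS query patterns consistent with subdomain-encoded signaling.
Log lines and domain names are constructed for the example."""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qtype> <qname>"
SAMPLE_LOG = """\
1718000001 10.0.0.5 A www.example.com
1718000002 10.0.0.5 A mail.example.com
1718000003 10.0.0.7 TXT 4f2a9c7e1b8d6035a7e3.c2-zone.invalid
1718000004 10.0.0.7 TXT b81e7d2c5a9f03641e8c.c2-zone.invalid
1718000005 10.0.0.7 TXT 09d3f6a1c8e2b7540f9a.c2-zone.invalid
1718000006 10.0.0.7 TXT e5c2a8f1d74b0396e1c2.c2-zone.invalid
1718000007 10.0.0.5 A cdn.example.com
"""

def entropy(s):
    """Shannon entropy of a label in bits per character."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def split_name(qname):
    """Return (subdomain, zone); the zone is assumed to be the last two labels."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def analyse(log, min_queries=4, min_entropy=3.0):
    """Group distinct subdomains per (client, zone) and return the pairs whose
    subdomain count and mean label entropy both exceed the thresholds."""
    seen = defaultdict(set)
    for line in log.splitlines():
        _ts, client, _qtype, qname = line.split()
        sub, zone = split_name(qname)
        if sub:
            seen[(client, zone)].add(sub)
    hits = {}
    for (client, zone), subs in seen.items():
        mean_ent = sum(entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_queries and mean_ent >= min_entropy:
            hits[(client, zone)] = (len(subs), round(mean_ent, 2))
    return hits
```

Thresholds are starting points: cardinality per zone over a time window and label length are usually added before such a rule is put into production.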
The capabilities of the Mistic backdoor allow operators to perform standard and advanced remote access activities, including:
- Uploading, downloading, moving, renaming, and deleting files across the local and network filesystems.
- Creating directory structures to organize exfiltrated data or staging files.
- Dynamically adjusting the beaconing frequency at which the backdoor checks in with its command-and-control (C2) server.
- Executing arbitrary code directly within memory, which Zscaler noted includes the ability to load Beacon Object Files (BOFs) to rapidly expand post-compromise capabilities without triggering disk write alarms.
In documented intrusions, Woodgnat has deployed Mistic alongside a specialized suite of helper utilities. To capture administrative access, the actors load a companion .NET DLL designed to display convincing, fake login screens. This credential harvester tricks users into entering their domain credentials, which are immediately exfiltrated to the attackers’ infrastructure. Alongside Mistic, threat hunters have detected the presence of ModeloRAT, a Python-based remote access trojan also attributed to Woodgnat. Typically delivered in a portable WinPython package and executed via a signed pythonw.exe, ModeloRAT relies on RC4-encrypted C2 communications and multiple failover domains to guarantee uninterrupted access. To facilitate lateral movement, registry manipulation, and data exfiltration, the operators aggressively utilize legitimate administrative utilities (living-off-the-land techniques), including:
- Curl and Certutil for downloading secondary binaries and exfiltrating data.
- Reg.exe for registry manipulation and privilege escalation.
- Net.exe (Net) for mapping local networks and discovering network resources.
- PowerShell and WMIC (Windows Management Instrumentation Command-line) for remote code execution and deep system reconnaissance.
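The process chains the article names (Node.exe as a script host launching PowerShell, Finger.exe fetching payloads, and the administrative utilities listed above) can be caught from process-creation telemetry by walking parent-child ancestry. This is an added example, not code from the researchers; the events are constructed and modelled on Sysmon Event ID 1 fields.

```python
"""Flag living-off-the-land process chains from process-creation events.
Sample processes are constructed for the example, not real telemetry."""

# Constructed events with the Sysmon Event ID 1 fields the rule needs.
SAMPLE_PROCS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": "chrome.exe"},
    {"pid": 102, "ppid": 100, "image": "node.exe"},
    {"pid": 103, "ppid": 102, "image": "powershell.exe"},
    {"pid": 104, "ppid": 103, "image": "finger.exe"},
    {"pid": 105, "ppid": 100, "image": "certutil.exe"},
    {"pid": 106, "ppid": 100, "image": "wmic.exe"},
]

# Utilities the article lists as abused; interactive launches by ordinary
# users are rare, so chains rooted in a user shell deserve a look.
LOLBINS = {"finger.exe", "certutil.exe", "reg.exe", "net.exe", "wmic.exe", "curl.exe"}
SCRIPT_HOSTS = {"node.exe", "powershell.exe"}

def ancestry(procs, pid):
    """Return image names from the process up to the root (child first)."""
    by_pid = {p["pid"]: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def suspicious_chains(procs):
    """Return {pid: reason} for processes matching the article's patterns."""
    hits = {}
    for p in procs:
        chain = ancestry(procs, p["pid"])
        img, parents = chain[0], chain[1:]
        if img in LOLBINS and any(h in parents for h in SCRIPT_HOSTS):
            hits[p["pid"]] = f"{img} under a script host: {' <- '.join(chain)}"
        elif img == "powershell.exe" and "node.exe" in parents:
            hits[p["pid"]] = f"powershell.exe launched via node.exe: {' <- '.join(chain)}"
        elif img in LOLBINS and parents and parents[0] == "explorer.exe":
            hits[p["pid"]] = f"{img} launched interactively from explorer.exe"
    return hits
```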
Enterprise Mitigation and Defensive Posture
Defending against an evasive threat like the Mistic backdoor requires a defense-in-depth security posture that addresses both the initial social engineering vectors and the subsequent execution and persistence phases. Organizations should implement the following targeted mitigation strategies:
- Browser Extension Controls: Because ClickFix and CrashFix campaigns rely heavily on malicious browser extensions like NexShield
Written by
TempMail Ninja