A new backdoor called Mistic has been spotted in financially motivated attacks hitting organizations across insurance, education, IT, and professional services. Researchers at Symantec believe it’s linked to KongTuke — also known as Woodgnat — an initial access broker active since at least 2024 that sells compromised network access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Mistic has been in use since at least April. In one incident, it was deployed shortly after ModeloRAT, another KongTuke tool that arrives through social engineering attacks over Microsoft Teams.
The attack chain starts with a legitimate Windows executable, MpExtMs.exe, which side-loads a malicious DLL called version.dll. That DLL acts as the loader for Mistic (EndpointDlp.dll). The filename is designed to look like Microsoft endpoint security tooling — a trick to help it blend in. A separate .NET DLL displays a fake login screen to steal credentials.
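The chain described above is a textbook DLL side-load: a legitimately signed executable resolves a DLL by name, and a copy of a system DLL placed in its own folder wins over the real one in the Windows directory. The detection logic below is an added example for illustration and is not code published by Symantec, Zscaler, or the article's authors. It scans constructed, simplified "image loaded" records (modelled loosely on Sysmon Event ID 7; the field layout and every path are made up here) and flags a system DLL loaded from the host executable's own directory, then reports any unsigned module the same process loads afterwards. The DLL watchlist beyond version.dll and the assumed default Windows directories are assumptions, not indicators from the report.

```python
from pathlib import PureWindowsPath

# DLLs Windows normally serves from its system directory. version.dll is the one
# named in the report; the others are an assumed defender watchlist, not IoCs.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

# Where the genuine copies live on a default Windows install (assumption).
SYSTEM_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Windows\WinSxS",
)

# Constructed sample records in a simplified 'key=value|key=value' layout.
# These are not captured logs; the paths and signing flags are invented.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\Public\Update\MpExtMs.exe|ImageLoaded=C:\Users\Public\Update\version.dll|Signed=false",
    r"Image=C:\Users\Public\Update\MpExtMs.exe|ImageLoaded=C:\Users\Public\Update\EndpointDlp.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\SysWOW64\dbghelp.dll|Signed=true",
]


def parse_event(line: str) -> dict:
    """Split one 'k=v|k=v' record into a dict of fields."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def in_system_dir(path: str) -> bool:
    """True if the file sits under one of the trusted Windows directories."""
    p = _norm(path)
    return any(p.startswith(_norm(d) + "\\") for d in SYSTEM_DIRS)


def is_sideload(event: dict) -> bool:
    """A system DLL loaded from the executable's own folder, not from Windows."""
    image = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if dll.name.lower() not in SYSTEM_DLLS:
        return False
    if in_system_dir(str(dll)):
        return False
    return _norm(str(dll.parent)) == _norm(str(image.parent))


def scan(lines):
    """Return (label, process, module) findings for side-loads and follow-on loads.

    Once a process has side-loaded a system DLL, every unsigned module it loads
    next is reported too, which is how the second-stage loader would surface.
    """
    findings = []
    suspect_processes = set()
    for line in lines:
        ev = parse_event(line)
        proc = _norm(ev["Image"])
        if is_sideload(ev):
            suspect_processes.add(proc)
            findings.append(("sideload", ev["Image"], ev["ImageLoaded"]))
        elif proc in suspect_processes and ev.get("Signed") == "false":
            findings.append(("follow-on-module", ev["Image"], ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for label, proc, module in scan(SAMPLE_EVENTS):
        print(f"{label}: {proc} loaded {module}")
```

The rule is deliberately path-based rather than hash-based: the host executable is a genuine Microsoft binary, so its hash is clean, and the malicious version.dll can be recompiled at will. What does not change is the structural fact that a Windows DLL was resolved from a user-writable folder next to the executable, which is the signal worth alerting on regardless of which loader family is behind it.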
Once running, Mistic can upload, download, move, rename, and delete files, execute code directly in memory, modify its check-in frequency with the C2 server, and terminate itself and wipe files from the host. It runs payloads entirely in memory with nothing written to disk, and includes a kill switch for self-deletion — features consistent with an operator that wants long-term, low-visibility access.
Cloud security firm Zscaler, which tracks the backdoor as MTLBackdoor, notes it was delivered through a multi-stage ClickFix infection chain in May. One of its most powerful features is the ability to load Beacon Object Files (BOFs) — small C programs that execute in the C2 process memory, leaving no disk footprint. BOFs are commonly associated with Cobalt Strike and post-exploitation tooling.
Both Zscaler and Symantec have published indicators of compromise. The backdoor confirms a broader trend of custom tools being developed by initial access brokers embedded in the ransomware ecosystem.
