A new backdoor called Mistic has been used since April in financially motivated attacks against organizations in the insurance, education, IT and professional services sectors, with researchers linking it to the KongTuke or Woodgnat access broker that sells network access to ransomware groups.
KEY FACTS
- Targets: Insurance, education, IT and professional services organizations
- Link: The malware is associated with KongTuke, an access broker active since at least 2024
- Use: It was deployed after ModeloRAT in at least one incident
- Capabilities: It can upload and download files, run code in memory and delete itself
Symantec said the backdoor is designed for long-term persistence and uses stealth features to stay hidden in compromised networks. In one infection chain, the attack began with MpExtMs.exe loading a malicious DLL named version.dll, which then acted as the loader for Mistic, also tracked as EndpointDlp.dll.
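As an added illustration, not code from the Symantec or Zscaler reports, the check below flags image-load records in which version.dll is loaded from outside the Windows system directories, the side-loading pattern in the MpExtMs.exe chain described above. The event records and file paths are constructed for this example; the field names mirror Sysmon Event ID 7 (Image loaded).

```python
"""Flag suspicious loads of version.dll in Sysmon-style image-load events.

A genuine version.dll is loaded from the Windows system directories. A
copy loaded from anywhere else (for example next to the launching
executable) matches the side-load technique described in the article.
"""
import ntpath

# Directories from which the genuine version.dll is normally loaded.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# DLL names watched for side-loading (assumption: only version.dll here).
WATCHED_DLLS = {"version.dll"}

# Constructed sample of Sysmon Event ID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\EndpointDlp.dll"},
]


def is_sideload(event):
    """Return True if a watched DLL was loaded from outside TRUSTED_DIRS."""
    loaded = event["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name not in WATCHED_DLLS:
        return False
    loaded_dir = ntpath.dirname(loaded).lower().rstrip("\\")
    return loaded_dir not in TRUSTED_DIRS


def find_sideloads(events):
    """Return (process image, loaded DLL) pairs for each suspicious load."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload(e)]


if __name__ == "__main__":
    for proc, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT: {proc} loaded {dll} from an untrusted directory")
```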
A separate .NET DLL displays a fake login screen to steal credentials. Once active, the malware communicates with command-and-control servers and can adjust its check-in frequency, execute code received from the server in memory, and terminate itself while deleting files from the host.
The researchers said the backdoor runs payloads in memory with no file written to disk and includes a kill switch. Zscaler, in a technical analysis, said it tracks the malware as MTLBackdoor and saw it delivered in a multi-stage ClickFix infection chain in May.
The report also said Mistic can load Beacon Object Files, or BOFs, which are small programs that run directly in the memory of a command-and-control process. KongTuke has previously used ClickFix and related methods to deliver other payloads, along with tools such as WinPython, Node.js, finger.exe, the fake NexShield browser extension and encrypted loaders.
WHY IT MATTERS
The findings suggest attackers are using custom, low-visibility tools to keep access to corporate networks and support later ransomware activity. The malware’s in-memory execution and self-deletion features can make detection and cleanup more difficult for defenders.