New Stealthy Mistic Backdoor Tied to Ransomware Access Broker KongTuke
The stealthy Mistic backdoor, a newly identified malware component deployed in targeted cyberattacks since April 2026, has been linked to the ransomware access broker KongTuke.
Overview of Mistic and KongTuke
Stealthy Mistic, a recently identified malware component, has been detected in targeted cyberattacks against entities in the insurance, education, IT, and professional services industries. This malicious tool is associated with KongTuke/Woodgnat, an initial access broker active since 2024 that specializes in breaching corporate networks and selling access to ransomware groups such as Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
Attack Chain and Deployment
Security researchers at Symantec report that Mistic has been deployed in intrusions since April 2026. In one instance, it was deployed following the delivery of ModeloRAT, a backdoor linked to KongTuke and distributed via social engineering attacks over Microsoft Teams.
Symantec’s Report
“Mistic is a newly developed backdoor designed for prolonged presence within compromised systems.”
The attack chain begins with the execution of MpExtMs.exe, a legitimate Microsoft utility, which is abused to load a malicious DLL named version.dll. This DLL serves as a loader for the Mistic payload, whose file is named EndpointDlp.dll. The file name mimics Microsoft’s endpoint security tools, helping the payload evade detection.
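The sideload described above leaves a detectable trace: a legitimate Microsoft binary loading a copy of version.dll from outside the Windows system directories, or a DLL with a Microsoft-sounding name that carries no Microsoft signature. The following detection heuristic is an added example, not code from Symantec's or Zscaler's reports; the event dictionaries are constructed samples modelled on Sysmon Event ID 7 fields, and the file paths in them are placeholders.

```python
from pathlib import PureWindowsPath

# Windows directories from which version.dll legitimately loads.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Names taken from the attack chain above: the abused Microsoft host binary,
# the hijacked system DLL name, and the file name given to the Mistic payload.
ABUSED_HOSTS = {"mpextms.exe"}
SYSTEM_DLLS = {"version.dll"}
PAYLOAD_NAMES = {"endpointdlp.dll"}

def _in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path).parent).lower() in SYSTEM_DIRS

def _microsoft_signed(event: dict) -> bool:
    signed = str(event.get("Signed", "false")).lower() == "true"
    return signed and "microsoft" in str(event.get("Signature", "")).lower()

def check_image_load(event: dict) -> list[str]:
    """Return the reasons an image-load event resembles the Mistic sideload (empty = benign)."""
    host = PureWindowsPath(event["Image"]).name.lower()
    dll = PureWindowsPath(event["ImageLoaded"]).name.lower()
    reasons = []
    if host in ABUSED_HOSTS:
        if dll in SYSTEM_DLLS and not _in_system_dir(event["ImageLoaded"]):
            reasons.append(f"{host} loaded {dll} from outside System32: {event['ImageLoaded']}")
        if not _microsoft_signed(event):
            reasons.append(f"{host} loaded a DLL without a Microsoft signature: {dll}")
    if dll in PAYLOAD_NAMES and not _microsoft_signed(event):
        reasons.append(f"{dll} mimics a Microsoft component but is not Microsoft-signed")
    return reasons

def scan(events: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious event's ImageLoaded path to its findings."""
    return {e["ImageLoaded"]: r for e in events if (r := check_image_load(e))}

# Constructed sample events (not real telemetry); field names follow Sysmon Event ID 7.
STAGED_HOST = r"C:\Users\Public\Libs\MpExtMs.exe"  # placeholder staging path
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",  # placeholder legitimate path
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": STAGED_HOST, "ImageLoaded": r"C:\Users\Public\Libs\version.dll", "Signed": "false", "Signature": ""},
    {"Image": STAGED_HOST, "ImageLoaded": r"C:\Users\Public\Libs\EndpointDlp.dll", "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for path, findings in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(findings))
```

The same checks can be pointed at real Sysmon or EDR image-load telemetry by mapping its fields onto the Image, ImageLoaded, Signed and Signature keys used here.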
Key Functionalities of Mistic
Mistic connects to command-and-control (C2) infrastructure and executes commands from attackers. Key functionalities include file manipulation, execution of code in memory, and self-erasure capabilities. The malware operates without writing files to disk, reducing its digital footprint. It also features a kill switch that allows operators to delete traces of its presence.
Zscaler’s Analysis
“Zscaler’s analysis of Mistic, tracked as MTLBackdoor, reveals it was part of a multi-stage ClickFix infection chain in May 2026.”
The malware’s ability to load Beacon Object Files (BOFs) extends its capabilities, allowing it to execute code in memory without leaving disk artifacts. BOFs, commonly used in red team frameworks such as Cobalt Strike, enable post-exploitation activities while evading traditional detection methods.
Security Recommendations
Security teams are advised to monitor for signs of Mistic activity, including unusual network traffic to known C2 domains and unauthorized file modifications. The integration of memory-resident malware and evasion tactics underscores the need for advanced detection strategies, such as behavioral analysis and endpoint detection and response (EDR) solutions.
Organizations must prioritize proactive threat hunting and regular system audits to mitigate risks posed by sophisticated adversaries. Symantec and Zscaler have published indicators of compromise (IOCs) for Mistic/MTLBackdoor, emphasizing its stealth and adaptability.
Additional Threat Actor Tactics
Threat actors associated with KongTuke also employ techniques like obfuscated payloads via finger.exe, fake browser extensions, and encrypted malware components to maintain persistence. The malware leverages legitimate tools such as WinPython and Node.js runtimes, as well as custom loaders like MintsLoader and D3F@ck Loader, to deliver additional payloads.
