A newly detected backdoor, named Mistic, has surfaced in attacks suspected to have financial motives, targeting sectors such as insurance, education, IT, and professional services since April 2026. This stealthy malware, identified by Symantec and Carbon Black, is linked to an initial access broker known as KongTuke, which is associated with several aliases including 404 TDS and Woodgnat.
Link to KongTuke and Operating Mechanisms
The Mistic backdoor, also referred to as MLTBackdoor, is deployed alongside ModeloRAT, a Python-based remote access trojan previously connected to KongTuke. According to cybersecurity experts, Mistic executes payloads in memory without creating disk artifacts and features a self-deletion switch, indicating its design for prolonged, low-profile access.
ModeloRAT was initially detected in January 2026 by Huntress in the context of a ClickFix campaign. This campaign involved a malicious Chrome extension disguised as an ad blocker to crash browsers and execute unauthorized commands under the guise of a security check.
Exploitation Through ClickFix Campaigns
Mistic is delivered through ClickFix campaigns whose lures perform DNS lookups to retrieve subsequent payloads. Microsoft has described this tactic as using DNS as a subtle staging channel. Zscaler ThreatLabz has linked Mistic’s use in ClickFix to ransomware actors seeking initial access for further network penetration.
Recent reports from Broadcom highlight that the malware employs DLL side-loading, using legitimate Microsoft tools to disguise its presence. This enables the backdoor to perform actions such as file manipulation, command execution, and dynamic capability expansion via Beacon Object Files (BOFs).
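The two behaviours described above, DNS lookups used as a payload staging channel and DLL side-loading by legitimate Microsoft binaries, are both visible in ordinary endpoint telemetry. The script below is an added example, not code from the article or from Symantec, Carbon Black, Broadcom or Microsoft; it runs two detection rules over constructed, vendor-neutral DNS-query and image-load events (field names, thresholds, the script-host list, the domain names and file paths are all assumptions, and none of the values are real indicators from the reported campaign):

```python
# Added example (not from the original article or the named vendors): triage of
# constructed endpoint telemetry for two indicators the article describes,
# payload staging via DNS lookups and DLL side-loading by Microsoft-signed binaries.
import math
import ntpath
from collections import Counter

# Interpreters and LOLBins that ClickFix-style lures typically run (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
# Directories where an OS-signed binary is expected to live (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or random-looking DNS labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_indicators(ev: dict) -> list[str]:
    """Reasons a DNS-query event looks like a staging lookup, or [] if benign.

    Alerts only when a script host issued the query AND the query itself carries
    a content signal (TXT type, long label, or high-entropy label), so routine
    lookups from cmd.exe or powershell.exe do not fire on their own.
    """
    image = ntpath.basename(ev["image"]).lower()
    if image not in SCRIPT_HOSTS:
        return []
    labels = ev["query_name"].rstrip(".").split(".")
    longest = max(labels, key=len)
    signals = []
    if ev.get("query_type", "").upper() == "TXT":
        signals.append("TXT record lookup")
    if len(longest) >= 30:
        signals.append(f"long label ({len(longest)} chars)")
    if len(longest) >= 16 and shannon_entropy(longest) >= 3.5:
        signals.append(f"high-entropy label ({shannon_entropy(longest):.2f} bits/char)")
    return [f"query from script host {image}"] + signals if signals else []


def sideload_indicators(ev: dict) -> list[str]:
    """Reasons an image-load event looks like DLL side-loading, or [] if benign.

    Pattern: a Microsoft-signed executable running outside the OS/program
    directories loads a non-Microsoft DLL from its own directory.
    """
    exe = ev["image"].lower()
    dll = ev["loaded_module"].lower()
    exe_dir = ntpath.dirname(exe) + "\\"
    if ev.get("image_signer", "").lower() != "microsoft":
        return []
    if exe_dir.startswith(TRUSTED_DIRS):
        return []
    if ntpath.dirname(dll) + "\\" != exe_dir:
        return []
    if ev.get("module_signer", "").lower() == "microsoft":
        return []
    return [f"Microsoft-signed binary running from {exe_dir}",
            f"loaded {ntpath.basename(dll)} from the same directory",
            f"module signer: {ev.get('module_signer') or 'unsigned'}"]


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the matching rule on each event; return (event id, reasons) for hits."""
    hits = []
    for ev in events:
        reasons = dns_indicators(ev) if ev["kind"] == "dns" else sideload_indicators(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


# Constructed sample telemetry (vendor-neutral field names; not real IoCs).
SAMPLE_EVENTS = [
    {"id": "dns-1", "kind": "dns", "query_type": "TXT",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "query_name": "q7hx2m9vk4lp0ztw3yr8sb5ncd1eju6fga.stage.example.test"},
    {"id": "dns-2", "kind": "dns", "query_type": "A",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "query_name": "www.example.com"},
    {"id": "dns-3", "kind": "dns", "query_type": "A",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "query_name": "update.example.com"},
    {"id": "load-1", "kind": "image_load", "image_signer": "Microsoft",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\signedtool.exe",
     "loaded_module": "C:\\Users\\alice\\AppData\\Local\\Temp\\helper.dll",
     "module_signer": ""},
    {"id": "load-2", "kind": "image_load", "image_signer": "Microsoft",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "loaded_module": "C:\\Windows\\System32\\kernel32.dll",
     "module_signer": "Microsoft"},
    {"id": "load-3", "kind": "image_load", "image_signer": "Example Vendor",
     "image": "C:\\Program Files\\Example Vendor\\app.exe",
     "loaded_module": "C:\\Program Files\\Example Vendor\\plugin.dll",
     "module_signer": ""},
]

if __name__ == "__main__":
    for event_id, reasons in triage(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Run as written, only `dns-1` (a TXT lookup for a long, high-entropy label issued by powershell.exe) and `load-1` (a Microsoft-signed binary in a user's Temp directory loading an unsigned DLL beside it) are reported; the benign browser lookup, the plain A-record lookup from cmd.exe, and the normal OS and third-party loads stay silent. Both rules deliberately require a combination of signals rather than a single one, which is what keeps them usable on real volumes, and the signer fields assume the sensor already records Authenticode results, as most EDR image-load telemetry does.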
Broader Implications and Future Outlook
Symantec and Carbon Black emphasize the opportunistic nature of these attacks, where perpetrators target a broad range of organizations to evaluate potential access sales. KongTuke’s operations, which include a traffic distribution system leveraging compromised websites, continue to evolve. Recent tactics involve phishing via fake Microsoft Teams messages to initiate attacks with ModeloRAT.
The sophistication of Mistic and its association with skilled threat actors like Woodgnat underscore the growing trend of custom tools in ransomware operations. While Mistic appears to be developed by access brokers rather than directly by ransomware groups, it highlights the increasingly complex landscape of cyber threats.
The cybersecurity community remains vigilant, monitoring these developments to mitigate risks and protect targeted industries from future incursions.
