A newly discovered backdoor, known as Mistic, has been targeting corporate systems since April 2026 by masquerading as legitimate Microsoft endpoint security tools. This strategy allows it to operate undetected, granting attackers a discreet presence within compromised networks.
Impact on Various Industries
Industries such as insurance, education, IT, and professional services have been affected by Mistic’s attacks. The method employed by the attackers is opportunistic, targeting a broad range of networks and selecting those that offer the highest value for sale. These access points are then sold to ransomware groups and other cybercriminal organizations, facilitating further unauthorized intrusions into enterprise systems.
Connection to the Woodgnat Group
Security company Symantec has linked Mistic to a financially driven cybercrime group called Woodgnat, also known as KongTuke. In a report shared with Cyber Security News, Symantec’s Threat Hunter Team revealed that Mistic is often deployed alongside ModeloRAT, a remote access tool associated with various cyberattacks. Zscaler, another security firm, had previously documented Mistic, referring to it as MLTBackdoor, while Symantec’s research reinforced its association with Woodgnat’s expanding arsenal.
Advanced Evasion Techniques
Mistic’s ability to remain undetected is largely due to executing entirely in memory, leaving no trace on disk, and to a self-destruct mechanism that erases it when necessary. This evasion makes it challenging for security teams to identify and remove the threat. The backdoor relies on a technique called DLL sideloading, in which a legitimate executable is induced to load a malicious DLL. In these cases, a Microsoft file named MpExtMs.exe was used to load a harmful DLL called EndpointDlp.dll, closely mimicking legitimate security processes.
Further complicating detection, a loader named version.dll redirects execution to the malicious DLL while maintaining the appearance of normal operations. Additionally, a separate .NET DLL acts as a credential stealer, displaying fake login prompts to capture user credentials.
Woodgnat’s Evolving Tactics
Operating since at least May 2024, Woodgnat has continuously refined its tactics. The group exploits WordPress vulnerabilities and injects JavaScript to profile users, employing social engineering tactics to trick individuals into running malicious commands. Their methods have evolved from ClickFix and FileFix to a newer tactic known as CrashFix, which crashes browsers and prompts victims to install malware as a ‘fix’.
Since April 2026, Woodgnat has also used fake IT support chats via Microsoft Teams to persuade users to execute PowerShell commands. This launches a series of scripts that install a portable Python environment and ModeloRAT, allowing attackers to conduct surveillance, harvest credentials, and establish multiple persistence mechanisms. This layered strategy ensures the group remains challenging to eliminate even after detection.
Recommendations for Defense
Security experts advise monitoring for unusual DLL sideloading activities, especially when legitimate Microsoft executables are involved. Organizations should also be vigilant about unusual use of Windows tools like curl.exe and PowerShell outside normal operations. Enhancing endpoint detection to focus on in-memory execution and observing anomalous network behavior are among the recommended defenses against this threat.
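As an added, illustrative example (not code from the article, Symantec, or Zscaler), the following Python applies two of the detection heuristics described above to constructed Sysmon-style image-load records: a DLL carrying a Windows system DLL name (such as version.dll) that is loaded from outside System32/SysWOW64, and a Microsoft-signed process loading a DLL that is not Microsoft-signed from the process's own directory. Field names follow Sysmon Event ID 7 (Image, ImageLoaded, Signed, Signature); the process-signer field is an assumed enrichment from process-creation telemetry, the list of system DLL names is a small assumed sample, and every path and event below is constructed.

```python
"""Heuristic detection of DLL sideloading in image-load telemetry.

Added example, not from the article or the vendors it cites. Two defender-side
heuristics are run over constructed Sysmon-style (Event ID 7) ImageLoad records:
  1. A DLL whose file name matches a Windows system DLL (e.g. version.dll) is
     loaded from a directory other than System32/SysWOW64.
  2. A Microsoft-signed process loads a DLL that is unsigned or not
     Microsoft-signed from the same directory the process runs from.
"""
from dataclasses import dataclass
import ntpath

# Assumed sample of Windows DLL names resolved through the loader's search
# order; version.dll is the one the article names. Not an exhaustive list.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

HIT_SYSTEM_NAME = "system-dll-name-outside-system-dir"
HIT_SIDE_BY_SIDE = "microsoft-process-loads-non-microsoft-dll-from-own-dir"


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str           # Sysmon Image: the process executable
    image_loaded: str    # Sysmon ImageLoaded: the DLL that was mapped
    signed: bool         # Sysmon Signed: whether the DLL carries a signature
    signature: str       # Sysmon Signature: signer name, "" if unsigned
    process_signer: str  # Assumed enrichment from process-creation telemetry


def _dir(path: str) -> str:
    """Normalised (lower-case, no trailing backslash) directory of a Windows path."""
    return ntpath.dirname(path).lower().rstrip("\\")


def classify(ev: ImageLoadEvent) -> list:
    """Return the names of the heuristics that fire for one event."""
    hits = []
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = _dir(ev.image_loaded)
    exe_dir = _dir(ev.image)
    dll_ms_signed = ev.signed and "microsoft" in ev.signature.lower()
    proc_ms_signed = "microsoft" in ev.process_signer.lower()

    # Heuristic 1: a system DLL name resolved from a non-system directory.
    if dll_name in KNOWN_SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        hits.append(HIT_SYSTEM_NAME)
    # Heuristic 2: Microsoft binary picking up a foreign DLL from beside itself.
    if (proc_ms_signed and dll_dir == exe_dir
            and dll_dir not in SYSTEM_DIRS and not dll_ms_signed):
        hits.append(HIT_SIDE_BY_SIDE)
    return hits


def find_sideloading(events) -> dict:
    """Map each suspicious loaded DLL path to the heuristics it triggered."""
    findings = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            findings[ev.image_loaded] = hits
    return findings


# Constructed sample records: one benign Windows load, two loads by a Microsoft
# executable copied to a user-writable directory, and one benign third-party app.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\version.dll",
                   True, "Microsoft Windows", "Microsoft Windows"),
    ImageLoadEvent(r"C:\Users\Public\Libs\MpExtMs.exe",
                   r"C:\Users\Public\Libs\version.dll",
                   False, "", "Microsoft Windows"),
    ImageLoadEvent(r"C:\Users\Public\Libs\MpExtMs.exe",
                   r"C:\Users\Public\Libs\EndpointDlp.dll",
                   False, "", "Microsoft Windows"),
    ImageLoadEvent(r"C:\Program Files\Vendor\app.exe",
                   r"C:\Program Files\Vendor\helper.dll",
                   True, "Vendor Inc", "Vendor Inc"),
]

if __name__ == "__main__":
    for path, hits in find_sideloading(SAMPLE_EVENTS).items():
        print(f"{path}: {', '.join(hits)}")
```

Both heuristics are deliberately narrow so they stay quiet on ordinary software: the third-party application loading its own vendor-signed helper produces no finding, while the Microsoft executable loading unsigned DLLs from a user-writable directory does. In production the DLL name list and the set of trusted directories would be baselined from the estate rather than hard-coded, and a hit would be enriched with the process command line and network activity before escalation.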
Security teams are urged to remain alert to the evolving tactics of cybercriminals and adapt their defenses accordingly, ensuring they can effectively respond to and mitigate threats like the Mistic backdoor.
