New stealth backdoor targets multiple sectors in cyberattacks

Summary
– A new backdoor named Mistic, active since April 2026, has targeted organizations in insurance, education, IT, and professional services sectors.
– Mistic is linked to the financially motivated initial access broker Woodgnat, which sells remote access to ransomware affiliates.
– The backdoor is stealthily loaded via a legitimate file (MpExtMs.exe) and a DLL named EndpointDlp.dll to blend in with trusted software.
– Mistic’s capabilities include file operations, in-memory code execution, and a self-removal kill switch, enabling long-term stealthy access.
– Attackers also deployed ModeloRAT and used legitimate tools like Curl, PowerShell, and WMIC to further compromise systems.

A stealthy new backdoor known as Mistic has been actively deployed in cyberattacks since April 2026, targeting the insurance, education, IT, and professional services sectors, according to Symantec researchers.
The malware is linked to Woodgnat, also tracked as KongTuke, a financially motivated initial access broker (IAB) that has been active since at least May 2024. Woodgnat has been connected to major ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
“Woodgnat reportedly functions primarily as an IAB. Its goal is not to deliver the final payload, but to establish highly durable remote access within an enterprise and sell this high-level access to ransomware affiliates and other attackers for a fee,” the researchers explained.
Earlier this month, Zscaler documented the same backdoor under the name MLTBackdoor.
In one observed intrusion, Mistic was deployed alongside ModeloRAT, a Python-based remote access trojan developed by Woodgnat. Huntress first reported on ModeloRAT in January 2026 during an investigation into a ClickFix campaign called CrashFix. That campaign used a malicious Chrome extension named NexShield, disguised as an ad blocker, to intentionally crash victims’ browsers and trick them into running PowerShell commands that ultimately delivered ModeloRAT.
“Mistic was side-loaded through MpExtMs.exe, a legitimate file, and loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software,” researchers noted.
Attackers also loaded a .NET DLL on the victim network that displayed a fake login screen to steal credentials entered by users.
Once installed, Mistic communicates with its command-and-control (C2) infrastructure and awaits instructions from the operator. Its capabilities include uploading, downloading, moving, renaming, and deleting files, creating folders, adjusting how frequently it checks for commands, executing code received from the C2 server directly in memory, and terminating and removing itself from an infected system.
“The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term access for attackers,” the researchers added.
Beyond Mistic and ModeloRAT, attackers used several legitimate tools including Curl, Reg.exe, Net.exe, PowerShell, Certutil, and WMIC (Windows Management Instrumentation). These utilities can download files, execute commands, modify the Windows registry, gather system information, and interact with remote hosts.
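A defender-side check for the two behaviours described above, the side-loading of EndpointDlp.dll by MpExtMs.exe and the follow-on use of built-in Windows utilities, as an added example that is not Symantec's or Help Net Security's code. The Sysmon-style key=value records, file paths and Signed values are constructed for illustration and are not the published IOCs.

```python
"""Flag DLL side-loading (a trusted-looking host exe loading a DLL from a
non-standard, co-located or unsigned location) and LOLBin children of that host."""
import re

# Constructed Sysmon-style image-load records (Event ID 7); not real telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\ProgramData\\Sync\\MpExtMs.exe ImageLoaded=C:\\ProgramData\\Sync\\EndpointDlp.dll Signed=false',
    'Image=C:\\Program Files\\Windows Defender\\MpCmdRun.exe ImageLoaded=C:\\Program Files\\Windows Defender\\MpClient.dll Signed=true',
    'Image=C:\\Users\\bob\\AppData\\Local\\Temp\\MpExtMs.exe ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\EndpointDlp.dll Signed=true',
]
# Constructed process-creation records (Event ID 1); parent/child only.
SAMPLE_PROC_EVENTS = [
    'ParentImage=C:\\ProgramData\\Sync\\MpExtMs.exe Image=C:\\Windows\\System32\\certutil.exe',
    'ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe',
]

TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\')
SIDELOAD_PAIRS = {('mpextms.exe', 'endpointdlp.dll')}          # host exe -> DLL name from the report
LOLBINS = {'curl.exe', 'certutil.exe', 'wmic.exe', 'powershell.exe', 'reg.exe', 'net.exe'}

def parse_event(line):
    """Split 'Key=value Key2=value' into a dict; values may contain spaces."""
    return dict(re.findall(r'(\w+)=(.*?)(?= \w+=|$)', line))

def basename(path):
    return path.rsplit('\\', 1)[-1].lower()

def dirname(path):
    return path.rsplit('\\', 1)[0].lower() + '\\'

def sideload_findings(events):
    """Return one finding per suspicious load of a known side-load pair."""
    findings = []
    for ev in map(parse_event, events):
        exe, dll = ev['Image'], ev['ImageLoaded']
        if (basename(exe), basename(dll)) not in SIDELOAD_PAIRS:
            continue
        reasons = []
        if not dirname(dll).startswith(TRUSTED_ROOTS):
            reasons.append('dll outside trusted root')
        if dirname(exe) == dirname(dll):
            reasons.append('dll co-located with host exe')
        if ev.get('Signed', 'false').lower() != 'true':
            reasons.append('unsigned dll')
        if reasons:
            findings.append({'exe': exe, 'dll': dll, 'reasons': reasons})
    return findings

def lolbin_children(events, host='mpextms.exe'):
    """List built-in utilities spawned directly by the side-loading host process."""
    return [ev['Image'] for ev in map(parse_event, events)
            if basename(ev['ParentImage']) == host and basename(ev['Image']) in LOLBINS]
```

The second sample load (Defender's own MpClient.dll from Program Files) is deliberately left unflagged, so the check keys on location and signing, not on the DLL name alone.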
Woodgnat’s victim selection is “largely opportunistic,” Symantec said, adding that the group’s geographic location remains unknown.
Symantec has published a list of indicators of compromise (IOCs) for Mistic, including malicious files and IP addresses used in the recent Woodgnat attacks.
(Source: Help Net Security)