Mistic backdoor links KongTuke to stealth ransomware access

Mistic backdoor – A stealthy backdoor called Mistic has been observed in financially motivated intrusions since April, with researchers tying its activity to KongTuke/Woodgnat, an initial access broker that compromises corporate networks and sells that access to ransomware groups.
For the victims, the danger wasn’t a dramatic “smash and grab.” It was something quieter: a backdoor designed to settle in, stay, and keep working long after the initial break-in.
Researchers at cybersecurity company Symantec have observed a new backdoor dubbed Mistic in financially motivated attacks targeting organizations in the insurance, education, IT, and professional services sectors. Symantec says Mistic has been used in intrusions since April and, in at least one incident, it was deployed shortly after ModeloRAT, a backdoor attributed to KongTuke.
KongTuke/Woodgnat is an initial access broker active since at least 2024. The business model is straightforward and brutal: compromise corporate networks, then sell that access to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
In one reported sequence, ModeloRAT arrived through social engineering attacks over Microsoft Teams. Soon after that, Mistic showed up—suggesting a handoff from “get in” to “stay in” inside the same compromised environment.
Symantec’s description of how Mistic works is built around stealth. The infection begins with the launch of a legitimate executable, MpExtMs.exe, which side-loads a malicious DLL named version.dll. Side-loading works because Windows resolves many DLL imports by name and searches the executable’s own directory before the system directory, so a version.dll dropped next to MpExtMs.exe is loaded in place of the legitimate copy in System32. That DLL acts as the loader of Mistic itself (EndpointDlp.dll).
The filename chosen for the backdoor matters. Symantec notes that Mistic’s DLL name resembles Microsoft endpoint security tooling, a tactic that can help the malware blend in with software the host already trusts.
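The two tells in that chain, a system DLL such as version.dll loaded from a user-writable directory next to its host executable, and an unsigned DLL whose name mimics Microsoft security tooling, can both be hunted in endpoint image-load telemetry. The script below is an added example written for this page, not Symantec’s or Zscaler’s code; it runs over constructed records shaped like Sysmon Event ID 7 (ImageLoaded) fields, and the list of side-loading targets and lookalike names is an assumption you should extend with your own intelligence.

```python
"""Hunt for the DLL side-loading pattern described above in Sysmon-style
ImageLoaded records. Example code for this page, not vendor tooling."""
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Directories from which Windows legitimately serves version.dll.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# DLLs shipped in System32 that are common side-loading targets. The article
# names only version.dll; extending this set is an assumption of this example.
SYSTEM_DLLS = {"version.dll"}
# Names resembling Microsoft endpoint security components. EndpointDlp.dll is
# the name Symantec reports; the rule itself is this example's assumption.
LOOKALIKE_DLLS = {"endpointdlp.dll"}

# Constructed sample events (not real telemetry): one benign load of the real
# version.dll, then the two loads that make up the chain in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Foo\foo.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\EndpointDlp.dll",
     "Signed": "false", "Signature": ""},
]


def is_microsoft_signed(ev):
    """True only when the module carries a valid Microsoft signature."""
    return (ev.get("Signed", "").lower() == "true"
            and "microsoft" in ev.get("Signature", "").lower())


def check_image_load(ev):
    """Return a list of (rule, detail) findings for one ImageLoaded event."""
    findings = []
    dll = ntpath.basename(ev["ImageLoaded"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    exe_dir = ntpath.dirname(ev["Image"]).lower()

    # Rule 1: a DLL Windows ships in System32 was resolved from somewhere else.
    if dll in SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        findings.append(("system_dll_outside_system_dir",
                         f"{dll} loaded from {dll_dir}"))
        # Rule 1b: it sits beside the host EXE, the classic side-load layout.
        if dll_dir == exe_dir:
            findings.append(("dll_colocated_with_host_exe",
                             f"{dll} sits next to {ev['Image']}"))

    # Rule 2: a security-tooling lookalike name without a Microsoft signature.
    if dll in LOOKALIKE_DLLS and not is_microsoft_signed(ev):
        findings.append(("unsigned_security_lookalike",
                         f"{dll} is not Microsoft-signed"))
    return findings


def hunt(events):
    """Map each offending host executable to its findings; benign loads are dropped."""
    hits = {}
    for ev in events:
        found = check_image_load(ev)
        if found:
            hits.setdefault(ev["Image"], []).extend(found)
    return hits


if __name__ == "__main__":
    for image, findings in hunt(SAMPLE_EVENTS).items():
        print(image)
        for rule, detail in findings:
            print(f"  [{rule}] {detail}")
```

On the constructed sample only the MpExtMs.exe process is reported, with three findings; the benign load of the real version.dll from System32 produces none. Feed it real Sysmon exports by mapping your fields onto the same four keys, and remember that the lookalike rule is name-based, so a renamed copy of the loader slips past it while the side-loading rules still fire.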
A separate .NET DLL is also loaded. It displays a fake login screen to the victim—designed to steal account credentials. Once loaded, Mistic connects to command-and-control infrastructure and can receive commands from the operator.
Symantec lists capabilities that sound less like a one-time implant and more like a persistent remote tool:
– Upload, download, move, rename and delete files, and create folders
– Modify how frequently Mistic checks for commands from the command-and-control (C2) server
– Execute code received from the C2 directly in memory
– Terminate itself and delete files from the host.
In Symantec’s view, the design is aimed at long-term access with minimal visibility. Payloads received from the C2 are executed in memory with nothing written to disk, and a kill switch lets the operator remove the backdoor and its files from the host on demand.
Symantec doesn’t provide details on how the infection begins beyond its observed behavior in these intrusions. But KongTuke has been known to use ClickFix, along with FileFix and CrashFix variants, to deliver ModeloRAT malware since early 2025.
That brings the timeline into sharper focus through another set of findings. In a technical report this week, cloud security company Zscaler says Mistic—tracked by Zscaler as MTLBackdoor—was delivered as a payload in a multi-stage ClickFix infection chain in May.
Zscaler points to a capability that helps explain why tools like this can be so hard to stop once they’re installed. Researchers say that one of the most powerful features of MTLBackdoor is the ability to load Beacon Object Files (BOFs) to expand its capabilities. BOFs are small compiled C object files that the implant maps and runs directly inside its own process memory, the same process that holds the command-and-control (C2) connection, leaving no footprint on disk and evading security agents that rely on scanning files. Zscaler notes that BOFs are common in red team products such as Cobalt Strike for post-exploitation.
Taken together, Symantec believes Mistic confirms a broader trend: custom tools being used in ransomware attacks. The tool’s origin, however, appears tightly bound to the ransomware-access marketplace. Symantec’s assessment is that Mistic was developed by an initial access broker closely connected to the ransomware scene.
KongTuke, the broker behind this activity, has used a range of tools and techniques beyond the backdoors themselves. The list includes legitimate WinPython and Node.js runtimes to execute malicious code, finger.exe to retrieve obfuscated payloads, the fake NexShield browser extension, the encrypted GateKeeper .NET payload, and loader malware including MintsLoader and D3F@ck Loader to deliver additional payloads.
Both Zscaler and Symantec provide indicators of compromise for Mistic/MTLBackdoor and describe it as a stealthy tool that can expand its functionality. For security teams, the message is the same even when the malware names change: once an initial access broker gets the door open, the real work often begins after the first wave, quietly, in memory, and with an exit switch ready if the operator needs to vanish.
So it’s just like a backdoor that gets in and hides? Great.
Wait, Mistic is tied to some “broker” that sells access to ransomware groups? Sounds like middle schoolers passing around logins tbh. Also insurance and schools?? that’s a nightmare.
If it showed up after ModeloRAT via Microsoft Teams, then Teams is basically hacked forever now right? Like once one thing lands in the network it just magically keeps going? I’m not saying it’s aliens but… this feels like the company just needs to delete Teams and done.
“MpExtMs.exe” and “version.dll”?? That name sounding like legit Windows stuff is crazy. The fake login screen to steal credentials is the part that makes me mad, because it’s always the same trick. I don’t get why they need the broker thing though—can’t ransomware groups just hack directly? Seems like somebody’s getting paid twice.