KongTuke: Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs

New Self-Destructing Backdoor "Mistic" Linked to Ransomware Access Brokers

Security researchers have identified a novel self-destructing backdoor, dubbed Mistic (also tracked as MLTBackdoor), deployed in cyber intrusions since April. The malware is suspected to be tied to KongTuke (aka Woodgnat), a financially motivated initial access broker (IAB) that compromises corporate networks and sells access to ransomware groups.

According to Zscaler, Symantec, and Carbon Black, Mistic has been used to breach organizations across insurance, education, IT, and professional services. The backdoor is designed for stealthy lateral movement, enabling attackers to maintain persistence while evading detection.

Mistic’s functionality includes file manipulation (upload, download, delete, rename), folder creation, and in-memory execution of remote payloads, which avoids disk-based detection. Once its objectives are complete, the malware self-terminates and deletes itself, further reducing forensic traces.

Researchers found low-confidence links between Mistic and ModeloRAT, a Python-based remote access trojan (RAT) also developed by KongTuke. Previous attacks involving ModeloRAT have been connected to ransomware operations by groups like Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

In one observed attack, Mistic was side-loaded via a legitimate executable (MpExtMs.exe) and a malicious DLL (EndpointDlp.dll), blending into normal system processes. Zscaler also noted its delivery through the ClickFix infection chain, a technique previously associated with KongTuke.

The backdoor’s in-memory execution and self-destruct mechanism make it particularly difficult to detect, allowing attackers to maintain long-term access while minimizing exposure. Its use in ransomware-linked intrusions underscores the growing threat posed by IABs in the cybercriminal ecosystem.
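As an added defensive example (not code from the article or from the vendors it cites), the following Python flags the side-loading layout described above, a legitimate executable loading a DLL from the same untrusted directory, against constructed Sysmon-style image-load events; the trusted-root list and the Temp-folder placement of the MpExtMs.exe / EndpointDlp.dll pair are assumptions of this example.

```python
from pathlib import PureWindowsPath

# Trusted install roots; this list is an assumption of the example, not a vendor rule.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\program files\\", "c:\\program files (x86)\\")

def _dir_of(path: str) -> str:
    """Lower-cased parent directory with a trailing backslash, for prefix checks."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"

def is_trusted(path: str) -> bool:
    """True when the file sits under one of the trusted install roots."""
    return _dir_of(path).startswith(TRUSTED_ROOTS)

def sideload_candidate(event: dict) -> bool:
    """Classic side-loading layout: the process image and the loaded DLL share a
    directory outside the trusted roots, or an untrusted-directory DLL fails its
    signature check. Field names follow Sysmon Event ID 7 (ImageLoad)."""
    dll = event["ImageLoaded"]
    if is_trusted(dll):
        return False  # DLL from a system/vendor install dir: an ordinary load
    same_dir = _dir_of(event["Image"]) == _dir_of(dll)
    bad_sig = event.get("SignatureStatus", "Valid") != "Valid"
    return same_dir or bad_sig

def find_sideloads(events: list) -> list:
    """Return the paths of loaded DLLs that match the side-loading heuristic."""
    return [e["ImageLoaded"] for e in events if sideload_candidate(e)]

# Constructed sample events (not real telemetry), named after the page's MpExtMs.exe /
# EndpointDlp.dll pairing; the user-writable Temp location is an assumption.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\EndpointDlp.dll",
     "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

Only the Temp-folder pair is flagged; the system DLL and the vendor-directory DLL are treated as ordinary loads.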

Source: https://www.theregister.com/security/2026/06/25/self-destructing-mistic-backdoor-linked-to-access-broker-selling-corporate-footholds-to-ransomware-gangs/5262579

KongTuke TPRM report: https://www.rankiteo.com/company/bleepingcomputer

"id": "ble1782433731",
"linkid": "bleepingcomputer",
"type": "Ransomware",
"date": "6/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Insurance',
                                     'Education',
                                     'IT',
                                     'Professional Services'],
                        'type': 'Organization'}],
 'attack_vector': ['Side-loading via legitimate executable (MpExtMs.exe)',
                   'Malicious DLL (EndpointDlp.dll)',
                   'ClickFix infection chain'],
 'date_detected': 'April',
 'description': 'Security researchers have identified a novel self-destructing '
                'backdoor, dubbed Mistic (also tracked as MLTBackdoor), '
                'deployed in cyber intrusions since April. The malware is '
                'suspected to be tied to KongTuke (aka Woodgnat), a '
                'financially motivated initial access broker (IAB) that '
                'compromises corporate networks and sells access to ransomware '
                'groups. Mistic has been used to breach organizations across '
                'insurance, education, IT, and professional services. The '
                'backdoor is designed for stealthy lateral movement, enabling '
                'attackers to maintain persistence while evading detection. It '
                'includes file manipulation, folder creation, and in-memory '
                'execution of remote payloads, and self-terminates to reduce '
                'forensic traces.',
 'impact': {'operational_impact': 'Stealthy lateral movement and persistence '
                                  'in corporate networks'},
 'initial_access_broker': {'backdoors_established': 'Mistic (MLTBackdoor), '
                                                    'ModeloRAT',
                           'entry_point': ['Side-loading via legitimate '
                                           'executable (MpExtMs.exe)',
                                           'Malicious DLL (EndpointDlp.dll)',
                                           'ClickFix infection chain']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The self-destructing and in-memory execution capabilities '
                    'of Mistic highlight the need for advanced detection '
                    'mechanisms to identify stealthy threats. The role of '
                    'initial access brokers in ransomware operations '
                    'underscores the importance of proactive network '
                    'monitoring and lateral movement restrictions.',
 'motivation': 'Financial gain (Initial Access Broker activity)',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring for '
                                                  'lateral movement, '
                                                  'restrictions on DLL '
                                                  'side-loading, and improved '
                                                  'forensic capabilities for '
                                                  'self-destructing malware.',
                            'root_causes': 'Exploitation of legitimate '
                                           'executables for side-loading '
                                           'malicious DLLs, lack of detection '
                                           'for in-memory malware execution.'},
 'ransomware': {'ransomware_strain': ['Qilin',
                                      'Interlock',
                                      'Rhysida',
                                      'Akira',
                                      '8Base',
                                      'Black Basta']},
 'recommendations': ['Implement advanced threat detection for in-memory '
                     'malware execution.',
                     'Monitor for unusual lateral movement within corporate '
                     'networks.',
                     'Restrict side-loading of DLLs via legitimate '
                     'executables.',
                     'Enhance forensic readiness to detect self-destructing '
                     'malware.',
                     'Collaborate with threat intelligence providers to track '
                     'IAB activities.'],
 'references': [{'source': 'Zscaler'},
                {'source': 'Symantec'},
                {'source': 'Carbon Black'}],
 'threat_actor': 'KongTuke (aka Woodgnat)',
 'title': "New Self-Destructing Backdoor 'Mistic' Linked to Ransomware Access "
          'Brokers',
 'type': 'Backdoor Deployment'}