Interlock, Akira and Black Basta: Woodgnat Hackers Use Mistic RAT to Broker Access for Ransomware Gangs

Interlock, Akira and Black Basta: Woodgnat Hackers Use Mistic RAT to Broker Access for Ransomware Gangs

New Backdoor.Mistic RAT Emerges as Cybercrime Brokers Exploit Corporate Networks

A recently identified remote access Trojan (RAT), dubbed Backdoor.Mistic (or MLTBackdoor by Zscaler), has been deployed by the Woodgnat hacking group since April 2026 to infiltrate corporate networks. Unlike traditional ransomware operators, Woodgnat functions as an initial access broker, compromising systems and selling network access to high-profile ransomware gangs, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Active since May 2024, Woodgnat also tracked as KongTuke targets organizations indiscriminately, with recent victims spanning education, insurance, and IT services. The group employs ModeloRAT alongside Backdoor.Mistic to establish persistent access, often leveraging social engineering to trick employees.

Deceptive Tactics: Browser Hijacks and Fake IT Support

Woodgnat’s latest campaign, CrashFix (early 2026), involves hijacking WordPress sites to display fake technical alerts, freezing browsers and prompting victims to execute malicious commands. Similar schemes ClickFix and FileFix were used in 2025. Since April 2026, the group has also impersonated IT helpdesks via Microsoft Teams, convincing employees to run harmful scripts.

Once executed, a multi-stage PowerShell attack deploys Backdoor.Mistic, which enables file manipulation, fake login screens for credential theft, and network reconnaissance using built-in Windows tools (Net.exe, Reg.exe, Curl). The RAT’s stealth is enhanced by DLL sideloading abusing trusted Windows files to evade detection and fileless execution, running entirely in memory to avoid antivirus scans. A self-destruct mechanism erases traces if detection is suspected.

Cybercrime’s Industrialized Supply Chain

Security firms including Symantec, Carbon Black, Zscaler, and ThaiCert have linked Woodgnat’s infrastructure to a growing trend: initial access brokers specializing in breaching networks for resale. Experts warn that defenders often focus on ransomware payloads while overlooking the upstream access infrastructure, which is the true enabler of attacks.

Roman Sannikov of iCOUNTER emphasized that brokers like Woodgnat operate with consistent command-and-control (C2) patterns, hosting strategies, and handoff mechanisms, making their detection critical for preempting ransomware incidents. Josh Picolet of Team Cymru echoed this, noting that tracking these brokers’ routing, reuse patterns, and access handoffs provides the best opportunity to disrupt attacks before ransomware operators even enter the environment.

The emergence of Backdoor.Mistic underscores the cybercrime ecosystem’s sophistication, where specialized actors monetize access while remaining hidden in plain sight.

Source: https://hackread.com/woodgnat-hackers-mistic-rat-access-ransomware-gangs/

Interlock TPRM report: https://www.rankiteo.com/company/interlock-tech-solutions

Akira TPRM report: https://www.rankiteo.com/company/akira-technologies-inc

Black Basta TPRM report: https://www.rankiteo.com/company/black-&-mcdonald-limited

"id": "intakibla1782505527",
"linkid": "interlock-tech-solutions, akira-technologies-inc, black-&-mcdonald-limited",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Education', 'Insurance', 'IT Services'],
                        'type': 'Organization'}],
 'attack_vector': ['Social Engineering',
                   'Browser Hijacking',
                   'Fake IT Support',
                   'Malicious PowerShell Scripts'],
 'data_breach': {'sensitivity_of_data': 'High (Corporate Network Access)',
                 'type_of_data_compromised': ['Credentials',
                                              'Network Reconnaissance Data']},
 'date_detected': '2026-04',
 'description': 'A recently identified remote access Trojan (RAT), dubbed '
                '*Backdoor.Mistic* (or *MLTBackdoor* by Zscaler), has been '
                'deployed by the *Woodgnat* hacking group since April 2026 to '
                'infiltrate corporate networks. The group functions as an '
                '*initial access broker*, compromising systems and selling '
                'network access to high-profile ransomware gangs. The RAT '
                'enables file manipulation, credential theft, and network '
                'reconnaissance, using stealth techniques like DLL sideloading '
                'and fileless execution.',
 'impact': {'data_compromised': 'Credentials, Network Reconnaissance Data',
            'identity_theft_risk': 'High (Credential Theft)',
            'operational_impact': 'Persistent Network Access for Ransomware '
                                  'Deployment',
            'systems_affected': 'Corporate Networks'},
 'initial_access_broker': {'backdoors_established': ['Backdoor.Mistic',
                                                     'ModeloRAT'],
                           'data_sold_on_dark_web': 'Corporate Network Access',
                           'entry_point': ['Social Engineering',
                                           'Browser Hijacking',
                                           'Fake IT Support']},
 'lessons_learned': 'Defenders often focus on ransomware payloads while '
                    'overlooking upstream access infrastructure, which is '
                    'critical for preempting attacks. Tracking initial access '
                    "brokers' C2 patterns, hosting strategies, and handoff "
                    'mechanisms can disrupt attacks before ransomware '
                    'operators enter the environment.',
 'motivation': 'Financial Gain (Selling Access to Ransomware Gangs)',
 'post_incident_analysis': {'corrective_actions': ['Improve detection of C2 '
                                                   'patterns and access '
                                                   'handoffs',
                                                   'Enhance employee training '
                                                   'on social engineering',
                                                   'Implement network '
                                                   'segmentation and '
                                                   'monitoring'],
                            'root_causes': ['Lack of detection for initial '
                                            'access broker activity',
                                            'Employee susceptibility to social '
                                            'engineering',
                                            'Use of stealth techniques (DLL '
                                            'sideloading, fileless '
                                            'execution)']},
 'recommendations': ['Monitor for initial access broker activity, including C2 '
                     'patterns and access handoffs.',
                     'Enhance detection of DLL sideloading and fileless '
                     'execution techniques.',
                     'Educate employees on social engineering tactics, '
                     'including fake IT support and browser hijacking schemes.',
                     'Implement network segmentation and enhanced monitoring '
                     'to limit lateral movement.'],
 'references': [{'source': 'Zscaler'},
                {'source': 'Symantec'},
                {'source': 'Carbon Black'},
                {'source': 'ThaiCert'},
                {'source': 'iCOUNTER (Roman Sannikov)'},
                {'source': 'Team Cymru (Josh Picolet)'}],
 'threat_actor': 'Woodgnat (also known as KongTuke)',
 'title': 'New Backdoor.Mistic RAT Emerges as Cybercrime Brokers Exploit '
          'Corporate Networks',
 'type': 'Initial Access Broker Activity'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.