New Python-Based RAT and Stealth Backdoor Linked to Ransomware Access Broker Woodgnat
A recent cybersecurity investigation has uncovered a sophisticated campaign involving ModeloRAT, a Python-based remote access trojan (RAT), and Backdoor.Mistic, a newly identified stealth backdoor. Both tools are tied to Woodgnat (also known as KongTuke), an initial access broker (IAB) that facilitates ransomware deployments for multiple threat groups, including Qilin, Rhysida, Akira, 8Base, and Black Basta.
Backdoor.Mistic: Stealth and Persistence
First observed in April 2026 and documented by Zscaler, Backdoor.Mistic is designed for long-term, low-visibility access. It employs DLL sideloading via a legitimate executable (MpExtMs.exe), loading a malicious DLL (EndpointDlp.dll) that mimics Microsoft security components. The backdoor uses API hooking to evade detection, executing payloads in-memory without writing files to disk. Additional evasion tactics include a kill switch for self-deletion and adaptive command-and-control (C2) mechanisms, such as domain generation for non-domain hosts.
Functionally, Mistic supports file manipulation, scheduled command checks, and in-memory execution of C2-delivered code, making it a versatile tool for maintaining covert access. Targets have been opportunistic, spanning insurance, education, IT, and professional services, suggesting the operators prioritize saleable enterprise access over industry-specific attacks.
ModeloRAT: A Hallmark of Woodgnat Activity
ModeloRAT, a long-standing tool in Woodgnat’s arsenal, is typically delivered via a portable WinPython package and executed through signed pythonw.exe. It employs RC4-encrypted C2 communications and multi-path resiliency to maintain persistence. Symantec’s Threat Hunter Team linked ModeloRAT to Qilin ransomware deployments, reinforcing its role in final-stage ransomware operations.
Intrusion Chain and Tradecraft
The observed attack chain combines multiple stages and tools, including:
- A .NET credential stealer with a fake login prompt
- Living-off-the-land binaries (LOLBins) such as curl, reg.exe, net.exe, certutil, WMIC, and PowerShell for reconnaissance and lateral movement
- Loaders like WinPython and Node.exe to host ModeloRAT and other scripts
- Social engineering lures (e.g., ClickFix, FileFix, CrashFix) tricking victims into executing malicious PowerShell commands
- Microsoft Teams helpdesk pretexts coercing victims into running attacker-supplied commands for rapid persistence
Woodgnat’s tradecraft emphasizes evasion, leveraging signed carriers, in-memory execution, redundant persistence mechanisms, and credential theft to establish durable footholds for ransomware affiliates.
Defensive Priorities
Key indicators of compromise (IOCs) include:
- Unexpected loading of EndpointDlp.dll by MpExtMs.exe
- Anomalous in-memory execution activities
- Run-key persistence entries mimicking remote-support tools
- Evidence of WinPython or signed pythonw.exe running unknown scripts
As Woodgnat continues to evolve, tracking its infrastructure and the development of ModeloRAT and Mistic remains critical for defenders combating ransomware-enabled access brokering.
Source: https://gbhackers.com/modelorat-and-mistic-backdoor/
QILIN cybersecurity rating report: https://www.rankiteo.com/company/qilin
Blackstone Technology Group cybersecurity rating report: https://www.rankiteo.com/company/blackstone-technology-group
"id": "QILBLA1782311333",
"linkid": "qilin, blackstone-technology-group",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Insurance',
'Education',
'IT',
'Professional Services']}],
'attack_vector': ['DLL sideloading',
'Social engineering',
'LOLBins',
'In-memory execution'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Credentials',
'Personally Identifiable '
'Information']},
'date_detected': '2026-04',
'description': 'A recent cybersecurity investigation has uncovered a '
'sophisticated campaign involving ModeloRAT, a Python-based '
'remote access trojan (RAT), and Backdoor.Mistic, a newly '
'identified stealth backdoor. Both tools are tied to Woodgnat '
'(also known as KongTuke), an initial access broker (IAB) that '
'facilitates ransomware deployments for multiple threat '
'groups, including Qilin, Rhysida, Akira, 8Base, and Black '
'Basta.',
'impact': {'data_compromised': True, 'identity_theft_risk': True},
'initial_access_broker': {'backdoors_established': ['ModeloRAT',
'Backdoor.Mistic'],
'entry_point': ['DLL sideloading',
'Social engineering']},
'investigation_status': 'Ongoing',
'motivation': ['Financial gain', 'Ransomware deployment'],
'post_incident_analysis': {'root_causes': ['DLL sideloading',
'In-memory execution',
'Credential theft',
'LOLBins abuse']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransomware_strain': ['Qilin',
'Rhysida',
'Akira',
'8Base',
'Black Basta']},
'recommendations': ['Monitor for unexpected loading of EndpointDlp.dll by '
'MpExtMs.exe',
'Detect anomalous in-memory execution activities',
'Check for run-key persistence entries mimicking '
'remote-support tools',
'Investigate WinPython or signed pythonw.exe running '
'unknown scripts'],
'references': [{'source': 'Zscaler'},
{'source': 'Symantec’s Threat Hunter Team'}],
'threat_actor': 'Woodgnat (KongTuke)',
'title': 'New Python-Based RAT and Stealth Backdoor Linked to Ransomware '
'Access Broker Woodgnat',
'type': ['RAT', 'Backdoor', 'Ransomware']}