Qilin and Black Basta: ModeloRAT and Mistic Backdoor Activity Linked to Ransomware Initial Access Broker

Qilin and Black Basta: ModeloRAT and Mistic Backdoor Activity Linked to Ransomware Initial Access Broker

New Python-Based RAT and Stealth Backdoor Linked to Ransomware Access Broker Woodgnat

A recent cybersecurity investigation has uncovered a sophisticated campaign involving ModeloRAT, a Python-based remote access trojan (RAT), and Backdoor.Mistic, a newly identified stealth backdoor. Both tools are tied to Woodgnat (also known as KongTuke), an initial access broker (IAB) that facilitates ransomware deployments for multiple threat groups, including Qilin, Rhysida, Akira, 8Base, and Black Basta.

Backdoor.Mistic: Stealth and Persistence

First observed in April 2026 and documented by Zscaler, Backdoor.Mistic is designed for long-term, low-visibility access. It employs DLL sideloading via a legitimate executable (MpExtMs.exe), loading a malicious DLL (EndpointDlp.dll) that mimics Microsoft security components. The backdoor uses API hooking to evade detection, executing payloads in-memory without writing files to disk. Additional evasion tactics include a kill switch for self-deletion and adaptive command-and-control (C2) mechanisms, such as domain generation for non-domain hosts.

Functionally, Mistic supports file manipulation, scheduled command checks, and in-memory execution of C2-delivered code, making it a versatile tool for maintaining covert access. Targets have been opportunistic, spanning insurance, education, IT, and professional services, suggesting the operators prioritize saleable enterprise access over industry-specific attacks.

ModeloRAT: A Hallmark of Woodgnat Activity

ModeloRAT, a long-standing tool in Woodgnat’s arsenal, is typically delivered via a portable WinPython package and executed through signed pythonw.exe. It employs RC4-encrypted C2 communications and multi-path resiliency to maintain persistence. Symantec’s Threat Hunter Team linked ModeloRAT to Qilin ransomware deployments, reinforcing its role in final-stage ransomware operations.

Intrusion Chain and Tradecraft

The observed attack chain combines multiple stages and tools, including:

  • A .NET credential stealer with a fake login prompt
  • Living-off-the-land binaries (LOLBins) such as curl, reg.exe, net.exe, certutil, WMIC, and PowerShell for reconnaissance and lateral movement
  • Loaders like WinPython and Node.exe to host ModeloRAT and other scripts
  • Social engineering lures (e.g., ClickFix, FileFix, CrashFix) tricking victims into executing malicious PowerShell commands
  • Microsoft Teams helpdesk pretexts coercing victims into running attacker-supplied commands for rapid persistence

Woodgnat’s tradecraft emphasizes evasion, leveraging signed carriers, in-memory execution, redundant persistence mechanisms, and credential theft to establish durable footholds for ransomware affiliates.

Defensive Priorities

Key indicators of compromise (IOCs) include:

  • Unexpected loading of EndpointDlp.dll by MpExtMs.exe
  • Anomalous in-memory execution activities
  • Run-key persistence entries mimicking remote-support tools
  • Evidence of WinPython or signed pythonw.exe running unknown scripts

As Woodgnat continues to evolve, tracking its infrastructure and the development of ModeloRAT and Mistic remains critical for defenders combating ransomware-enabled access brokering.

Source: https://gbhackers.com/modelorat-and-mistic-backdoor/

QILIN cybersecurity rating report: https://www.rankiteo.com/company/qilin

Blackstone Technology Group cybersecurity rating report: https://www.rankiteo.com/company/blackstone-technology-group

"id": "QILBLA1782311333",
"linkid": "qilin, blackstone-technology-group",
"type": "Ransomware",
"date": "4/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': ['Insurance',
                                     'Education',
                                     'IT',
                                     'Professional Services']}],
 'attack_vector': ['DLL sideloading',
                   'Social engineering',
                   'LOLBins',
                   'In-memory execution'],
 'data_breach': {'data_encryption': True,
                 'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Credentials',
                                              'Personally Identifiable '
                                              'Information']},
 'date_detected': '2026-04',
 'description': 'A recent cybersecurity investigation has uncovered a '
                'sophisticated campaign involving ModeloRAT, a Python-based '
                'remote access trojan (RAT), and Backdoor.Mistic, a newly '
                'identified stealth backdoor. Both tools are tied to Woodgnat '
                '(also known as KongTuke), an initial access broker (IAB) that '
                'facilitates ransomware deployments for multiple threat '
                'groups, including Qilin, Rhysida, Akira, 8Base, and Black '
                'Basta.',
 'impact': {'data_compromised': True, 'identity_theft_risk': True},
 'initial_access_broker': {'backdoors_established': ['ModeloRAT',
                                                     'Backdoor.Mistic'],
                           'entry_point': ['DLL sideloading',
                                           'Social engineering']},
 'investigation_status': 'Ongoing',
 'motivation': ['Financial gain', 'Ransomware deployment'],
 'post_incident_analysis': {'root_causes': ['DLL sideloading',
                                            'In-memory execution',
                                            'Credential theft',
                                            'LOLBins abuse']},
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransomware_strain': ['Qilin',
                                      'Rhysida',
                                      'Akira',
                                      '8Base',
                                      'Black Basta']},
 'recommendations': ['Monitor for unexpected loading of EndpointDlp.dll by '
                     'MpExtMs.exe',
                     'Detect anomalous in-memory execution activities',
                     'Check for run-key persistence entries mimicking '
                     'remote-support tools',
                     'Investigate WinPython or signed pythonw.exe running '
                     'unknown scripts'],
 'references': [{'source': 'Zscaler'},
                {'source': 'Symantec’s Threat Hunter Team'}],
 'threat_actor': 'Woodgnat (KongTuke)',
 'title': 'New Python-Based RAT and Stealth Backdoor Linked to Ransomware '
          'Access Broker Woodgnat',
 'type': ['RAT', 'Backdoor', 'Ransomware']}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.