Multiple organizations across sectors including insurance, education, IT, and professional services have been targeted since April 2026 by a new, stealthy backdoor known as Mistic, in what are suspected to be financially motivated attacks.
Also tracked as MLTBackdoor, the backdoor is believed to be associated with an initial access broker (IAB) named KongTuke and is often deployed alongside ModeloRAT, a Python remote access trojan (RAT) previously linked to the same group, according to Symantec and Carbon Black's Threat Hunter Team.
Broadcom's researchers note that the backdoor runs its payloads in memory, leaving no traces on disk, and includes a kill switch that lets it delete itself; both traits point to a design goal of maintaining long-term, discreet access.
ModeloRAT first came to attention in January 2026 during a ClickFix campaign dubbed CrashFix, in which KongTuke actors used a malicious Google Chrome extension posing as an ad blocker to crash victims' browsers and then trick them into running arbitrary commands under the guise of a security scan.
Another ClickFix campaign distributing the malware had victims run a command that performed a Domain Name System (DNS) lookup to fetch the next-stage payload; Microsoft described this use of DNS as a “lightweight staging or signaling channel” in the attack chain.
Zscaler ThreatLabz recently highlighted Mistic’s use of ClickFix as a delivery mechanism, attributing it to a ransomware-related threat actor aiming to establish a foothold for lateral movement.
Recent findings from Broadcom reveal that the backdoor relies on DLL side-loading: its malicious DLL is placed alongside a trusted, signed Microsoft endpoint security binary (“MpExtMs.exe”) so that the legitimate process loads it, letting the malware blend in and evade detection. Once running, Mistic supports the functions typical of backdoors of this kind:
- Uploading or downloading files
- Moving, renaming, or deleting files
- Creating folders
- Adjusting the time interval for polling a remote server for commands
- Executing code received from the command-and-control (C2) server in memory, without writing it to disk
- Loading Beacon Object Files (BOFs) to extend its capabilities at runtime
- Terminating and deleting itself
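Two of the behaviours above are directly huntable in endpoint telemetry: the ClickFix step that has a user run a DNS lookup to fetch the next stage, and a trusted Defender binary (MpExtMs.exe) being executed from somewhere other than its install directory, which is what DLL side-loading requires. The following is an added example written for this page, not code from Symantec, Carbon Black or Broadcom. It runs simple detection logic over constructed, Sysmon-like process-creation (Event 1) and image-load (Event 7) records. The Defender install paths, the assumption that the ClickFix lookup is a TXT query, and the DLL name `helper.dll` are all assumptions made for the example.

```python
"""Hunt for two Mistic-related behaviours in Sysmon-style events:
 1. a DNS TXT lookup launched from an interactive parent (ClickFix staging)
 2. MpExtMs.exe running, and loading a DLL, outside its expected install dirs
Added example; events, paths and DLL names are constructed for illustration."""
import re
from pathlib import PureWindowsPath

# Assumed legitimate locations of Defender platform binaries (heuristic).
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Command-line shapes that turn a pasted one-liner into a DNS TXT fetch.
# The page only says "a DNS lookup"; TXT is this example's assumption.
DNS_TXT_PATTERNS = [
    re.compile(r"\bnslookup\b.*-(?:type|q|querytype)=txt\b", re.I),
    re.compile(r"\bresolve-dnsname\b.*-type\s+txt\b", re.I),
]

# Parents that imply a human pasted the command (Win+R runs under explorer).
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def is_dns_txt_staging(event: dict) -> bool:
    """Event 1: DNS TXT lookup spawned from an interactive parent."""
    cmd = event.get("CommandLine", "")
    if not any(p.search(cmd) for p in DNS_TXT_PATTERNS):
        return False
    return _name(event.get("ParentImage", "")) in INTERACTIVE_PARENTS


def is_relocated_defender_binary(event: dict) -> bool:
    """Event 1: MpExtMs.exe started from outside its expected directories."""
    image = event.get("Image", "")
    if _name(image) != "mpextms.exe":
        return False
    return not _dir(image).startswith(DEFENDER_DIRS)


def is_sideloaded_dll(event: dict) -> bool:
    """Event 7: MpExtMs.exe (running from a non-Defender directory) loads a
    DLL that sits in that same directory, the classic side-loading shape."""
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if _name(image) != "mpextms.exe" or not loaded.lower().endswith(".dll"):
        return False
    exe_dir = _dir(image)
    return _dir(loaded) == exe_dir and not exe_dir.startswith(DEFENDER_DIRS)


def hunt(events):
    """Return (rule, artifact) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            if is_dns_txt_staging(ev):
                hits.append(("dns_txt_staging", ev["Image"]))
            if is_relocated_defender_binary(ev):
                hits.append(("relocated_defender_binary", ev["Image"]))
        elif ev.get("EventID") == 7 and is_sideloaded_dll(ev):
            hits.append(("dll_sideload", ev["ImageLoaded"]))
    return hits


# Constructed sample telemetry (not real Mistic artifacts).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=txt example.invalid",
     "ParentImage": r"C:\Windows\explorer.exe"},               # ClickFix-style
    {"EventID": 1, "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=txt example.invalid",
     "ParentImage": r"C:\Program Files\monitoring\agent.exe"},  # benign agent
    {"EventID": 1,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpExtMs.exe",
     "CommandLine": "MpExtMs.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\MpExtMs.exe",
     "CommandLine": "MpExtMs.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\helper.dll"},  # hypothetical DLL
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},       # normal system DLL
]

if __name__ == "__main__":
    for rule, artifact in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {artifact}")
```

The relocation check is the higher-signal of the two: a signed Defender binary has no business starting from a user-writable directory, and pairing it with an image-load event from the same directory is what distinguishes side-loading from a merely misplaced copy. The DNS rule will also fire on administrators who paste TXT lookups into the Run dialog, so treat it as a triage lead rather than a standalone alert.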
According to Symantec and Carbon Black, the attackers behind Mistic and ModeloRAT appear to cast a wide net, focusing on selling access to whichever organizations they compromise rather than homing in on a specific sector. ModeloRAT has been observed in attacks involving Qilin ransomware.
KongTuke is known for operating a traffic distribution system (TDS) built on compromised WordPress sites, using a variety of lures to steer unsuspecting visitors to malware. More recently, the threat actor has also been observed sending Microsoft Teams messages from a fake IT support account to start an attack chain that ends in ModeloRAT deployment.
Broadcom also points to the backdoor's stealth, and to the possible involvement of Woodgnat in developing ModeloRAT, as signs of a skilled group adept at building covert remote access tools.
The use of custom tools in ransomware attacks is becoming increasingly common, with various ransomware groups adopting their own exfiltration and other utilities. Backdoor.Mistic appears to fit this trend, and was likely developed by access brokers working with ransomware affiliates rather than by a ransomware group itself.