Mallory
Malware · Ransomware · Used by 2 actors

GateKeeper

GateKeeper is an encrypted .NET payload associated with the financially motivated threat actor KongTuke, also tracked as Woodgnat. The available reporting describes it as a .NET payload with layered encryption, extensive anti-analysis logic, and victim-fingerprinting functionality. Huntress reported that in a January 2026 KongTuke campaign, GateKeeper appeared in the infection path used for non-domain-joined hosts, after a ClickFix/CrashFix-style social-engineering chain involving a malicious NexShield browser extension, clipboard-staged PowerShell, and abuse of finger.exe as a LOLBin. In that reporting, the GateKeeper branch was part of a more heavily obfuscated, DGA-driven chain that also used AMSI bypasses and was designed to withhold payloads from sandboxes; during analysis, one branch returned the string "TEST PAYLOAD!!!!", suggesting testing or a staged rollout. GateKeeper has also been listed among other KongTuke tooling alongside WinPython, Node.js, finger.exe, the fake NexShield browser extension, MintsLoader, and D3F@ck Loader. The high-confidence details in the available reporting do not establish additional payload capabilities, persistence mechanisms, or specific indicators of compromise for GateKeeper beyond its role as an encrypted .NET payload with anti-analysis and fingerprinting behavior.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

KongTuke

KongTuke has also been seen using a wider kit, including WinPython, Node.js, finger.exe, a fake NexShield browser extension, the encrypted GateKeeper .NET payload, and loaders like MintsLoader and D3F@ck Loader.

via Security Affairs (securityaffairs.com)
Woodgnat

KongTuke has also been seen using a wider kit, including WinPython, Node.js, finger.exe, a fake NexShield browser extension, the encrypted GateKeeper .NET payload, and loaders like MintsLoader and D3F@ck Loader.

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1059.001 PowerShell (evidence: 1)

In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment and launches the ModeloRAT Python scripts.

T1204 User Execution (evidence: 1)

ClickFix... fake error or fake CAPTCHA tests to trick users into pasting malicious scripts into the Windows Run dialog... FileFix... manually pasting and executing malicious commands... CrashFix... trick them into manually executing code... In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command.
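The two Execution entries above, together with the family description, name two host-level observables a defender can look for without any family-specific IOCs: finger.exe running as a LOLBin, and a pasted PowerShell one-liner launched from the Run dialog (which surfaces as explorer.exe spawning PowerShell). The following is an added example, not Mallory's, Huntress's, or KongTuke-related code; the event schema (parent_image, image, command_line), the marker list, and the sample telemetry are all constructed for the example and must be mapped to your own EDR or Sysmon field names before use.

```python
# Added example (not Mallory's or Huntress's code): a heuristic scan over constructed
# process-creation events for two observables named on this page: finger.exe running as a
# LOLBin, and clipboard-staged PowerShell launched from the Run dialog (explorer.exe parent).
# The event schema below is an assumption made for this example.
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Substrings typical of a pasted one-liner: hidden window, no profile, encoded command,
# or a download-and-execute cradle. Matched case-insensitively against the command line.
ONELINER_MARKERS = ("-enc", "-ec ", "-w hidden", "-windowstyle hidden", "-nop", "-noni",
                    "iex", "invoke-expression", "downloadstring", "irm ", "iwr ",
                    "invoke-restmethod", "invoke-webrequest")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the heuristics an event trips (empty list if none)."""
    findings: list[str] = []
    image, parent = basename(ev.image), basename(ev.parent_image)
    cl = ev.command_line.lower()

    # finger.exe is a legacy client with almost no legitimate use on modern hosts; any
    # execution is worth triage, and a shell parent is a stronger signal.
    if image == "finger.exe":
        findings.append("finger_exe_from_shell" if parent in SHELLS else "finger_exe_execution")

    # A command pasted into the Run dialog shows up as explorer.exe spawning PowerShell.
    # Interactive launches from explorer.exe are common, so also require one-liner markers.
    if image in POWERSHELL and parent == "explorer.exe":
        if any(marker in cl for marker in ONELINER_MARKERS):
            findings.append("explorer_spawned_powershell_oneliner")
    return findings


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that tripped at least one heuristic."""
    hits: dict[int, list[str]] = {}
    for i, ev in enumerate(events):
        findings = classify(ev)
        if findings:
            hits[i] = findings
    return hits


# Constructed sample telemetry (not from any real incident); values are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -nop -enc PLACEHOLDER_BASE64"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\finger.exe", "finger.exe user@host.invalid"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # plain interactive launch, no markers
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe",
              "svchost.exe -k netsvcs"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].command_line, "->", ", ".join(findings))
```

On the sample set only the first two events trip a heuristic. The marker list is deliberately short and substring-based, so expect false positives from admin tooling that legitimately uses encoded commands or web cradles; tune the list, or require two markers, against a baseline from your own telemetry before alerting on it.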

Stealth

2 techniques
T1497 Virtualization/Sandbox Evasion (evidence: 2)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts.

T1497.001 System Checks (evidence: 1)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.

Discovery

2 techniques
T1497 Virtualization/Sandbox Evasion (evidence: 2)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts.

T1497.001 System Checks (evidence: 1)

Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (2)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (4)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.