Backdoor.Mistic

They hijack normal WordPress websites to push fake technical alerts. In a recent tactic from early 2026 called CrashFix, they purposely froze a victim’s web browser and displayed a message telling them to copy-paste a command to fix the issue.

From April 2026, they have also started messaging staff directly on Microsoft Teams, posing as the company’s IT helpdesk to lure workers into running malicious commands.

Mistic provides attackers with typical capabilities, including ... code execution.

Once an employee falls for the trick, a multi-stage PowerShell chain downloads the malware.

they purposely froze a victim’s web browser and displayed a message telling them to copy-paste a command to fix the issue... started messaging staff directly on Microsoft Teams, posing as the company’s IT helpdesk to lure workers into running malicious commands.

A loader (version.dll) hooks GetModuleFileNameW and LoadLibraryW. The GetModuleFileNameW hook makes sure that the path mpextms.exe is pointed to the legitimate location of mpextms.exe. The LoadLibraryW hook makes sure it loads the malicious EndpointDlp.dll, which is Backdoor.Mistic.

loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software... Persistence is established through several redundant mechanisms, including Run-key entries that masquerade as legitimate remote-access software, using names such as AnyDesk, Splashtop and Comms.

If the scammers think they may get caught, they use a built-in kill switch to make the malware delete itself instantly.

A loader (version.dll) hooks GetModuleFileNameW and LoadLibraryW. The GetModuleFileNameW hook makes sure that the path mpextms.exe is pointed to the legitimate location of mpextms.exe. The LoadLibraryW hook makes sure it loads the malicious EndpointDlp.dll, which is Backdoor.Mistic.

The backdoor runs payloads in memory with no file written to disk... Execute code from C2 in memory (no file saved on the disk).

A .NET DLL is also loaded on the victim network. This is a credential stealer that displays a fake login screen.

Afterward, they use built-in Windows tools like Net.exe and Reg.exe to map out the network

The hackers install Backdoor.Mistic, which lets them manage files

A .NET DLL is also loaded on the victim network. This is a credential stealer that displays a fake login screen.

The backdoor can run remote payloads directly in memory... Upload/download a file... Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment... Finger.exe... retrieve obfuscated payloads.

Afterward, they use built-in Windows tools like Net.exe and Reg.exe to map out the network, and Curl to transfer data out.