Mallory
Tags: Malware, Ransomware. Used by 2 actors.

Mistic

Mistic is a stealthy backdoor, also tracked as MLTBackdoor, that has been used since April 2026 in financially motivated intrusions targeting organizations in the insurance, education, IT, and professional services sectors. Reporting links it with low confidence to the initial access broker KongTuke, also known as Woodgnat, a criminal actor assessed to compromise enterprise networks and sell that access to ransomware operators. KongTuke-linked access has been associated with ransomware ecosystems including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Observed delivery and execution involved DLL sideloading through the legitimate Microsoft executable MpExtMs.exe. In reported cases, a malicious loader DLL named version.dll loaded the Mistic payload from EndpointDlp.dll, a filename chosen to resemble Microsoft endpoint-security tooling. Separate intrusions also included a .NET DLL that displayed a fake login screen to steal credentials. Zscaler documented the malware earlier in June 2026 under the name MLTBackdoor and observed delivery through a multi-stage ClickFix infection chain.

Mistic provides standard backdoor functionality including upload, download, move, rename, and delete operations on files, folder creation, configurable command-and-control check-in intervals, and retrieval of additional commands from attacker-controlled infrastructure. It can execute payloads or code received from command-and-control directly in memory, avoiding disk writes and reducing file-based detection opportunities. Multiple reports also state that it can load Beacon Object Files to extend functionality in memory. A built-in kill switch allows the malware to terminate and delete itself from the infected host, further increasing stealth and making it suitable for long-term covert access.

Mistic has been observed alongside ModeloRAT, another KongTuke/Woodgnat-linked remote access tool, and the broader activity has been described as opportunistic targeting consistent with an initial access broker model rather than direct ransomware deployment by the same operator. Reported indicators of compromise include EndpointDlp.dll SHA-256 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984, loader version.dll SHA-256 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712, IPs 142.93.242.144, 144.31.53.78, 198.13.159.44, and 199.91.221.42, domains authorized-logins.net, thomphon.com, updater-worelos.com, upd-domain-goloro.com, upscale-kolo.com, and sql-updater-service.com, and the delivery URL hxxp://thomphon.com/update.msi.
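As an added defender-side example (not code from the Mallory page or from any of the vendor reports it cites), the Python below triages Sysmon Event ID 7 image-load records for the MpExtMs.exe sideloading pattern described above and looks up the two SHA-256 values quoted in the write-up. The event records are constructed sample data, and the rule that a DLL loaded from outside the Windows system directories is suspect is an assumption of the example.

```python
# Added example, not code from the Mallory page or any vendor report: triage of Sysmon
# Event ID 7 (Image Loaded) records for MpExtMs.exe sideloading; sample events are constructed.
from pathlib import PureWindowsPath

KNOWN_BAD_SHA256 = {  # SHA-256 values quoted in the write-up above
    "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984": "EndpointDlp.dll (Mistic payload)",
    "59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712": "version.dll (loader)",
}
SIDELOAD_HOST = "mpextms.exe"
SUSPECT_DLLS = {"version.dll", "endpointdlp.dll"}
# Assumption: copies under the Windows system directories are the legitimate DLLs.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def sha256_from_hashes(field):
    """Sysmon packs hashes as 'MD5=...,SHA256=...'; return the SHA-256 lowercased."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""

def triage_image_load(event):
    """Return the reasons (possibly none) an Event ID 7 record looks like Mistic sideloading."""
    reasons = []
    host = PureWindowsPath(event.get("Image", "")).name.lower()
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    loaded_dir = str(loaded.parent).lower()
    if host == SIDELOAD_HOST and loaded.name.lower() in SUSPECT_DLLS and not loaded_dir.startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"{host} loaded {loaded.name} from non-system path {loaded.parent}")
    digest = sha256_from_hashes(event.get("Hashes", ""))
    if digest in KNOWN_BAD_SHA256:
        reasons.append(f"SHA-256 matches reported {KNOWN_BAD_SHA256[digest]}")
    return reasons

def triage_events(events):
    """Triage a list of event dicts; return {RecordId: reasons} for hits only."""
    return {ev["RecordId"]: r for ev in events if (r := triage_image_load(ev))}

# Constructed sample events: a benign system load, the loader sideload, the payload load.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Hashes": "SHA256=" + "0" * 64},
    {"RecordId": 2, "Image": r"C:\Users\Public\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Update\version.dll",
     "Hashes": "MD5=" + "1" * 32 + ",SHA256=59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712"},
    {"RecordId": 3, "Image": r"C:\Users\Public\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Update\EndpointDlp.dll",
     "Hashes": "SHA256=1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984"},
]
```

Running `triage_events(SAMPLE_EVENTS)` flags records 2 and 3 with both a path reason and a hash reason, while the benign svchost.exe load of the system version.dll is not reported.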

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.
KongTuke

A new self-destructing backdoor called Mistic used in intrusions since April appears to be linked to a criminal gang that compromises corporate networks and then sells that access to ransomware groups.

via The Register (theregister.com)

Woodgnat

Same source excerpt as for KongTuke above (the write-up treats Woodgnat as an alias of KongTuke), via The Register (theregister.com).
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution (3 techniques)

T1059 Command and Scripting Interpreter (evidence items: 3)

Once loaded, Mistic connects to its command-and-control server and waits for instructions... run code directly in memory

T1059.001 PowerShell (evidence items: 1)

The campaign also leveraged common tools such as PowerShell, Curl, Certutil, WMIC, Net.exe and Reg.exe for reconnaissance, persistence, credential theft and lateral movement.

T1204 User Execution (evidence items: 1)

KongTuke has been known to use ClickFix, and its FileFix and CrashFix variants, since early 2025 to deliver the ModeloRAT malware. In a technical report this week, Zscaler notes that Mistic, which it tracks as MTLBackdoor, was delivered as a payload in a multi-stage ClickFix infection chain in May.

Privilege Escalation (1 technique)

T1055 Process Injection (evidence items: 1)

The backdoor runs payloads in memory with no file written to disk... Zscaler researchers say that 'one of the most powerful features [in MTLBackdoor] is the ability to load Beacon Object Files (BOFs) to expand its capabilities.'

Stealth (6 techniques)

T1036 Masquerading (evidence items: 1)

Mistic was side-loaded through MpExtMs.exe, a legitimate file, and loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software.

T1055 Process Injection (evidence items: 1)

The backdoor runs payloads in memory with no file written to disk... Zscaler researchers say that 'one of the most powerful features [in MTLBackdoor] is the ability to load Beacon Object Files (BOFs) to expand its capabilities.'

T1070 Indicator Removal (evidence items: 4)

Its capabilities include ... terminating and removing itself from an infected system.

T1070.004 File Deletion (evidence items: 2)

When the mission is accomplished, it then terminates and deletes itself.

T1218 System Binary Proxy Execution (evidence items: 1)

the attack started when the legitimate MpExtMs.exe process loaded a malicious DLL

T1620 Reflective Code Loading (evidence items: 5)

it can run remote payloads from C2 directly in memory – so it doesn’t write malicious files to the hard drive – which helps it dodge file-based detection in antivirus and endpoint detection products.

Credential Access (1 technique)

T1649 Steal or Forge Authentication Certificates (evidence items: 1)

A separate .NET DLL is also loaded, which displays a fake login screen to the victim to steal their account credentials.

Command and Control (3 techniques)

T1071 Application Layer Protocol (evidence items: 3)

It can also create new folders, and check for additional commands from the attacker-controlled command-and-control (C2) server.

T1105 Ingress Tool Transfer (evidence items: 7)

Mistic has all the usual backdoor functionality: It can upload, download, move, rename, and delete files.

T1219 Remote Access Tools (evidence items: 2)

Mistic is a stealthy backdoor used by KongTuke-linked actors to keep long-term access in ransomware-targeted networks.

INDICATORS OF COMPROMISE

IOCs tracked for this family

39 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: 29 network indicators (IPs, domains, and DNS infrastructure linked to this family), 9 file hashes (MD5, SHA-1, SHA-256) from samples and reports, and 1 other indicator type observed in public reporting.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

Security Affairs (News), Jun 25, 2026: Inside Mistic, the New Stealth Backdoor in Ransomware Intrusions

A stealthy backdoor used for long-term covert access. It communicates with a C2 server, can upload/download/move/rename/delete files, create folders, adjust beacon intervals, execute payloads in memory without writing to disk, and remove itself via a kill switch. It was observed delivered via DLL sideloading using the legitimate MpExtMs.exe process and a malicious DLL named EndpointDlp.dll.

The Hacker News (News), Jun 25, 2026: New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

A stealthy in-memory backdoor delivered via ClickFix and DLL side-loading that enables file operations, command execution from C2 in memory, BOF loading, configurable beaconing, and self-deletion for low-visibility persistence and access.

CSO Online (News), Jun 25, 2026: Rethinking the balance between AI oversight and innovation | CSO Online

A newly referenced backdoor reportedly used by a ransomware broker.

Help Net Security (News), Jun 25, 2026: Stealthy new backdoor surfaces in attacks on multiple sectors - Help Net Security

A stealthy backdoor associated with Woodgnat that is side-loaded through a legitimate executable and loaded from a DLL masquerading as Microsoft endpoint-security tooling. It communicates with command-and-control infrastructure, can upload/download/move/rename/delete files, create folders, adjust beacon timing, execute code directly in memory, and remove itself via a built-in kill switch.