A new, stealthy backdoor named Mistic has been deployed as part of suspected financially motivated attacks aimed at multiple organizations spanning insurance, education, IT, and professional services sectors since April 2026.
According to Symantec and Carbon Black’s Threat Hunter Team, the backdoor, also tracked as MLTBackdoor, is said to be linked to an initial access broker (IAB) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat), and dropped along with ModeloRAT, a Python remote access trojan (RAT) previously attributed to the group.
“The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access,” Broadcom’s cybersecurity teams said in a report shared with The Hacker News.
ModeloRAT was first flagged by Huntress in January 2026 in connection with a variant of a ClickFix campaign dubbed CrashFix, in which the KongTuke actors used a malicious Google Chrome extension masquerading as an ad blocker to intentionally crash a victim’s web browser and trick them into running arbitrary commands under the pretext of running a security scan.
The malware was also distributed in a different ClickFix campaign that involved running commands carrying out a Domain Name System (DNS) lookup to retrieve the next-stage payload, with Microsoft noting that the attack chain uses DNS as a “lightweight staging or signaling channel.”
Mistic’s use of ClickFix as a delivery vector was highlighted by Zscaler ThreatLabz earlier this month, attributing the activity to a ransomware-related threat actor to establish a foothold for lateral movement.
The latest findings from Broadcom show that the malware relies on DLL side-loading techniques, using trusted Microsoft endpoint security tooling (“MpExtMs.exe”) to blend in and avoid raising red flags. The backdoor runs directly in memory, enabling a wide range of capabilities typically associated with a malware family of this kind –
- Upload or download a file
- Move, rename, or delete a file
- Create a folder
- Modify the time interval after which it polls a remote server for commands
- Execute code received from C2 in memory without leaving any artifacts on disk
- Load Beacon Object Files (BOFs) to dynamically expand its capabilities
- Terminate and delete itself
“The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector,” Symantec and Carbon Black said, adding that ModeloRAT has been observed in attacks that deployed Qilin ransomware.
KongTuke is known to operate a traffic distribution system (TDS) built on compromised WordPress sites, using it to serve an ever-evolving set of lures that lead unsuspecting site visitors to malware. As recently as…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
