Skip to main content

Command Palette

Search for a command to run...

Mistic Backdoor: KongTuke's New Weapon in the ClickFix – ModeloRAT – Ransomware Ecosystem

Updated
7 min readView as Markdown
Mistic Backdoor: KongTuke's New Weapon in the ClickFix – ModeloRAT – Ransomware Ecosystem

Executive Summary

A new backdoor named Backdoor.Mistic (also tracked by Zscaler as MLTBackdoor) has surfaced in intrusions since April 2026, hitting organizations across insurance, education, IT, and professional services. The Symantec and Carbon Black Threat Hunter Team assesses — with low confidence — that Mistic may be linked to Woodgnat (publicly tracked as KongTuke), an initial access broker (IAB) that sells access to ransomware crews including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

The core business risk: this is not a direct ransomware event, but the durable, low-visibility access stage that gets resold. A compromised organization may see no signs for weeks — until an affiliate buys the access and drops ransomware. Targeting is opportunistic: the attackers cast a wide net, then decide which victims are worth selling. The single most important action to take now: block "paste-and-run" (pasting PowerShell into the Run dialog or File Explorer), the shared initial vector across this entire ecosystem.

Backdoor.Mistic — engineered to disappear

Mistic is built around a low-visibility philosophy. It runs payloads directly in memory with no file written to disk, and includes a kill switch to terminate and delete itself. This feature set is consistent with an operator seeking long-term access without leaving forensic traces.

Core capabilities:

  • Upload/download a file

  • Move / rename / delete a file

  • Create a folder

  • Modify its polling interval (how often it checks C2 for commands) — reducing network noise on demand

  • Execute code received from C2 directly in memory, leaving no disk artifacts

  • Load Beacon Object Files (BOFs) to dynamically expand its capabilities — per The Hacker News; this detail does not appear in Symantec's original report

  • Terminate and delete itself (kill switch) The BOF-loading capability is notable: it is a technique associated with high-end C2 frameworks like Cobalt Strike, allowing post-exploitation code to run inside the beacon process without spawning a new one — a signal of the author's development maturity.

Delivery chain — DLL side-loading disguised as Microsoft tooling

In an attack investigated by the Symantec Threat Hunter Team, Mistic was launched via DLL side-loading, abusing a legitimate file as its carrier:

  1. MpExtMs.exe — a legitimate file — is used to side-load malicious DLLs.

  2. version.dll — the loader — hooks two APIs: GetModuleFileNameW and LoadLibraryW.

    • GetModuleFileNameW hook: ensures the mpextms.exe path points to the legitimate original location (defeating path checks).

    • LoadLibraryW hook: forces the loader to load the malicious EndpointDlp.dll instead of the real DLL.

  3. EndpointDlp.dll — this is Backdoor.Mistic, deliberately named to impersonate Microsoft endpoint-security tooling and blend in with trusted software.

  4. A .NET credential stealer DLL is also loaded, displaying a fake login/lock screen to trick users into entering their credentials. Supporting LOLBins seen in the same attack: curl (data transfer / exfil), reg.exe (registry edits), net.exe (network resource management), PowerShell (payload download, traversal, recon), certutil (decoding / file download / root cert install), and WMIC (remote command execution).

Woodgnat / KongTuke — the access broker behind it

Woodgnat (public aliases: KongTuke, 404 TDS, TAG-124, LandUpdate808, Chaya_002) is a financially motivated cybercrime operation active since at least May 2024. Its primary role is IAB: the goal is not to deliver the final payload, but to establish highly durable remote access and then resell it to ransomware affiliates.

The group's traffic distribution system (TDS) runs mainly on compromised WordPress sites — obtained through vulnerable/misconfigured plugins, stolen or purchased credentials, and phishing. Injected JavaScript profiles visitors and serves tailored lures.

Lure evolution — from ClickFix to Teams IT-helpdesk

The most striking thing about Woodgnat is how fast its social-engineering tradecraft evolves:

  • ClickFix (early 2025): fake errors / fake CAPTCHAs trick victims into pasting malicious scripts into the Windows Run dialog under the guise of "fixing a technical error."

  • FileFix (mid-2025): tricks victims into pasting and running commands directly in the File Explorer address bar.

  • CrashFix (early 2026): deliberately crashes the victim's browser, then tricks them into running code under the pretext of "fixing the crash." Huntress first flagged this variant in January 2026, using the malicious Chrome extension NexShield impersonating uBlock Origin Lite, distributed via malvertising.

  • DNS-based ClickFix: a separate variant runs commands that perform a DNS lookup to retrieve the next-stage payload — Microsoft described DNS being used as a "lightweight staging or signaling channel."

  • Teams IT-helpdesk (since ~April 2026): Woodgnat pivoted to impersonating an IT Support account sending external Microsoft Teams messages, walking victims through a "paste-and-run" sequence. Rapid7 and ReliaQuest reported that the operator rotated through multiple Microsoft 365 tenants to blunt reactive blocking, reaching persistence within minutes of the victim pasting a single PowerShell command. In every case, the endgame is getting the victim to run an attacker-supplied PowerShell command.

ModeloRAT — Woodgnat's clearest fingerprint

Woodgnat is most readily identified through ModeloRAT, typically delivered as a portable WinPython package (WPy64-31401) and run via a signed pythonw.exe interpreter — borrowing a legitimate signature to evade detection. C2 uses RC4 encryption and is built for resilience with multiple independent C2 paths on separate infrastructure and sequential failover. Non-domain-joined (WORKGROUP) hosts receive a more heavily obfuscated variant that uses a DGA (domain-generation algorithm) to cycle fresh C2 domains weekly — while the higher-value ModeloRAT payload is reserved for domain-joined corporate machines.

Other components in the chain: Node.exe (script host running attacker JavaScript), Finger.exe (LOLBin retrieving obfuscated payloads since late 2025), GateKeeper (.NET payload with layered encryption + anti-analysis + fingerprinting), and the commodity loaders MintsLoader and D3F@ck Loader.

Assessment

The trend to watch here is IABs developing their own custom tooling rather than relying purely on living-off-the-land. Previously, ransomware groups and access brokers favored LOLBins and dual-use tools to cut cost and exposure. Woodgnat plausibly standing behind both ModeloRAT and Mistic points to a group with high-end stealthy-RAT development skills — and the line between "access seller" and "ransomware deployer" is increasingly blurred.

For enterprise environments in Vietnam, the fake-IT-Support external Microsoft Teams chat vector is an immediate concern: many organizations run M365 without tightening external chat policy, and a "call IT for a quick fix" culture makes the helpdesk pretext land easily. This is no longer hypothetical — it has been observed in the wild since April 2026.

IOCs (Indicators of Compromise)

Source: Symantec Threat Hunter Team.

File indicators (SHA256)

1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984  Backdoor.Mistic - endpointdlp.dll
34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc  Fake lock screen - f.dll
3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be  Backdoor.Mistic - aeff97fe.msi
59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712  Loader for backdoor - version.dll
8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235  Likely privilege escalation - n.dll
afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c  Backdoor.Mistic - endpointdlp.dll
db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5  Backdoor.Mistic - endpointdlp.dll
f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e  Backdoor.Mistic - 48b47c0.msi
fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a  Backdoor.Mistic - endpointdlp.dll

Network indicators

142.93.242.144
144.31.53.78
198.13.159.44
199.91.221.42
authorized-logins.net
b6w9m2z5x8q1v3k.top
carrolc.com
cj06y9v4xab.com
cwrtwright.com
defs.updater-worelos.com
ftps.upd-domain-goloro.com
grande-luna.top
hxxp://thomphon.com/update.msi
human-check.top
mail.authorized-logins.net
mailes.upd-domain-goloro.com
mails.updater-worelos.com
mueleer.com
nano.upscale-kolo.com
oeannon.com
php.authorized-logins.net
rotoa-upda-lo.com
sql-updater-service.com
sss.authorized-logins.net
thomphon.com
upd-domain-goloro.com
update.update-fall.com
updater-worelos.com
upscale-kolo.com
w3xasv14culvnqj.top

Recommendations

  • Block paste-and-run: disable/log the Run dialog via GPO, monitor explorer.exe/Teams.exe spawning powershell.exe; tighten external Microsoft Teams chat and warn users about "IT Support" pretexts.

  • Side-loading detection: alert when MpExtMs.exe loads version.dll/EndpointDlp.dll outside standard Microsoft paths; hunt for pythonw.exe running from anomalous portable-WinPython directories.

  • Persistence & recon: sweep for fake AnyDesk/Splashtop/Comms Run-keys, unusual scheduled tasks and VBScript launchers; monitor net.exe enumeration chains and Kerberoasting (SPN) queries.

  • Ingest the IOCs above into SIEM/EDR and block network indicators at the firewall/DNS.


References

More from this blog

F

FPT IS Security

880 posts

Dedicated to providing insightful articles on cybersecurity threat intelligence, aimed at empowering individuals and organizations to navigate the digital landscape safely.