Mistic Backdoor: KongTuke's New Weapon in the ClickFix – ModeloRAT – Ransomware Ecosystem

Executive Summary
A new backdoor named Backdoor.Mistic (also tracked by Zscaler as MLTBackdoor) has surfaced in intrusions since April 2026, hitting organizations across insurance, education, IT, and professional services. The Symantec and Carbon Black Threat Hunter Team assesses — with low confidence — that Mistic may be linked to Woodgnat (publicly tracked as KongTuke), an initial access broker (IAB) that sells access to ransomware crews including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
The core business risk: this is not a direct ransomware event, but the durable, low-visibility access stage that gets resold. A compromised organization may see no signs for weeks — until an affiliate buys the access and drops ransomware. Targeting is opportunistic: the attackers cast a wide net, then decide which victims are worth selling. The single most important action to take now: block "paste-and-run" (pasting PowerShell into the Run dialog or File Explorer), the shared initial vector across this entire ecosystem.
Backdoor.Mistic — engineered to disappear
Mistic is built around a low-visibility philosophy. It runs payloads directly in memory with no file written to disk, and includes a kill switch to terminate and delete itself. This feature set is consistent with an operator seeking long-term access without leaving forensic traces.
Core capabilities:
Upload/download a file
Move / rename / delete a file
Create a folder
Modify its polling interval (how often it checks C2 for commands) — reducing network noise on demand
Execute code received from C2 directly in memory, leaving no disk artifacts
Load Beacon Object Files (BOFs) to dynamically expand its capabilities — per The Hacker News; this detail does not appear in Symantec's original report
Terminate and delete itself (kill switch) The BOF-loading capability is notable: it is a technique associated with high-end C2 frameworks like Cobalt Strike, allowing post-exploitation code to run inside the beacon process without spawning a new one — a signal of the author's development maturity.
Delivery chain — DLL side-loading disguised as Microsoft tooling
In an attack investigated by the Symantec Threat Hunter Team, Mistic was launched via DLL side-loading, abusing a legitimate file as its carrier:
MpExtMs.exe— a legitimate file — is used to side-load malicious DLLs.version.dll— the loader — hooks two APIs:GetModuleFileNameWandLoadLibraryW.GetModuleFileNameWhook: ensures thempextms.exepath points to the legitimate original location (defeating path checks).LoadLibraryWhook: forces the loader to load the maliciousEndpointDlp.dllinstead of the real DLL.
EndpointDlp.dll— this is Backdoor.Mistic, deliberately named to impersonate Microsoft endpoint-security tooling and blend in with trusted software.A .NET credential stealer DLL is also loaded, displaying a fake login/lock screen to trick users into entering their credentials. Supporting LOLBins seen in the same attack:
curl(data transfer / exfil),reg.exe(registry edits),net.exe(network resource management),PowerShell(payload download, traversal, recon),certutil(decoding / file download / root cert install), andWMIC(remote command execution).
Woodgnat / KongTuke — the access broker behind it
Woodgnat (public aliases: KongTuke, 404 TDS, TAG-124, LandUpdate808, Chaya_002) is a financially motivated cybercrime operation active since at least May 2024. Its primary role is IAB: the goal is not to deliver the final payload, but to establish highly durable remote access and then resell it to ransomware affiliates.
The group's traffic distribution system (TDS) runs mainly on compromised WordPress sites — obtained through vulnerable/misconfigured plugins, stolen or purchased credentials, and phishing. Injected JavaScript profiles visitors and serves tailored lures.
Lure evolution — from ClickFix to Teams IT-helpdesk
The most striking thing about Woodgnat is how fast its social-engineering tradecraft evolves:
ClickFix (early 2025): fake errors / fake CAPTCHAs trick victims into pasting malicious scripts into the Windows Run dialog under the guise of "fixing a technical error."
FileFix (mid-2025): tricks victims into pasting and running commands directly in the File Explorer address bar.
CrashFix (early 2026): deliberately crashes the victim's browser, then tricks them into running code under the pretext of "fixing the crash." Huntress first flagged this variant in January 2026, using the malicious Chrome extension NexShield impersonating uBlock Origin Lite, distributed via malvertising.
DNS-based ClickFix: a separate variant runs commands that perform a DNS lookup to retrieve the next-stage payload — Microsoft described DNS being used as a "lightweight staging or signaling channel."
Teams IT-helpdesk (since ~April 2026): Woodgnat pivoted to impersonating an IT Support account sending external Microsoft Teams messages, walking victims through a "paste-and-run" sequence. Rapid7 and ReliaQuest reported that the operator rotated through multiple Microsoft 365 tenants to blunt reactive blocking, reaching persistence within minutes of the victim pasting a single PowerShell command. In every case, the endgame is getting the victim to run an attacker-supplied PowerShell command.
ModeloRAT — Woodgnat's clearest fingerprint
Woodgnat is most readily identified through ModeloRAT, typically delivered as a portable WinPython package (WPy64-31401) and run via a signed pythonw.exe interpreter — borrowing a legitimate signature to evade detection. C2 uses RC4 encryption and is built for resilience with multiple independent C2 paths on separate infrastructure and sequential failover. Non-domain-joined (WORKGROUP) hosts receive a more heavily obfuscated variant that uses a DGA (domain-generation algorithm) to cycle fresh C2 domains weekly — while the higher-value ModeloRAT payload is reserved for domain-joined corporate machines.
Other components in the chain: Node.exe (script host running attacker JavaScript), Finger.exe (LOLBin retrieving obfuscated payloads since late 2025), GateKeeper (.NET payload with layered encryption + anti-analysis + fingerprinting), and the commodity loaders MintsLoader and D3F@ck Loader.
Assessment
The trend to watch here is IABs developing their own custom tooling rather than relying purely on living-off-the-land. Previously, ransomware groups and access brokers favored LOLBins and dual-use tools to cut cost and exposure. Woodgnat plausibly standing behind both ModeloRAT and Mistic points to a group with high-end stealthy-RAT development skills — and the line between "access seller" and "ransomware deployer" is increasingly blurred.
For enterprise environments in Vietnam, the fake-IT-Support external Microsoft Teams chat vector is an immediate concern: many organizations run M365 without tightening external chat policy, and a "call IT for a quick fix" culture makes the helpdesk pretext land easily. This is no longer hypothetical — it has been observed in the wild since April 2026.
IOCs (Indicators of Compromise)
Source: Symantec Threat Hunter Team.
File indicators (SHA256)
1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 Backdoor.Mistic - endpointdlp.dll
34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc Fake lock screen - f.dll
3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be Backdoor.Mistic - aeff97fe.msi
59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 Loader for backdoor - version.dll
8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235 Likely privilege escalation - n.dll
afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c Backdoor.Mistic - endpointdlp.dll
db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5 Backdoor.Mistic - endpointdlp.dll
f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e Backdoor.Mistic - 48b47c0.msi
fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a Backdoor.Mistic - endpointdlp.dll
Network indicators
142.93.242.144
144.31.53.78
198.13.159.44
199.91.221.42
authorized-logins.net
b6w9m2z5x8q1v3k.top
carrolc.com
cj06y9v4xab.com
cwrtwright.com
defs.updater-worelos.com
ftps.upd-domain-goloro.com
grande-luna.top
hxxp://thomphon.com/update.msi
human-check.top
mail.authorized-logins.net
mailes.upd-domain-goloro.com
mails.updater-worelos.com
mueleer.com
nano.upscale-kolo.com
oeannon.com
php.authorized-logins.net
rotoa-upda-lo.com
sql-updater-service.com
sss.authorized-logins.net
thomphon.com
upd-domain-goloro.com
update.update-fall.com
updater-worelos.com
upscale-kolo.com
w3xasv14culvnqj.top
Recommendations
Block paste-and-run: disable/log the Run dialog via GPO, monitor
explorer.exe/Teams.exespawningpowershell.exe; tighten external Microsoft Teams chat and warn users about "IT Support" pretexts.Side-loading detection: alert when
MpExtMs.exeloadsversion.dll/EndpointDlp.dlloutside standard Microsoft paths; hunt forpythonw.exerunning from anomalous portable-WinPython directories.Persistence & recon: sweep for fake
AnyDesk/Splashtop/CommsRun-keys, unusual scheduled tasks and VBScript launchers; monitornet.exeenumeration chains and Kerberoasting (SPN) queries.Ingest the IOCs above into SIEM/EDR and block network indicators at the firewall/DNS.
References
Symantec / Carbon Black Threat Hunter Team — Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker
The Hacker News — New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns
Zscaler ThreatLabz — Technical Analysis of MLTBackdoor
Rapid7 — IT Support: Dissecting the ModeloRAT Campaign via Microsoft Teams Compromise
ReliaQuest — Threat Spotlight: Help Desk Lures Drop KongTuke's Evolved ModeloRAT






