# Mistic Backdoor: KongTuke's New Weapon in the ClickFix – ModeloRAT – Ransomware Ecosystem

## Executive Summary

A new backdoor named **Backdoor.Mistic** (also [tracked by Zscaler as MLTBackdoor](https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor)) has surfaced in intrusions since **April 2026**, hitting organizations across insurance, education, IT, and professional services. The [Symantec and Carbon Black Threat Hunter Team](https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT) assesses — with **low confidence** — that Mistic may be linked to **Woodgnat** (publicly tracked as **KongTuke**), an initial access broker (IAB) that sells access to ransomware crews including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

The core business risk: this is not a direct ransomware event, but the **durable, low-visibility access** stage that gets resold. A compromised organization may see no signs for weeks — until an affiliate buys the access and drops ransomware. Targeting is **opportunistic**: the attackers cast a wide net, then decide which victims are worth selling. The single most important action to take now: **block "paste-and-run"** (pasting PowerShell into the Run dialog or File Explorer), the shared initial vector across this entire ecosystem.

## Backdoor.Mistic — engineered to disappear

Mistic is built around a low-visibility philosophy. It [runs payloads directly in memory](https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT) with no file written to disk, and includes a **kill switch** to terminate and delete itself. This feature set is consistent with an operator seeking long-term access without leaving forensic traces.

Core capabilities:

*   Upload/download a file
    
*   Move / rename / delete a file
    
*   Create a folder
    
*   Modify its polling interval (how often it checks C2 for commands) — reducing network noise on demand
    
*   Execute code received from C2 **directly in memory**, leaving no disk artifacts
    
*   **Load Beacon Object Files (BOFs)** to dynamically expand its capabilities — *per* [*The Hacker News*](https://thehackernews.com/2026/06/new-mistic-backdoor-linked-to-kongtuke.html)*; this detail does not appear in Symantec's original report*
    
*   Terminate and delete itself (kill switch) The BOF-loading capability is notable: it is a technique associated with high-end C2 frameworks like Cobalt Strike, allowing post-exploitation code to run inside the beacon process without spawning a new one — a signal of the author's development maturity.
    

### Delivery chain — DLL side-loading disguised as Microsoft tooling

In [an attack investigated by the Symantec Threat Hunter Team](https://sed-cms.broadcom.com/system/files/threat-hunter-alert-attachments/2026-05/2026_05_28_Threat_Alert_MSI_Backdoor.pdf), Mistic was launched via DLL side-loading, abusing a legitimate file as its carrier:

1.  `MpExtMs.exe` — a **legitimate** file — is used to side-load malicious DLLs.
    
2.  `version.dll` — the **loader** — hooks two APIs: `GetModuleFileNameW` and `LoadLibraryW`.
    
    *   `GetModuleFileNameW` hook: ensures the `mpextms.exe` path points to the legitimate original location (defeating path checks).
        
    *   `LoadLibraryW` hook: forces the loader to load the malicious `EndpointDlp.dll` instead of the real DLL.
        
3.  `EndpointDlp.dll` — this **is Backdoor.Mistic**, **deliberately named** to impersonate Microsoft endpoint-security tooling and blend in with trusted software.
    
4.  A **.NET credential stealer** DLL is also loaded, displaying a fake login/lock screen to trick users into entering their credentials. Supporting LOLBins seen in the same attack: `curl` (data transfer / exfil), `reg.exe` (registry edits), `net.exe` (network resource management), `PowerShell` (payload download, traversal, recon), `certutil` (decoding / file download / root cert install), and `WMIC` (remote command execution).
    

## Woodgnat / KongTuke — the access broker behind it

**Woodgnat** (public aliases: **KongTuke, 404 TDS, TAG-124, LandUpdate808, Chaya\_002**) is a financially motivated cybercrime operation [active since at least May 2024](https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT). Its primary role is IAB: the goal is not to deliver the final payload, but to establish highly durable remote access and then **resell** it to ransomware affiliates.

The group's traffic distribution system (TDS) runs mainly on **compromised WordPress sites** — obtained through vulnerable/misconfigured plugins, stolen or purchased credentials, and phishing. Injected JavaScript profiles visitors and serves tailored lures.

### Lure evolution — from ClickFix to Teams IT-helpdesk

The most striking thing about Woodgnat is how fast its social-engineering tradecraft evolves:

*   **ClickFix (early 2025):** fake errors / fake CAPTCHAs trick victims into pasting malicious scripts into the **Windows Run dialog** under the guise of "fixing a technical error."
    
*   **FileFix (mid-2025):** tricks victims into pasting and running commands directly in the **File Explorer address bar**.
    
*   **CrashFix (early 2026):** deliberately crashes the victim's browser, then tricks them into running code under the pretext of "fixing the crash." [Huntress first flagged this variant in January 2026](https://thehackernews.com/2026/01/crashfix-chrome-extension-delivers.html), using the malicious Chrome extension **NexShield** impersonating uBlock Origin Lite, distributed via malvertising.
    
*   **DNS-based ClickFix:** a separate variant runs commands that perform a DNS lookup to retrieve the next-stage payload — [Microsoft described](https://thehackernews.com/2026/02/microsoft-discloses-dns-based-clickfix.html) DNS being used as a "lightweight staging or signaling channel."
    
*   **Teams IT-helpdesk (since ~April 2026):** Woodgnat pivoted to impersonating an **IT Support account sending external Microsoft Teams messages**, walking victims through a "paste-and-run" sequence. [Rapid7 and ReliaQuest reported](https://reliaquest.com/blog/threat-spotlight-help-desk-lures-drop-kongtukes-evolved-modelorat/) that the operator rotated through multiple Microsoft 365 tenants to blunt reactive blocking, reaching persistence within minutes of the victim pasting a single PowerShell command. In every case, the endgame is getting the victim to run an attacker-supplied PowerShell command.
    

### ModeloRAT — Woodgnat's clearest fingerprint

Woodgnat is most readily identified through **ModeloRAT**, typically delivered as a **portable WinPython package** (`WPy64-31401`) and run via a **signed** `pythonw.exe` **interpreter** — borrowing a legitimate signature to evade detection. C2 uses **RC4 encryption** and is built for resilience with [multiple independent C2 paths on separate infrastructure and sequential failover](https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise/). **Non-domain-joined** (WORKGROUP) hosts receive a more heavily obfuscated variant that uses a **DGA** (domain-generation algorithm) to cycle fresh C2 domains weekly — while the higher-value ModeloRAT payload is reserved for domain-joined corporate machines.

Other components in the chain: `Node.exe` (script host running attacker JavaScript), `Finger.exe` (LOLBin retrieving obfuscated payloads since late 2025), `GateKeeper` (.NET payload with layered encryption + anti-analysis + fingerprinting), and the commodity loaders **MintsLoader** and **D3F@ck Loader**.

## Assessment

The trend to watch here is **IABs developing their own custom tooling** rather than relying purely on living-off-the-land. Previously, ransomware groups and access brokers favored LOLBins and dual-use tools to cut cost and exposure. Woodgnat plausibly standing behind **both ModeloRAT and Mistic** points to a group with high-end stealthy-RAT development skills — and the line between "access seller" and "ransomware deployer" is increasingly blurred.

For enterprise environments in Vietnam, the **fake-IT-Support external Microsoft Teams chat** vector is an immediate concern: many organizations run M365 without tightening external chat policy, and a "call IT for a quick fix" culture makes the helpdesk pretext land easily. This is no longer hypothetical — it has been observed in the wild since April 2026.

## IOCs (Indicators of Compromise)

Source: [Symantec Threat Hunter Team](https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT).

**File indicators (SHA256)**

```plaintext
1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984  Backdoor.Mistic - endpointdlp.dll
34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc  Fake lock screen - f.dll
3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be  Backdoor.Mistic - aeff97fe.msi
59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712  Loader for backdoor - version.dll
8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235  Likely privilege escalation - n.dll
afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c  Backdoor.Mistic - endpointdlp.dll
db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5  Backdoor.Mistic - endpointdlp.dll
f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e  Backdoor.Mistic - 48b47c0.msi
fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a  Backdoor.Mistic - endpointdlp.dll
```

**Network indicators**

```plaintext
142.93.242.144
144.31.53.78
198.13.159.44
199.91.221.42
authorized-logins.net
b6w9m2z5x8q1v3k.top
carrolc.com
cj06y9v4xab.com
cwrtwright.com
defs.updater-worelos.com
ftps.upd-domain-goloro.com
grande-luna.top
hxxp://thomphon.com/update.msi
human-check.top
mail.authorized-logins.net
mailes.upd-domain-goloro.com
mails.updater-worelos.com
mueleer.com
nano.upscale-kolo.com
oeannon.com
php.authorized-logins.net
rotoa-upda-lo.com
sql-updater-service.com
sss.authorized-logins.net
thomphon.com
upd-domain-goloro.com
update.update-fall.com
updater-worelos.com
upscale-kolo.com
w3xasv14culvnqj.top
```

## Recommendations

*   **Block paste-and-run:** disable/log the Run dialog via GPO, monitor `explorer.exe`/`Teams.exe` spawning `powershell.exe`; tighten **external Microsoft Teams chat** and warn users about "IT Support" pretexts.
    
*   **Side-loading detection:** alert when `MpExtMs.exe` loads `version.dll`/`EndpointDlp.dll` outside standard Microsoft paths; hunt for `pythonw.exe` running from anomalous portable-WinPython directories.
    
*   **Persistence & recon:** sweep for fake `AnyDesk`/`Splashtop`/`Comms` Run-keys, unusual scheduled tasks and VBScript launchers; monitor `net.exe` enumeration chains and Kerberoasting (SPN) queries.
    
*   **Ingest the IOCs** above into SIEM/EDR and block network indicators at the firewall/DNS.
    

* * *

## References

*   Symantec / Carbon Black Threat Hunter Team — [*Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker*](https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT)
    
*   The Hacker News — [*New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns*](https://thehackernews.com/2026/06/new-mistic-backdoor-linked-to-kongtuke.html)
    
*   Zscaler ThreatLabz — [*Technical Analysis of MLTBackdoor*](https://www.zscaler.com/blogs/security-research/technical-analysis-mltbackdoor)
    
*   Rapid7 — [*IT Support: Dissecting the ModeloRAT Campaign via Microsoft Teams Compromise*](https://www.rapid7.com/blog/post/tr-it-support-dissecting-modelorat-campaign-microsoft-teams-compromise/)
    
*   ReliaQuest — [*Threat Spotlight: Help Desk Lures Drop KongTuke's Evolved ModeloRAT*](https://reliaquest.com/blog/threat-spotlight-help-desk-lures-drop-kongtukes-evolved-modelorat/)
