Mistic Backdoor: A Stealthy New Threat Linked to KongTuke IAB and Ransomware
A sophisticated new backdoor, dubbed **Mistic**, is being deployed in financially motivated attacks targeting diverse organizations across insurance, education, IT, and professional services sectors. Linked to the notorious initial access broker (**IAB**) **KongTuke**, also known as **404 TDS**, **Chaya_002**, **LandUpdate808**, **TAG-124**, and **Woodgnat**, this threat operates with remarkable stealth, often alongside the **ModeloRAT** Python remote access trojan.
Since April 2026, this backdoor has emerged as a significant threat, primarily targeting organizations across various industries.

### Mistic's Modus Operandi
**Symantec** and **Carbon Black's Threat Hunter Team** have identified **Mistic**, also tracked as **MLTBackdoor**, as a tool deployed by **KongTuke**. This **IAB** is known for its role in establishing initial access for subsequent malicious activities, often involving ransomware.
One of **Mistic**'s most notable features is its ability to execute payloads directly in memory, leaving no trace on disk. It also includes a self-deletion mechanism, indicating a clear intent for long-term, low-visibility access, as highlighted by **Broadcom's** cybersecurity teams.
### The ModeloRAT Connection
**Mistic** is frequently dropped alongside **ModeloRAT**, a Python remote access trojan previously attributed to **KongTuke**. **ModeloRAT** first came to light in January 2026, when **Huntress** linked it to a **ClickFix** campaign dubbed **CrashFix**. In these attacks, actors used malicious **Google Chrome** extensions, masquerading as ad blockers, to intentionally crash victims' browsers and trick them into running arbitrary commands under the guise of security scans.
Another **ClickFix** campaign involved using **Domain Name System (DNS)** lookups to retrieve next-stage payloads. **Microsoft** noted that this attack chain leverages **DNS** as a lightweight staging or signaling channel, further demonstrating the sophistication of **KongTuke's** methods.
Earlier this month, **Zscaler ThreatLabz** also highlighted **Mistic's** use of **ClickFix** as a delivery vector, attributing the activity to a ransomware-related threat actor aiming to establish a foothold for lateral movement.
### Evasion and Capabilities
**Broadcom's** latest findings indicate that **Mistic** employs DLL side-loading techniques, utilizing trusted **Microsoft** endpoint security tooling like "MpExtMs.exe" to blend in and evade detection. Operating in memory, the backdoor possesses a wide array of capabilities:
* Upload or download files
* Move, rename, or delete files
* Create folders
* Modify the time interval for polling remote servers for commands
* Execute code received from Command and Control (**C2**) in memory without disk artifacts
* Load **Beacon Object Files (BOFs)** to dynamically expand its functionality
* Terminate and delete itself
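The side-loading detail above (a trusted host binary such as MpExtMs.exe loading an attacker-supplied DLL) is the kind of behaviour endpoint telemetry can surface. The following is an added, constructed example, not code from Symantec, Broadcom or the report: it scores Sysmon-style ImageLoad events for side-loading candidates. The trusted-directory list, the constructed event records and the placeholder DLL name are assumptions.

```python
"""Flag possible DLL side-loading through a watched host binary.

Input records mimic Sysmon Event ID 7 (ImageLoad) fields: Image, ImageLoaded,
Signed, Signature. Everything below is constructed sample data.
"""
from pathlib import PureWindowsPath

# Host binary named on the page as abused for side-loading.
WATCHED_HOSTS = {"mpextms.exe"}
# Directories where a legitimate copy of the host and its DLLs are assumed to
# live (assumption for this example, not a statement from the report).
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender",
    r"c:\windows\system32",
)


def sideload_reasons(event):
    """Return a list of reasons an event looks like side-loading (empty = clean)."""
    image = PureWindowsPath(event["Image"])
    if image.name.lower() not in WATCHED_HOSTS:
        return []
    dll = PureWindowsPath(event["ImageLoaded"])
    host_dir = str(image.parent).lower()
    dll_dir = str(dll.parent).lower()
    reasons = []
    if not host_dir.startswith(TRUSTED_DIRS):
        reasons.append("host binary running from untrusted directory")
    if not dll_dir.startswith(TRUSTED_DIRS):
        reasons.append("loaded DLL outside trusted directories")
    signed = event.get("Signed", "false").lower() == "true"
    if not signed or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("loaded DLL not Microsoft-signed")
    return reasons


# Constructed sample events: one benign load, one side-load pattern, one unrelated process.
BENIGN = {"Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
          "ImageLoaded": r"C:\Program Files\Windows Defender\mpclient.dll",
          "Signed": "true", "Signature": "Microsoft Windows"}
SUSPECT = {"Image": r"C:\Users\Public\Libraries\MpExtMs.exe",
           "ImageLoaded": r"C:\Users\Public\Libraries\placeholder_sideload.dll",
           "Signed": "false", "Signature": ""}
OTHER = {"Image": r"C:\Windows\System32\notepad.exe",
         "ImageLoaded": r"C:\Users\Public\x.dll", "Signed": "false", "Signature": ""}


def scan(events):
    """Map each event's host image to its reasons, keeping only hits."""
    return {e["Image"]: r for e in events if (r := sideload_reasons(e))}
```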
### Opportunistic Targeting and Ransomware Links
**Symantec** and **Carbon Black** suggest that the targeting appears opportunistic, with attackers casting a wide net to identify organizations whose access could be sold. **ModeloRAT** has been observed in attacks deploying **Qilin** ransomware, underscoring the potential for significant financial impact.
**KongTuke** is known to operate a traffic distribution system (**TDS**) built on compromised **WordPress** sites, serving various lures to direct unsuspecting visitors to malware. Recently, **Rapid7** and **ReliaQuest** revealed that the threat actor has adapted its tactics, sending fake IT Support messages via **Microsoft Teams** to initiate an attack chain leading to **ModeloRAT** deployment.
**Broadcom** emphasizes the backdoor's stealth and the high skill level of **Woodgnat** (likely a developer behind **ModeloRAT** and **Mistic**) in creating sophisticated remote access tools. The increasing use of custom tools in ransomware attacks, often developed by access brokers working with ransomware affiliates, marks a continuing trend in the evolving threat landscape.