Mistic Backdoor: A Stealthy New Threat Linked to Ransomware Access Broker KongTuke
A sophisticated new backdoor, dubbed Mistic, has been identified in financially motivated attacks targeting diverse sectors including insurance, education, IT, and professional services. Cybersecurity researchers believe Mistic is the latest tool in the arsenal of **KongTuke**, a notorious initial access broker known for facilitating ransomware operations.

**Mistic** is a newly discovered backdoor believed to be connected to **KongTuke** (also tracked as **Woodgnat**), an initial access broker active since at least 2024. **KongTuke** specializes in compromising corporate networks and selling this access to prominent ransomware groups, including **Qilin**, **Interlock**, **Rhysida**, **Akira**, **8Base**, and **Black Basta**.
According to researchers at **Symantec**, **Mistic** has been deployed in intrusions since April. In some instances, it was observed shortly after **ModeloRAT**, another backdoor attributed to **KongTuke** and often delivered via social engineering attacks conducted over **Microsoft Teams**.
**Symantec** posits that **Mistic** is a recently developed, highly stealthy backdoor engineered for long-term persistence within compromised networks.
### Mistic Attack Chain
**Symantec**'s investigations reveal that the infection typically begins with the execution of a legitimate executable, `MpExtMs.exe`, to side-load a malicious DLL named `version.dll`. This DLL acts as the loader for **Mistic** itself, which is disguised as `EndpointDlp.dll`. The choice of filename for **Mistic** is noteworthy, as it mimics **Microsoft** endpoint security tooling, allowing the malware to blend in with trusted software on the host.
A separate .NET DLL is also loaded, which presents a fake login screen to the victim, designed to steal their account credentials.
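The side-loading chain above (`MpExtMs.exe` resolving `version.dll` from its own directory, which then loads `EndpointDlp.dll`) is visible in endpoint image-load telemetry. The following hunting script is an added example written for this article, not code from Symantec or Zscaler: it runs over constructed Sysmon-style Event ID 7 records (field names `Image`, `ImageLoaded`, `Signed`, `ProcessId` mirror Sysmon's) and flags a process that loads `version.dll` from outside the Windows system directories or `EndpointDlp.dll` from outside the trusted install locations. The paths in the sample events and the list of "trusted" directories are assumptions made for the example.

```python
"""Hunt for the MpExtMs.exe -> version.dll -> EndpointDlp.dll side-load chain
in Sysmon-style image-load (Event ID 7) records.  Sample data is constructed."""
import ntpath
from collections import defaultdict
from typing import Iterable

# Where a genuine copy of the Windows system DLL version.dll is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Where vendor-installed security components would normally sit
# (assumption made for this example, not taken from the article).
TRUSTED_PREFIXES = SYSTEM_DIRS + (r"c:\program files", r"c:\program files (x86)")


def _under(directory: str, prefixes) -> bool:
    """True if `directory` is one of `prefixes` or a subdirectory of one."""
    d = directory.lower().rstrip("\\")
    return any(d == pre or d.startswith(pre + "\\") for pre in prefixes)


def classify_image_load(event: dict) -> list[str]:
    """Return the reasons a single image-load event matches the chain (empty if benign)."""
    proc = ntpath.basename(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll = ntpath.basename(dll_path).lower()
    dll_dir = ntpath.dirname(dll_path)
    signed = str(event.get("Signed", "")).lower() == "true"
    reasons = []
    # Search-order side-load: the host binary picks up version.dll next to itself
    # instead of the real one in System32/SysWOW64.
    if proc == "mpextms.exe" and dll == "version.dll" and not _under(dll_dir, SYSTEM_DIRS):
        reasons.append("version.dll resolved outside the Windows system directories")
    # The Mistic payload mimics a Microsoft endpoint-security DLL name; a copy
    # outside the trusted install locations is suspicious.
    if dll == "endpointdlp.dll" and not _under(dll_dir, TRUSTED_PREFIXES):
        reasons.append("EndpointDlp.dll loaded from an untrusted directory")
    if dll in ("version.dll", "endpointdlp.dll") and not signed:
        reasons.append(f"{dll} is unsigned")
    return reasons


def hunt(events: Iterable[dict]) -> list[dict]:
    """Group suspicious loads by process and mark processes showing the full chain."""
    per_process = defaultdict(lambda: {"Image": None, "reasons": [], "dlls": set()})
    for ev in events:
        reasons = classify_image_load(ev)
        if not reasons:
            continue
        rec = per_process[ev["ProcessId"]]
        rec["Image"] = ev["Image"]
        rec["reasons"].extend(reasons)
        rec["dlls"].add(ntpath.basename(ev["ImageLoaded"]).lower())
    findings = []
    for pid, rec in per_process.items():
        findings.append({
            "ProcessId": pid,
            "Image": rec["Image"],
            # Both the side-loaded loader and the payload seen in one process.
            "full_chain": {"version.dll", "endpointdlp.dll"} <= rec["dlls"],
            "reasons": rec["reasons"],
        })
    return findings


# Constructed sample events: one process exhibiting the chain, two benign loads.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Update\version.dll", "Signed": "false"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Update\EndpointDlp.dll", "Signed": "false"},
    {"ProcessId": 2288, "Image": r"C:\Program Files\Contoso\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"ProcessId": 3316, "Image": r"C:\Program Files\Vendor\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The two-stage check matters for false-positive control: many legitimate applications load `version.dll`, but only from `System32`/`SysWOW64`, so the directory test alone separates the side-load from normal use, and the `full_chain` flag distinguishes a process that merely has an odd DLL next to it from one that has loaded both the loader and the `EndpointDlp.dll` payload described above.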
Once loaded, **Mistic** establishes communication with its command-and-control (C2) infrastructure, enabling it to receive commands from the operator. **Symantec** has identified the following capabilities:
* Upload, download, move, rename, and delete files, as well as create folders.
* Modify the frequency at which **Mistic** checks for commands from the C2 server.
* Execute code received from the C2 directly in memory.
* Terminate itself and delete associated files from the host.
**Symantec**'s analysis emphasizes **Mistic**'s design for stealth, allowing attackers to maintain a persistent foothold within compromised networks for extended periods.
"The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access," the researchers stated.
### Initial Access and Advanced Capabilities
While **Symantec** did not detail the initial infection vector for **Mistic**, **KongTuke** has a history of using **ClickFix** and its variants, **FileFix** and **CrashFix**, since early 2025 to deliver **ModeloRAT**.
In a recent technical report, cloud security company **Zscaler**, which tracks **Mistic** as **MTLBackdoor**, confirmed its delivery as a payload in a multi-stage **ClickFix** infection chain in May.
**Zscaler** researchers highlight a "powerful feature" of **MTLBackdoor**: its ability to load **Beacon Object Files (BOFs)** to expand its capabilities. **BOFs** are small C programs that execute directly in the memory of a C2 process, leaving no disk footprint and thus evading detection by security agents. This technique is commonly employed in red team tools like **Cobalt Strike** for post-exploitation activities.
**Symantec** believes that **Mistic** underscores the growing trend of custom tooling in ransomware attacks, even though this particular backdoor appears to have been developed by an initial access broker with strong ties to the ransomware ecosystem rather than by a ransomware group itself.
**KongTuke** is known for leveraging a diverse array of tools, including legitimate runtimes like **WinPython** and **Node.js** for malicious code execution, `finger.exe` to retrieve obfuscated payloads, the fake **NexShield** browser extension, the encrypted **GateKeeper** .NET payload, and malware loaders such as **MintsLoader** and **D3F@ck Loader** to deliver additional payloads.
Both **Zscaler** and **Symantec** have provided indicators of compromise for the **Mistic**/**MTLBackdoor** malware, underscoring its stealthy nature and extensible functionality.