Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations.
Analysis Summary
# Tool/Technique: Backdoor.Mistic (aka MLTBackdoor)
## Overview
Backdoor.Mistic is a stealthy, custom backdoor first observed in April 2026. It is primarily used by initial access brokers (IABs) to establish persistent, low-visibility access to corporate networks before that access is sold on to ransomware affiliates. It is distinguished by executing its payloads entirely in memory and by relying on a legitimate, signed binary to side-load its loader DLL, which keeps the malicious component off the usual detection paths.
## Technical Details
- **Type:** Malware family (Backdoor)
- **Platform:** Windows
- **Capabilities:** Remote code execution (in-memory), file manipulation, persistence, and self-termination.
- **First Seen:** April 2026
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1189 - Drive-by Compromise (Inferred from IAB distribution)
- **TA0003 - Persistence / TA0004 - Privilege Escalation**
- T1574.002 - Hijack Execution Flow: DLL Side-Loading
- **TA0005 - Defense Evasion**
- T1218.007 - System Binary Proxy Execution: Msiexec (payload delivered as an MSI package such as `aeff97fe.msi`)
- T1620 - Reflective Code Loading (payloads executed in memory; T1055 Process Injection applies only where injection into a separate process is observed)
- T1036.005 - Masquerading: Match Legitimate Name or Location (Microsoft security product file names such as `EndpointDlp.dll`)
- T1070.004 - Indicator Removal: File Deletion (kill switch removes the backdoor's own components)
- T1112 - Modify Registry
- **TA0006 - Credential Access**
- T1056.002 - Input Capture: GUI Input Capture (fake .NET login screens that capture credentials typed by the user)
- **TA0011 - Command and Control**
- T1105 - Ingress Tool Transfer
## Functionality
### Core Capabilities
- **File System Interaction:** Upload, download, move, rename, and delete files; directory creation.
- **C2 Communication:** Adjustable polling frequency for checking commands.
- **Persistence:** The loader DLL (`version.dll`) is placed alongside a legitimate, signed binary such as `MpExtMs.exe`, which side-loads it every time it is executed.
### Advanced Features
- **Fileless Execution:** Capable of running payloads directly in memory without writing files to the disk, significantly reducing the forensic footprint.
- **Kill Switch:** Includes a built-in command to terminate its process and delete its own components from the host.
- **Masquerading:** Uses filenames associated with Microsoft security products (e.g., `EndpointDlp.dll`) to blend into legitimate system activity.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984` (endpointdlp.dll)
- `59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712` (version.dll - Loader)
- `3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be` (aeff97fe.msi)
- `34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc` (f.dll - Fake login)
- **File Names:**
- `EndpointDlp.dll`
- `version.dll`
- `MpExtMs.exe` (Legitimate binary used for side-loading)
- **Network Indicators:**
- 142.93.242[.]144
- authorized-logins[.]net
- defs.updater-worelos[.]com
- upscale-kolo[.]com
- thomphon[.]com/update.msi
- **Behavioral Indicators:**
- Hooking of `GetModuleFileNameW` and `LoadLibraryW`.
- Deployment of fake .NET credential-stealing login screens.
## Associated Threat Actors
- **Woodgnat (aka KongTuke):** An Initial Access Broker known for feeding ransomware operations including **Qilin**, **Akira**, **Black Basta**, **Rhysida**, and **8Base**.
## Detection Methods
- **Signature-based:** Alert on the SHA256 hashes listed above for `EndpointDlp.dll`, `version.dll` and the MSI installers. Hash matching only catches samples that are already known, so pair it with the behavioral checks.
- **Behavioral:** Monitor legitimate signed binaries such as `MpExtMs.exe` loading `version.dll` or other DLLs from their own, non-system directory (especially user-writable paths), and any `version.dll` loaded from outside `System32`/`SysWOW64`. Hooks on `GetModuleFileNameW` and `LoadLibraryW` in such a process are a further sign of the loader.
- **Memory Scanning:** Since the payloads execute only in memory, the on-disk loader may look innocuous; volatile memory analysis of the side-loading host process is the most reliable way to identify the injected code.
## Mitigation Strategies
- **DLL Sideloading Protection:** Enforce code integrity policies (e.g., Windows Defender Application Control) that cover user-mode DLLs, so a `version.dll` dropped next to a trusted, signed host such as `MpExtMs.exe` is blocked even though the host itself is allowed to run.
- **Endpoint Hardening:** Enable the Attack Surface Reduction (ASR) rules that apply here, such as blocking executable files (including DLLs) that do not meet prevalence, age, or trusted-list criteria. ASR has no generic rule against process injection, and the fake login screens capture credentials typed by the user rather than reading LSASS, so the LSASS credential-theft rule does not cover them.
- **Monitoring:** Track the use of administrative tools such as `certutil`, `wmic`, and `powershell` by non-administrative users. The report does not tie these to Mistic itself; they are common follow-on tooling once an IAB hands access to a ransomware affiliate.
## Related Tools/Techniques
- **ModeloRAT:** A Python-based RAT often deployed alongside Mistic by Woodgnat.
- **Node.js activity:** The same infrastructure has also been observed in use with Node.js-based tooling.
- **MLTBackdoor:** The name used by Zscaler to track this same threat.