www.security.com
New Mistic Backdoor Linked to Ransomware Access Broker Activity
A new backdoor known as Mistic has been identified in cyberattacks targeting various sectors since April 2026. It is associated with the initial access broker KongTuke, also known as Woodgnat, which sells access to ransomware groups such as Qilin and Interlock. Mistic is delivered through DLL sideloading: a legitimate Microsoft Defender executable (MpExtMs.exe) is used to load a malicious DLL (EndpointDlp.dll) directly into memory, avoiding detection. The backdoor supports standard backdoor functionality such as file manipulation and execution of remotely supplied payloads, without leaving traces on disk. The attacks have affected organizations in insurance, education, IT, and professional services. Symantec's Threat Hunter Team has observed Mistic deployed alongside ModeloRAT, which increases the stealth and persistence of these operations. The malware's design emphasizes long-term access, with features including a kill switch for self-deletion.
Key Points:
• Mistic backdoor linked to ransomware broker KongTuke has been active since April 2026.
• The malware is delivered via DLL sideloading using legitimate Microsoft Defender executables.
• Mistic supports stealthy operations, executing payloads in memory without leaving traces on disk.
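The sideloading pattern described above (a signed Defender executable loading a DLL of the expected name from wherever it happens to sit) is visible in image-load telemetry. The following added detection example is not from the Symantec write-up; it runs a simple heuristic over constructed log lines and flags the MpExtMs.exe / EndpointDlp.dll pair whenever either file is outside the Defender install tree. The trusted directories, the log line format, the timestamps and the version folder are assumptions made for this example.

```python
"""
Added detection example: flag DLL sideloading of a trusted Defender binary.

A hijacked copy of a signed executable stands out in image-load telemetry
when the host binary, or the DLL it loads, sits outside the vendor's
install tree. The trusted directories and log format below are assumptions
for this example, not values from the write-up.
"""
import ntpath
import re
from dataclasses import dataclass

# Directories Defender normally runs from (assumption: adjust per environment).
TRUSTED_DEFENDER_DIRS = (
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
    "c:\\program files\\windows defender\\",
)

# Host executable -> DLL names it is reported to be abused to sideload (from the write-up).
WATCHED_PAIRS = {"mpextms.exe": {"endpointdlp.dll"}}

# Constructed log format: "<timestamp> ImageLoaded host=<path> dll=<path>".
LINE_RE = re.compile(r"^(?P<ts>\S+) ImageLoaded host=(?P<host>.+?) dll=(?P<dll>.+)$")


@dataclass
class ImageLoadEvent:
    timestamp: str
    host_image: str    # process that performed the load
    loaded_image: str  # DLL that was mapped


def parse_line(line):
    """Parse one constructed telemetry line; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ImageLoadEvent(m["ts"], m["host"], m["dll"])


def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DEFENDER_DIRS)


def classify(event):
    """Return 'ignore', 'benign' or 'suspicious' for one image-load event."""
    host = ntpath.basename(event.host_image).lower()
    dll = ntpath.basename(event.loaded_image).lower()
    if dll not in WATCHED_PAIRS.get(host, ()):
        return "ignore"
    # Watched DLL loaded by the Defender binary from inside its own install
    # tree: the expected, legitimate case.
    if _in_trusted_dir(event.host_image) and _in_trusted_dir(event.loaded_image):
        return "benign"
    # The signed host was copied elsewhere, or the DLL comes from a
    # non-vendor directory: the sideloading pattern described in the write-up.
    return "suspicious"


def scan(lines):
    """Map timestamp -> verdict for every parseable line, skipping 'ignore' verdicts."""
    verdicts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        verdict = classify(ev)
        if verdict != "ignore":
            verdicts[ev.timestamp] = verdict
    return verdicts


# Constructed sample telemetry (paths, timestamps and version folder are invented).
SAMPLE_LOG = r"""
2026-04-10T08:12:03Z ImageLoaded host=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\MpExtMs.exe dll=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0\EndpointDlp.dll
2026-04-10T08:15:44Z ImageLoaded host=C:\Users\Public\Music\MpExtMs.exe dll=C:\Users\Public\Music\EndpointDlp.dll
2026-04-10T08:16:01Z ImageLoaded host=C:\Windows\explorer.exe dll=C:\Windows\System32\shell32.dll
"""

if __name__ == "__main__":
    for ts, verdict in scan(SAMPLE_LOG.splitlines()).items():
        print(ts, verdict)
```

The heuristic deliberately keys on location rather than file hash, since the sideloaded DLL can be rebuilt at will while the host binary has to keep its legitimate name to be a useful decoy; in production the same check would be fed from Sysmon event ID 7 or an EDR image-load stream, and signature validation of the DLL would be a natural second stage.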