www.security.com
Emergence of Mistic Backdoor Linked to Ransomware Access Broker KongTuke
The Mistic backdoor has been identified as a new threat in cybercrime campaigns since April 2026, targeting sectors such as insurance, education, and IT. It is linked to the initial access broker KongTuke, which sells network access to ransomware groups such as Qilin and Black Basta. Mistic is often deployed alongside ModeloRAT and is delivered through social engineering or multi-stage infection chains, including DLL sideloading via legitimate executables such as MpExtMs.exe. The backdoor lets attackers execute remote payloads in memory, which improves stealth and persistence. Symantec researchers have observed it deployed in a range of organizations and emphasize its stealthy nature and long-term access capabilities. Its design includes a kill switch and the ability to load Beacon Object Files (BOFs), which helps it evade detection. Investigations are ongoing to assess the full scope of its impact.
Key Points:
• Mistic backdoor linked to KongTuke has been active since April 2026.
• Targets include insurance, education, and IT sectors, using social engineering for delivery.
• Features include memory execution and a kill switch for stealthy long-term access.
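A defender-side check for the DLL sideloading pattern described above, added here as an example and not tooling from Symantec or this site: it scans Sysmon Event ID 7 (image load) records exported as JSON lines and flags any DLL that MpExtMs.exe loads which is unsigned or sits outside an assumed set of trusted directories. The field names follow Sysmon's Event ID 7 schema; the trusted-directory list, the sample records and the placeholder DLL name are assumptions, since the article does not name the sideloaded DLL.

```python
import json
from pathlib import PureWindowsPath
# Added example: detect the sideloading pattern the article describes, where
# a legitimate executable (MpExtMs.exe) loads a DLL planted beside it.
# Assumes Sysmon Event ID 7 records exported as JSON lines with the standard
# fields Image, ImageLoaded, Signed and SignatureStatus.
WATCHED_EXES = {"mpextms.exe"}  # executable named in the article
TRUSTED_DLL_DIRS = (  # assumption: where a legitimately loaded DLL belongs
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

def is_suspicious_load(event: dict) -> bool:
    """True when a watched executable loads a DLL that is unsigned, lacks a
    valid signature, or lives outside the trusted directories."""
    exe = PureWindowsPath(event.get("Image", "")).name.lower()
    if exe not in WATCHED_EXES:
        return False
    dll = event.get("ImageLoaded", "").lower()
    signed_ok = (event.get("Signed", "false").lower() == "true"
                 and event.get("SignatureStatus", "").lower() == "valid")
    in_trusted_dir = any(dll.startswith(d + "\\") for d in TRUSTED_DLL_DIRS)
    return not (signed_ok and in_trusted_dir)

def scan_jsonl(text: str) -> list:
    """Return the ImageLoaded path of every suspicious event in a JSONL export."""
    hits = []
    for line in filter(str.strip, text.splitlines()):
        event = json.loads(line)
        if is_suspicious_load(event):
            hits.append(event["ImageLoaded"])
    return hits

# Constructed sample telemetry (not real events): a benign System32 load, a
# planted DLL loaded from the user's Temp directory, and an unrelated process.
TMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "Image": TMP + "MpExtMs.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": TMP + "MpExtMs.exe", "ImageLoaded": TMP + "PLACEHOLDER_sideloaded.dll",
     "Signed": "false", "SignatureStatus": "Unsigned"},
    {"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": TMP + "PLACEHOLDER_sideloaded.dll",
     "Signed": "false", "SignatureStatus": "Unsigned"},
])

if __name__ == "__main__":
    print(*scan_jsonl(SAMPLE_EVENTS), sep="\n")
```

Only the watched executable's loads are considered, so the same planted DLL loaded by explorer.exe in the sample is deliberately not reported; widen WATCHED_EXES to cover other sideload-prone binaries in your environment.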