Inside Mistic, the New Stealth Backdoor in Ransomware Intrusions

Pierluigi Paganini
June 25, 2026

Mistic is a stealthy backdoor used by KongTuke-linked actors to keep long-term access in ransomware-targeted networks.

Mistic is the kind of backdoor that tells you the operator wants time, not noise. Symantec security researchers say it has shown up in financially motivated attacks against insurance, education, IT, and professional services firms, and they link it to KongTuke, also known as Woodgnat, an access broker active since at least 2024. That group has a clear business model: break in, hold the door open, and sell that access to ransomware crews like Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

The infection path looks built for camouflage. In the cases Symantec analyzed, the attack started when the legitimate MpExtMs.exe process loaded a malicious DLL named version.dll, which then dropped the Mistic loader, EndpointDlp.dll. That filename echoes Microsoft endpoint-security components, which is presumably the point: a DLL with a system-sounding name loaded by a legitimate Microsoft executable draws less scrutiny than a random binary in a temp folder. The tell for defenders is the location, not the name: a legitimate EXE pulling version.dll or EndpointDlp.dll from the directory it was staged in, rather than from System32, is the side-loading pattern. A separate .NET DLL also showed a fake login screen to steal credentials, because apparently criminals still enjoy borrowing your own trust against you.

“Mistic was side-loaded through MpExtMs.exe, a legitimate file, and loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software.” reads the report published by Symantec. “The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access.”

Symantec says Mistic has been used since April, and in at least one case it arrived right after ModeloRAT, another KongTuke-linked backdoor that has spread through Microsoft Teams social engineering. That sort of sequencing is not subtle, but it works often enough that people keep doing it.

Once loaded, Mistic connects to its command-and-control server and waits for instructions. It can upload, download, move, rename, delete files, create folders, change how often it checks in, run code directly in memory, and remove itself from the host. That’s a decent toolbox for a backdoor that’s trying not to look like one.

Zscaler, which first analyzed the backdoor and tracks it as MLTBackdoor, says it was delivered in a multi-stage ClickFix chain in May.

“A relatively new backdoor that we have called Backdoor.Mistic has been deployed in multiple attacks since April 2026. The backdoor was first documented by Zscaler (which tracks it as MLTBackdoor) earlier this month.” continues the report. “Mistic may be linked to the financially motivated initial access broker (IAB) tracked publicly as KongTuke (which we track as Woodgnat) and it was used in one intrusion that also involved the group’s ModeloRAT remote access trojan.”

In the intrusion Symantec describes, DLL side-loading through a legitimate Microsoft executable delivered both the backdoor and a credential-stealing component that displayed a fake login screen. From there the operators worked with what was already on the box: PowerShell, Curl, Certutil, WMIC, Net.exe and Reg.exe for reconnaissance, persistence, credential theft and lateral movement. That is the classic living-off-the-land pattern, and it is why Mistic's in-memory execution and self-deletion matter so much: the custom component leaves little on disk, and the rest of the activity rides on tools that are present on every Windows host.
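As an added illustration (this is not code from Symantec, Zscaler or the malware's authors), the Python sketch below turns the two observations above into hunting logic over Sysmon-style telemetry: an image-load check for the side-loading pattern in the infection-chain paragraph, and a process-creation check for the burst of built-in tools listed here. The JSON field names follow Sysmon Event IDs 7 (Image Loaded) and 1 (Process Create). The staging path under C:\Users\Public\Libraries, the process IDs and the burst threshold of three are assumptions made for the sample, and the sample events are constructed, not captured telemetry.

```python
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: the only directories where version.dll is expected to load from.
# WinSxS and per-application copies exist, so treat hits as leads, not verdicts.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# DLL names from the intrusion described on the page. version.dll is also a
# generic side-load target, so any copy outside SYSTEM_DIRS is worth a look.
WATCHED_DLLS = {"version.dll", "endpointdlp.dll"}

# The living-off-the-land binaries the page lists for the post-compromise phase.
LOLBINS = {"powershell.exe", "curl.exe", "certutil.exe", "wmic.exe", "net.exe", "reg.exe"}


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def sideload_reason(ev: dict):
    """Return a one-line finding for a Sysmon Event 7 (Image Loaded) record that
    matches the side-loading pattern, or None if the record is uninteresting."""
    if ev.get("EventID") != 7:
        return None
    dll = _name(ev["ImageLoaded"])
    if dll not in WATCHED_DLLS:
        return None
    dll_dir = _dir(ev["ImageLoaded"])
    if dll_dir in SYSTEM_DIRS:
        return None  # the legitimate copy; nothing to see
    # The classic tell: the DLL sits next to the EXE that loaded it.
    where = "the host process directory" if dll_dir == _dir(ev["Image"]) else "a non-system directory"
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    return (f"{_name(ev['Image'])} (pid {ev['ProcessId']}) loaded {dll} from {where}"
            + (", unsigned" if unsigned else ""))


def lolbin_bursts(events, threshold: int = 3) -> dict:
    """Group Sysmon Event 1 (Process Create) records by parent and return the
    parents that spawned at least `threshold` distinct LOLBins, keyed by parent pid.
    The threshold is an assumption chosen for the sample; tune it to the estate."""
    spawned = defaultdict(set)
    parent_name = {}
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        child = _name(ev["Image"])
        if child in LOLBINS:
            ppid = ev["ParentProcessId"]
            spawned[ppid].add(child)
            parent_name[ppid] = _name(ev["ParentImage"])
    return {ppid: (parent_name[ppid], sorted(kids))
            for ppid, kids in spawned.items() if len(kids) >= threshold}


def hunt(lines) -> dict:
    """Run both checks over newline-delimited JSON records (one Sysmon event per line)."""
    events = [json.loads(line) for line in lines]
    return {
        "sideloads": [r for r in map(sideload_reason, events) if r],
        "lolbin_bursts": lolbin_bursts(events),
    }


# Constructed sample telemetry. File locations are invented for the exercise;
# the page does not say where the operators staged MpExtMs.exe.
SAMPLE_LINES = [
    # benign: explorer.exe picks up the real version.dll
    r'{"EventID": 7, "ProcessId": 4100, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}',
    # side-load: the staged EXE loads a version.dll sitting beside it
    r'{"EventID": 7, "ProcessId": 5212, "Image": "C:\\Users\\Public\\Libraries\\MpExtMs.exe", "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll", "Signed": "false"}',
    # second stage from the same process
    r'{"EventID": 7, "ProcessId": 5212, "Image": "C:\\Users\\Public\\Libraries\\MpExtMs.exe", "ImageLoaded": "C:\\Users\\Public\\Libraries\\EndpointDlp.dll", "Signed": "false"}',
    # recon burst from the compromised process
    r'{"EventID": 1, "ProcessId": 5300, "Image": "C:\\Windows\\System32\\certutil.exe", "ParentProcessId": 5212, "ParentImage": "C:\\Users\\Public\\Libraries\\MpExtMs.exe"}',
    r'{"EventID": 1, "ProcessId": 5304, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "ParentProcessId": 5212, "ParentImage": "C:\\Users\\Public\\Libraries\\MpExtMs.exe"}',
    r'{"EventID": 1, "ProcessId": 5310, "Image": "C:\\Windows\\System32\\net.exe", "ParentProcessId": 5212, "ParentImage": "C:\\Users\\Public\\Libraries\\MpExtMs.exe"}',
    r'{"EventID": 1, "ProcessId": 5316, "Image": "C:\\Windows\\System32\\reg.exe", "ParentProcessId": 5212, "ParentImage": "C:\\Users\\Public\\Libraries\\MpExtMs.exe"}',
    # benign: an admin opens one PowerShell from explorer
    r'{"EventID": 1, "ProcessId": 6000, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentProcessId": 4100, "ParentImage": "C:\\Windows\\explorer.exe"}',
]

if __name__ == "__main__":
    for section, findings in hunt(SAMPLE_LINES).items():
        print(section, findings)
```

Treat a hit as a lead rather than a verdict: version.dll legitimately ships in WinSxS and in some vendor application folders, so the triage step is to check whether the hosting EXE is a genuine Microsoft binary that has been copied out of its normal location into a user-writable directory, which is the shape of the chain described above. The LOLBin check deliberately keys on the parent process, because the individual children (net.exe, reg.exe) are too common to alert on by themselves.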

“The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term, stealthy access for attackers.” continues the report.

KongTuke has also been seen using a wider kit, including WinPython, Node.js, finger.exe, a fake NexShield browser extension, the encrypted GateKeeper .NET payload, and loaders like MintsLoader and D3F@ck Loader. That mix matters because it shows an operator who values flexibility and wants to swap delivery methods fast. In other words, they’re not married to one trick, which is usually a bad sign for the people on the receiving end.

The growing use of custom malware in ransomware operations marks a shift from traditional reliance on legitimate system tools. Backdoor.Mistic appears to fit this trend and is likely developed by access brokers linked to ransomware affiliates rather than a ransomware gang itself. Its stealth features, along with Woodgnat’s suspected role in developing ModeloRAT, highlight a highly skilled group that could expand both its toolset and criminal partnerships.

“The stealth of the backdoor is also notable, as is the fact that Woodgnat is also possibly behind the development of ModeloRAT, indicating a group that is quite highly skilled at the development of stealthy remote access tools.” concludes the report. “This indicates it is a group that should be actively tracked as it could continue to develop custom tools, as well as widen the pool of ransomware actors it works with.”

(SecurityAffairs – hacking, ransomware)