- A new backdoor named Mistic has been deployed in financially motivated attacks across insurance, education, IT, and professional services since April 2026.
- The backdoor is linked to the initial access broker KongTuke and is distributed via ClickFix campaigns, often alongside the ModeloRAT remote access trojan.
- Mistic is designed for stealth, executing payloads directly in memory with a self-deletion feature to avoid detection and maintain long-term access.
- Targeting appears opportunistic, with attackers potentially assessing which compromised organizations to sell access to, and the campaign has been linked to subsequent Qilin ransomware deployment.
Cybersecurity researchers have uncovered a stealthy new backdoor called Mistic being used in suspected financially motivated attacks against organizations in insurance, education, IT, and professional services since April 2026. The malware, also tracked as MLTBackdoor, is linked to the initial access broker KongTuke and was dropped alongside the Python-based ModeloRAT, according to a report from Broadcom’s cybersecurity teams shared with The Hacker News.
The attackers primarily used malicious ClickFix campaigns, which trick users into running commands after a browser crash, to deliver their payload. Zscaler ThreatLabz highlighted this delivery method earlier in June 2026, attributing it to a ransomware-related threat actor.
The backdoor employs advanced techniques like DLL side-loading through a trusted Microsoft security tool to avoid raising alarms. It runs entirely in memory, giving it the ability to upload and download files, execute remote code, and load Beacon Object Files to extend its functionality.
“The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access,” the researchers noted. The targeting appears opportunistic, with the attackers casting a wide net to later sell access, Symantec and Carbon Black said, adding that ModeloRAT has been seen in attacks that deployed Qilin ransomware.
Meanwhile, the KongTuke group has evolved its tactics, recently using a fake IT Support account to send malicious Microsoft Teams messages. “The use of custom tools in ransomware attacks is becoming a more common phenomenon,” Broadcom stated, suggesting Mistic continues this trend, likely developed by access brokers for ransomware affiliates.
