New 'Mistic' Backdoor Used by Ransomware Access Broker KongTuke for Stealthy Infiltration

Stealthy 'Mistic' Backdoor Linked to Ransomware IAB KongTuke in Pre-Attack Campaigns

HIGH
June 25, 2026
6m read
Malware, Threat Actor, Ransomware

Related Entities

Threat Actors

KongTuke

Organizations

Symantec Carbon Black

Other

Mistic, ModeloRAT, Qilin, Akira, Black Basta, Rhysida

Full Report

Executive Summary

Security researchers from Broadcom's Symantec and Carbon Black have uncovered a new, stealthy Windows backdoor dubbed "Mistic" (also known as MLTBackdoor). The malware has been deployed in targeted attacks against organizations in the insurance, education, and IT sectors since at least April 2026. The campaign is attributed with low-to-moderate confidence to KongTuke (also tracked as Woodgnat), a prolific initial access broker (IAB). This threat actor specializes in compromising corporate networks, establishing persistent access using custom tools like Mistic, and then selling that access to the highest bidder on the cybercrime marketplace. The buyers are often affiliates of major ransomware gangs, including Qilin, Akira, and Black Basta. The discovery of Mistic highlights the increasing specialization and professionalism within the ransomware ecosystem.


Threat Overview

KongTuke operates as a crucial link in the ransomware supply chain. Their business model is to gain and maintain access, not to deploy the ransomware themselves. The Mistic backdoor is a key tool in this operation.

  • Threat Actor: KongTuke (Woodgnat) is an IAB that acts as a force multiplier for ransomware groups, providing them with pre-compromised networks.
  • Malware: Mistic is a custom backdoor designed for stealth and long-term persistence. In at least one observed incident, it was deployed alongside another KongTuke tool, ModeloRAT.
  • Attack Chain: The typical infection chain for Mistic involves DLL side-loading. A legitimate, signed executable (e.g., MpExtMs.exe, a Microsoft binary) is placed in a directory alongside a malicious DLL named to appear legitimate (e.g., EndpointDlp.dll). When the executable is run, it loads the malicious DLL, which contains the Mistic backdoor.
  • Objectives: The primary goal of a Mistic deployment is not immediate damage but to establish a quiet, stable foothold. This allows KongTuke to maintain access over weeks or months until a suitable buyer (a ransomware affiliate) is found.

Technical Analysis

The Mistic backdoor employs several techniques to evade detection and analysis.

  • Initial Execution: The use of DLL side-loading is a classic defense evasion technique, T1574.002 - Hijack Execution Flow: DLL Side-Loading. By using a legitimate, signed executable to load the malware, it can bypass simple application allowlisting and reputation-based security controls.
  • Masquerading: The malicious DLL is named EndpointDlp.dll to masquerade as a component of Microsoft's endpoint security suite, a form of T1036.005 - Masquerading: Match Legitimate Name or Location.
  • In-Memory Operation: The backdoor primarily operates in memory, avoiding writing its core components or payloads to disk. This makes file-based scanning ineffective and complicates forensic analysis.
  • Defense Evasion: Mistic includes a kill switch that allows it to delete itself from the compromised system, further hindering investigation. This aligns with T1070.004 - Indicator Removal: File Deletion.
  • Command and Control: The backdoor communicates with its C2 server over standard web protocols (T1071.001 - Application Layer Protocol: Web Protocols) to receive commands and exfiltrate data, blending in with normal network traffic.

Impact Assessment

The direct impact of the Mistic backdoor itself is limited to reconnaissance and maintaining access. However, its role as a precursor to ransomware makes it an extremely high-threat indicator.

  • Inevitable Ransomware Attack: A Mistic infection should be considered a clear and present danger of an impending, enterprise-wide ransomware attack. The clock is ticking from the moment of infection until KongTuke sells the access.
  • Data Theft: Before selling access, IABs like KongTuke often perform their own reconnaissance and may steal valuable data to sell separately or as part of the access package.
  • High Remediation Cost: Eradicating a stealthy backdoor like Mistic can be difficult. Because it provides a persistent entry point, simply cleaning a ransomware infection is not enough; the original backdoor must be found and removed to prevent re-infection.
  • Business Disruption: The ultimate impact is the catastrophic business disruption, financial loss, and reputational damage caused by the eventual ransomware attack from groups like Qilin or Akira.

The presence of an IAB's tool like Mistic on a network is akin to finding a burglar has already picked your locks and is just waiting for the right time to enter.


Cyber Observables — Hunting Hints

Security teams can hunt for signs of Mistic and KongTuke activity:

  • file_name: EndpointDlp.dll. The specific name of the malicious DLL used in the side-loading attack. Hunt for this file outside of its legitimate Microsoft directory.
  • process_name: MpExtMs.exe. The legitimate Microsoft executable abused for side-loading. Its execution from an unusual directory (e.g., C:\ProgramData\) is highly suspicious.
  • registry_key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Monitor for new persistence entries pointing to the abused executable (MpExtMs.exe).
  • command_line_pattern: regsvr32 /s /n /i:<url> scrobj.dll. KongTuke has been known to use this command to execute remote scripts, a technique associated with Squiblydoo.

Detection & Response

  • Behavioral Monitoring: The key to detecting this threat is behavioral analysis. Deploy an EDR solution to detect the DLL side-loading pattern: a known, signed executable loading a DLL from the same, non-standard directory. (D3FEND: D3-PA - Process Analysis)
  • Threat Intelligence: Ingest IOCs and threat intelligence related to KongTuke/Woodgnat into your SIEM and EDR. This includes known C2 domains, IP addresses, and file hashes for their tools.
  • Memory Analysis: Since Mistic operates in memory, periodic memory analysis or memory-scanning EDR capabilities may be required to detect the backdoor's presence on a running system.
  • Incident Response: If Mistic is detected, it must be treated as a critical incident and an active breach. The priority is to eradicate the backdoor, identify and close the initial access vector, and hunt for any other tools or persistence mechanisms the IAB may have deployed. All credentials on the compromised host and for the user account must be considered compromised.

Mitigation

  1. Application Control: Implement application control policies that can prevent DLL side-loading. For example, a policy could prevent a specific process like MpExtMs.exe from loading DLLs that are not in the protected System32 directory. (D3FEND: D3-EAL - Executable Allowlisting)
  2. Attack Surface Reduction: Harden endpoints by disabling or restricting commonly abused scripting languages and legacy features. Follow principles of least privilege for user accounts to limit an attacker's ability to move laterally after an initial compromise.
  3. Endpoint Detection and Response (EDR): A modern EDR solution is essential for detecting the behavioral indicators of a stealthy backdoor like Mistic. Signature-based AV is unlikely to be effective.
  4. Proactive Threat Hunting: Do not wait for alerts. Actively hunt for IAB TTPs in your environment, such as unusual persistence mechanisms, suspicious process chains, and connections to newly registered domains.

Timeline of Events

  1. April 1, 2026: First observed use of the Mistic backdoor in the wild.
  2. June 24, 2026: Symantec and Carbon Black publish research on the Mistic backdoor and its link to KongTuke.
  3. June 25, 2026: This article was published.

MITRE ATT&CK Mitigations

Implementing rules to prevent processes from loading DLLs from non-standard directories can defeat side-loading attacks.

Using an EDR to monitor for suspicious process behaviors, like side-loading, is key to detecting stealthy threats.

Application allowlisting can prevent the execution of the initial dropper or the abused legitimate executable from an unauthorized location.

D3FEND Defensive Countermeasures

To detect the Mistic backdoor's core DLL side-loading technique, organizations must leverage an EDR solution with advanced process analysis capabilities. The key detection logic is to monitor for a legitimate, signed Microsoft executable (like MpExtMs.exe) being executed from an unusual file path (e.g., C:\ProgramData\, C:\Users\Public\) and subsequently loading a DLL from that same unusual path, rather than from a trusted system directory like C:\Windows\System32. This behavioral anomaly is a very high-fidelity indicator of a side-loading attack. The EDR rule should generate a high-priority alert, as this TTP is almost always malicious and is a hallmark of sophisticated actors like KongTuke.

A powerful preventative control against Mistic is application allowlisting, specifically rules that govern library loading. Using a tool like Windows Defender Application Control (WDAC), administrators can create rules that specify which DLLs a process is allowed to load. A more targeted approach is to create a rule that prevents a known-good process like MpExtMs.exe from loading any DLLs that are not signed by Microsoft or are not located in a protected system directory. This effectively breaks the side-loading attack chain, as the operating system will block the legitimate process from loading the malicious EndpointDlp.dll, preventing the backdoor from ever being activated.

Since Mistic is a tool used by an Initial Access Broker, its presence implies that the attacker's goal is to establish persistence. Security teams should proactively hunt for common persistence mechanisms used by KongTuke and other IABs. This includes continuously monitoring registry run keys (HKCU\...\Run, HKLM\...\Run), scheduled tasks, and new services for any suspicious entries. For this specific campaign, a hunt query should look for any persistence mechanism that points to MpExtMs.exe running from a non-standard directory. Automating this check with a tool like Autoruns and comparing snapshots over time can quickly reveal newly established persistence, which is often the first solid indicator of a successful compromise by a stealthy backdoor.
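The side-loading detection logic and the Run-key persistence hunt described in the paragraphs above, as an added example in Python (not code from the report, Symantec or Carbon Black). It assumes Sysmon-style event fields (EventID, Image, ImageLoaded, TargetObject, Details), a constructed list of trusted directories, and constructed sample events:

```python
# Added example, not code from the Symantec/Carbon Black report: a hunt over
# constructed Sysmon-style events implementing two checks the text describes.
# Rule 1 (EID 7 ImageLoad): the abused host binary runs from an untrusted dir
# and loads a DLL from that same dir. Rule 2 (EID 13 RegistryEvent): a Run-key
# value points at the host binary outside a trusted dir. TRUSTED_DIRS is assumed.
from pathlib import PureWindowsPath

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
HOST_BINARY = "mpextms.exe"  # the signed Microsoft binary the report says is abused
def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower() + "\\"
def in_trusted_dir(path):
    return parent_dir(path).startswith(TRUSTED_DIRS)

def suspicious_sideload(ev):
    if ev.get("EventID") != 7:
        return False
    image, loaded = ev["Image"], ev["ImageLoaded"]
    if PureWindowsPath(image).name.lower() != HOST_BINARY:
        return False
    # both must hold: host binary outside trusted dirs AND DLL loaded from its own dir
    return not in_trusted_dir(image) and parent_dir(loaded) == parent_dir(image)

def suspicious_run_key(ev):
    if ev.get("EventID") != 13 or "\\currentversion\\run\\" not in ev["TargetObject"].lower():
        return False
    details = ev.get("Details", "").lower()  # Sysmon puts the value data in Details
    idx = details.find(HOST_BINARY)
    if idx < 0:
        return False
    exe = details[:idx + len(HOST_BINARY)].lstrip('"')  # value data may be quoted
    return not in_trusted_dir(exe)
def hunt(events):
    hits = []  # (rule name, event index) for every event that matches a rule
    for i, ev in enumerate(events):
        if suspicious_sideload(ev):
            hits.append(("dll_sideload", i))
        if suspicious_run_key(ev):
            hits.append(("run_key_persistence", i))
    return hits

# Constructed sample events: 0 and 3 fire; 1 (trusted dir) and 2 (DLL from System32) do not.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Update\EndpointDlp.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\EndpointDlp.dll"},
    {"EventID": 7, "Image": r"C:\ProgramData\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 13, "Details": r'"C:\ProgramData\Update\MpExtMs.exe"',
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
]
```

Calling hunt(SAMPLE_EVENTS) returns [('dll_sideload', 0), ('run_key_persistence', 3)]; event 2 is deliberately left unflagged because the rule requires the DLL to come from the same untrusted directory as the host binary, which keeps ordinary system DLL loads from producing noise.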

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Mistic, KongTuke, Woodgnat, Backdoor, Malware, Ransomware, Initial Access Broker, DLL Side-Loading
