A newly discovered backdoor malware called MLTBackdoor is making waves in the cybersecurity community after being spotted in a carefully designed, multi-stage attack chain.
Identified in May 2026, this threat stands out for its advanced ability to hide from security tools while quietly establishing a deep foothold on infected machines.
The infection begins with something deceptively simple: a ClickFix lure hosted on an automotive-related web page. The moment a visitor copies, pastes, and runs the fake prompt, the full attack chain kicks into motion.
The victim unknowingly triggers a series of commands that downloads a compressed archive, decrypts a hidden payload, and ultimately installs the backdoor deep within their system.
Researchers at Zscaler ThreatLabz, who identified and analyzed the malware, noted that the threat is likely being used by a ransomware-related threat actor.
According to a report shared with Cyber Security News (CSN), Zscaler said the malware is specifically designed to help attackers gain a strong foothold before moving further across a victim’s network.
What makes MLTBackdoor especially dangerous is the sheer depth of effort put into hiding it. Around 95% of its code consists of unnecessary math operations designed purely to confuse analysts.
On top of that, the malware uses a technique called control flow flattening, which turns simple functions into a jumbled maze that is extremely hard to follow or reverse-engineer.
The malware also comes equipped with a domain generation algorithm, or DGA, that creates a fresh command-and-control domain every single day.
This means even if security teams manage to shut down one domain, the malware can silently switch to a new one and carry on without any interruption.
MLTBackdoor’s Multi-Stage ClickFix Infection Chain
The infection chain is a well-choreographed sequence that starts the moment a user interacts with the ClickFix prompt.
The command that runs in the background silently creates a folder, downloads a disguised archive from a DGA-generated domain, and then uses a legitimate Microsoft Defender file called mpextms.exe to sideload the actual backdoor.
This trick of hiding behind a trusted system file helps the malware slip past basic security tools.
Inside the downloaded archive are two files: data.bin and endpointdlp.dll. The DLL decrypts the RC4-encrypted data.bin file and unveils the second-stage payload, which is MLTBackdoor itself.
After installation, the malware performs a self-update and reuses the endpointdlp.dll filename, adding another layer of disguise on the infected machine.
Once active, MLTBackdoor communicates over port 443 using a custom encrypted binary protocol, disguising its traffic to look like routine system activity.
It uses a Microsoft-style user-agent string and a fixed API path to blend in, making it far harder for network monitoring tools to flag any connection as suspicious.
Evasion Techniques and Expanding Capabilities
MLTBackdoor runs a total of ten separate environment checks before it does anything meaningful. It scans for virtual machines, debuggers, specific analysis tools, and sandbox drivers.
It even checks whether the system RAM is below two gigabytes or the number of processors is just one. All these checks feed into a bitmask that gets quietly sent to the attacker’s server during the first check-in, giving the operator a full picture of the target environment.
Beyond hiding, the malware also comes with a functional set of built-in commands. It can download and upload files, list directories, and delete, rename, or create folders.
But its most powerful feature is a Beacon Object File loader that lets attackers push custom code modules directly into the malware’s memory. This means its capabilities can be expanded at any time without ever writing files to disk, making detection even harder.
Security teams are strongly advised to block all known indicators of compromise and monitor for unusual use of legitimate Microsoft binaries.
Organizations should keep threat detection rules updated for ClickFix-style social engineering attacks and watch for suspicious outbound connections on port 443 that carry uncommon user-agent strings, as these can be early signs of an active MLTBackdoor infection.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 | Stage one loader |
| SHA256 | 46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93 | Archive with stage one loader and encrypted MLTBackdoor |
| SHA256 | 9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66 | MLTBackdoor with domains and DGA |
| SHA256 | ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec | MLTBackdoor DGA only |
| SHA256 | 1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf | MLTBackdoor DGA only |
| SHA256 | 2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494 | MLTBackdoor domains only |
| SHA256 | d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b | MLTBackdoor update sideload archive |
| Domain | hrs2y15sungu[.]com | DGA domain also used in the distribution campaign |
| Domain | carrolc[.]com | MLTBackdoor C2 |
| Domain | cwrtwright[.]com | MLTBackdoor C2 |
| Domain | thomphon[.]com | MLTBackdoor C2 |
| URL | powwowski[.]com/payloads/update.zip | MLTBackdoor update URL |
| File Name | endpointdlp.dll | Malicious DLL used to decrypt and sideload MLTBackdoor |
| File Name | data.bin | RC4-encrypted MLTBackdoor second-stage payload |
| File Name | mpextms.exe | Legitimate Microsoft Defender binary abused for DLL sideloading |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
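As an added example for this article (not code from Zscaler or CSN), the script below shows how the defanged indicators in the table above can be loaded as published, refanged only in memory for comparison, and matched against constructed DNS and file-hash log lines; every match is reported in defanged form again. The log formats, host names and the non-malicious queries are constructed; the domains, URL and SHA256 values are copied from the table.

```python
"""Added example (not from the Zscaler report): refang the article's IoCs in
memory, match them against constructed log lines, report them defanged."""
import re

# Indicators copied from the article's IoC table, kept defanged as published.
IOC_DOMAINS = {
    "hrs2y15sungu[.]com": "DGA domain also used in the distribution campaign",
    "carrolc[.]com": "MLTBackdoor C2",
    "cwrtwright[.]com": "MLTBackdoor C2",
    "thomphon[.]com": "MLTBackdoor C2",
}
IOC_URLS = {"powwowski[.]com/payloads/update.zip": "MLTBackdoor update URL"}
IOC_SHA256 = {
    "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984": "Stage one loader",
    "46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93":
        "Archive with stage one loader and encrypted MLTBackdoor",
    "9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66":
        "MLTBackdoor with domains and DGA",
    "ced6b0f44410f6133ad63b61e04613a8b56cc3338d7b34497540e9541163e7ec": "MLTBackdoor DGA only",
    "1d09357b6a096fdc35cd5c873eed15665d6b3c879d20c8cf01e6bca0005512cf": "MLTBackdoor DGA only",
    "2cd88d5280a61714836f5f07a16df190911c5b952af2998dbbcda910b3b1c494": "MLTBackdoor domains only",
    "d34e4038c5c80728f9648ba84833f69bc1ccea82e2e8e748b7b7f02fb687b92b":
        "MLTBackdoor update sideload archive",
}

# Constructed sample log lines (not real telemetry). ws04 queries a host that
# merely contains a C2 name as a label and must not match.
DNS_LOG = [
    "ws01 query=login.microsoftonline.com",
    "ws02 query=carrolc.com",
    "ws02 query=powwowski.com",
    "ws04 query=carrolc.com.internal.example",
]
HASH_LOG = [
    "ws02 sha256=9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66",
    "ws05 sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

_DNS_RE = re.compile(r"^(?P<host>\S+) query=(?P<query>\S+)$")
_HASH_RE = re.compile(r"^(?P<host>\S+) sha256=(?P<sha256>[0-9a-fA-F]{64})$")


def refang(indicator):
    """Undo the [.] / hxxp defanging so the value can be compared to live data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def defang_host(hostname):
    """Defang a bare host name for safe display or reporting."""
    return hostname.replace(".", "[.]")


def _host_of(indicator):
    """Host part of a domain or URL indicator (scheme and path stripped)."""
    value = refang(indicator)
    value = re.sub(r"^[a-z]+://", "", value)
    return value.split("/", 1)[0].lower()


def _host_matches(query, ioc_host):
    """Exact host or a subdomain of it; never a longer name merely ending in it."""
    return query == ioc_host or query.endswith("." + ioc_host)


def match_iocs(dns_lines, hash_lines):
    """Return one record per matched line: host, defanged indicator, description."""
    host_iocs = {_host_of(i): d for i, d in {**IOC_DOMAINS, **IOC_URLS}.items()}
    hits = []
    for line in dns_lines:
        m = _DNS_RE.match(line)
        if not m:
            continue
        query = m["query"].lower().rstrip(".")
        for ioc_host, desc in host_iocs.items():
            if _host_matches(query, ioc_host):
                hits.append({"host": m["host"], "indicator": defang_host(ioc_host),
                             "description": desc})
    for line in hash_lines:
        m = _HASH_RE.match(line)
        if m and m["sha256"].lower() in IOC_SHA256:
            hits.append({"host": m["host"], "indicator": m["sha256"].lower(),
                         "description": IOC_SHA256[m["sha256"].lower()]})
    return hits


if __name__ == "__main__":
    for h in match_iocs(DNS_LOG, HASH_LOG):
        print(h["host"], h["indicator"], h["description"], sep="  ")
```

Matching on the host part of the update URL, rather than the full path, catches the domain even if the operator changes the file name, while the subdomain rule keeps `carrolc.com.internal.example` from producing a false positive.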