The Python-based remote access trojan ModeloRAT and a newly observed stealth backdoor, dubbed Backdoor.Mistic, have been linked to activity consistent with an initial access broker (IAB) operation that facilitates ransomware deployments.
Mistic, first seen in April 2026 and publicized by Zscaler as MLTBackdoor, appears optimized for long-term, low-visibility access. It was discovered deployed in at least one intrusion alongside ModeloRAT, strengthening ties between these tools and the financially motivated access-sellers tracked as Woodgnat (aka KongTuke).
Backdoor.Mistic demonstrates deliberate design choices for stealth and persistence. It is sideloaded through a legitimate executable, MpExtMs.exe, which loads a malicious DLL named EndpointDlp.dll, an innocuous-sounding name that mimics Microsoft endpoint-security components.
A loader hooks GetModuleFileNameW and LoadLibraryW to ensure the legitimate binary path is used while forcing the process to load the malicious DLL.
The backdoor executes payloads directly in memory, leaving no files on disk, and includes a kill switch that lets the operator have it delete itself; both are features that prioritize long-term covert access and complicate forensic detection.
Functionally, Mistic supports standard backdoor tasks: file upload/download, file and folder manipulation, schedule and frequency adjustments for its command checks, and in-memory execution of C2-delivered code.
Targeting has been opportunistic; compromised organizations span insurance, education, IT and professional services, suggesting the operator’s objective is to establish saleable enterprise access rather than focus on a particular industry vertical.
ModeloRAT continues to be a hallmark of Woodgnat activity. Commonly delivered within a portable WinPython package and run via the signed pythonw.exe, ModeloRAT uses RC4-encrypted C2 communications and multi-path resiliency with independent C2 infrastructure.
Symantec’s Threat Hunter Team observed ModeloRAT used in attacks that culminated in Qilin ransomware deployment, linking the RAT to final-stage ransomware activity.
Public reporting also attributes Woodgnat to facilitating access for multiple ransomware families including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta.
ModeloRAT and Mistic Backdoor Activity
The intrusion chain observed by Symantec combined multiple stages and tools: a .NET credential stealer with a fake login prompt, living-off-the-land utilities such as curl, reg.exe, net.exe, certutil, WMIC and PowerShell for reconnaissance, lateral movement and payload staging, and loaders like WinPython and Node.exe to host ModeloRAT and other scripts.
Zscaler additionally reported Mistic deliveries via Woodgnat-style social-engineering campaigns: ClickFix, FileFix and CrashFix lures that trick victims into executing attacker-supplied PowerShell commands.
More recently, Woodgnat has used Microsoft Teams helpdesk pretexts to coerce victims into “paste-and-run” commands, achieving persistent access within minutes.
Operational tradecraft shows emphasis on evasion: signed carriers, in-memory execution, kill switches, credential theft, extensive host profiling, redundant persistence entries masquerading as legitimate remote-access software, and adaptive C2 mechanisms including domain generation for non-domain hosts.
This combination of capabilities and behavior is consistent with an IAB model that prioritizes durable, stealthy enterprise footholds to monetize access to ransomware affiliates.
For defenders, indicators of compromise to prioritize include unexpected loading of EndpointDlp.dll or similarly named DLLs by MpExtMs.exe, anomalous in-memory execution activities, Run-key persistence entries named after remote-support tools, and evidence of WinPython or signed pythonw.exe running unknown scripts.
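The indicators above (the MpExtMs.exe/EndpointDlp.dll sideload, pythonw.exe running scripts from a WinPython drop, and Run-key entries named after remote-support tools) translate directly into triage logic. The script below is an added example, not code from Symantec, Zscaler or the article; the Sysmon-style event shapes, paths and values are constructed for illustration, and the filename list comes from the article's IOC table.

```python
import re

# Constructed sample events (assumed Sysmon-like image-load, process-create and
# registry-set records flattened to dicts). Paths and names are made up.
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\Public\MpExtMs.exe",
     "loaded": r"C:\Users\Public\EndpointDlp.dll", "signed": False},
    {"type": "image_load", "image": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "loaded": r"C:\Program Files\Windows Defender\MpClient.dll", "signed": True},
    {"type": "process_create", "image": r"C:\Users\bob\AppData\Local\Temp\WPy64\pythonw.exe",
     "cmdline": r'pythonw.exe "C:\Users\bob\AppData\Local\Temp\WPy64\svc.py"'},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "TeamViewer", "data": r"C:\Users\bob\AppData\Roaming\tv\pythonw.exe"},
]

SIDELOAD_DLLS = {"endpointdlp.dll", "version.dll"}  # names from the article's IOC table
REMOTE_TOOL_NAMES = re.compile(r"teamviewer|anydesk|screenconnect|connectwise|splashtop", re.I)
USER_WRITABLE = re.compile(r"\\(users|programdata|temp)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)


def triage(event):
    """Return a list of alert strings for one event (empty list = nothing suspicious)."""
    alerts = []
    if event["type"] == "image_load":
        dll = event["loaded"].rsplit("\\", 1)[-1].lower()
        host = event["image"].rsplit("\\", 1)[-1].lower()
        # Mistic is sideloaded into MpExtMs.exe as EndpointDlp.dll; a Defender-looking
        # DLL that is unsigned or lives in a user-writable path is the tell.
        if dll in SIDELOAD_DLLS and (not event["signed"] or USER_WRITABLE.search(event["loaded"])):
            alerts.append(f"possible DLL sideload: {host} loaded {dll}")
    elif event["type"] == "process_create":
        # ModeloRAT runs as a script under signed pythonw.exe from a portable WinPython drop.
        if event["image"].lower().endswith("pythonw.exe") and USER_WRITABLE.search(event["cmdline"]):
            alerts.append("pythonw.exe executing a script from a user-writable path")
    elif event["type"] == "registry_set":
        # Run-key persistence entries masquerading as remote-support tools.
        if (RUN_KEY.search(event["key"]) and REMOTE_TOOL_NAMES.search(event["value"])
                and USER_WRITABLE.search(event["data"])):
            alerts.append(f"Run-key entry '{event['value']}' points into a user-writable path")
    return alerts


def triage_all(events=SAMPLE_EVENTS):
    """Map each event's index to its alerts, dropping events that produced none."""
    results = {}
    for i, event in enumerate(events):
        found = triage(event)
        if found:
            results[i] = found
    return results
```

The signed/path checks keep legitimate Defender DLLs and interactive Python use out of the alert set; tune the remote-tool name list to what is actually sanctioned in your environment.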
Tracking Woodgnat-linked infrastructure and the evolution of ModeloRAT and Mistic will be critical as this access-broker model continues to fuel ransomware operations.
Indicators of Compromise (IOCs)
| SHA256 | Description | Filename |
|---|---|---|
| 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 | Backdoor.Mistic | endpointdlp.dll |
| 34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc | Fake lock screen | f.dll |
| 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be | Backdoor.Mistic | aeff97fe.msi |
| 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 | Loader for backdoor | version.dll |
| 8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235 | Likely privilege escalation | n.dll |
| afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c | Backdoor.Mistic | endpointdlp.dll |
| db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5 | Backdoor.Mistic | endpointdlp.dll |
| f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e | Backdoor.Mistic | 48b47c0.msi |
| fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a | Backdoor.Mistic | endpointdlp.dll |