A newly identified Windows backdoor called Mistic has been quietly making its way through enterprise networks since April 2026, giving attackers persistent, low-profile access that is extremely difficult to detect.
The malware has been spotted targeting organizations across the insurance, education, information technology, and professional services sectors, with attackers showing opportunistic behavior rather than focusing on a single industry.
Mistic stands out from many other backdoors because of how effectively it hides its tracks. It executes payloads entirely within memory, meaning no malicious file is ever written to the hard drive.
This approach bypasses a large number of traditional detection tools that rely on scanning files stored on disk.
Analysts at PolySwarm flagged this threat and noted it may represent an evolution in the tooling used by access brokers, specifically those who break into corporate networks and then sell that foothold to ransomware groups.
The malware has been observed operating alongside ModeloRAT, a Python-based remote access trojan previously linked to the financially motivated group tracked as Woodgnat, also known publicly as KongTuke.
According to a report by PolySwarm and Symantec's Threat Hunter Team shared with Cyber Security News (CSN), Mistic was deployed in intrusions where attackers used social engineering lures, including fake browser crashes and fake CAPTCHA tests, to trick victims into executing attacker-supplied PowerShell commands.
These techniques are consistent with Woodgnat’s known delivery methods. The combination of in-memory execution, a built-in kill switch, and a deliberate resemblance to legitimate Microsoft security components makes Mistic one of the more sophisticated backdoors seen in recent cybercrime campaigns.
Security researchers have noted that Woodgnat appears capable of developing increasingly advanced tools as it expands its network of ransomware partners.
New Windows Backdoor Mistic
The Mistic backdoor reaches its target through a method called DLL sideloading, where a legitimate Microsoft executable named MpExtMs.exe is manipulated into loading a malicious file instead of the expected one.
The malicious DLL is named EndpointDlp.dll, borrowing the name from a genuine Microsoft endpoint security component, helping it blend seamlessly into trusted software environments.
Once active, Mistic connects to an attacker-controlled command-and-control server and waits for instructions.
It can upload and download files, create and delete folders, move or rename data, and most importantly, execute operator-supplied code directly in memory without touching the disk.
A separate credential-stealing component, delivered as a .NET DLL, was also observed alongside Mistic, presenting victims with a fake login screen to harvest their usernames and passwords.
The malware also carries a kill switch that allows the operator to fully remove it from a compromised system on command, significantly reducing forensic evidence and complicating post-incident investigations.
Additional tools seen in the same attack chains included PowerShell, certutil, WMIC, and curl.exe, all legitimate Windows utilities repurposed for malicious activity.
Woodgnat’s Access Broker Operations
Mistic is believed to be connected to Woodgnat, a financially motivated cybercrime group active since at least May 2024.
The group primarily operates as an initial access broker, meaning its goal is not to deploy ransomware itself, but to establish long-term access within enterprise environments and sell that access to ransomware affiliates.
Woodgnat has been publicly linked to groups including Qilin, Akira, Rhysida, Black Basta, Interlock, and 8Base.
The group typically gains a foothold by compromising WordPress websites through vulnerable plugins or stolen credentials, then injecting JavaScript that serves social engineering lures to visitors.
Over time, Woodgnat has refined these lures, shifting from ClickFix fake error pages to FileFix and then CrashFix techniques, all designed to push victims into pasting and running attacker-supplied commands.
Since April 2026, the group has also been observed using fake Microsoft Teams helpdesk chats to walk employees through these sequences.
Security researchers recommend that organizations monitor closely for unusual DLL sideloading activity, especially when legitimate Microsoft executables load unexpected files.
Defenders should also watch for abnormal use of built-in tools like curl.exe, certutil, and PowerShell, and prioritize behavioral detection and memory-focused analysis over traditional signature-based controls to counter threats like Mistic effectively.
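The two recommendations above (watch for legitimate Microsoft executables loading unexpected DLLs, and for built-in utilities reaching the network) can be turned into concrete rules over endpoint telemetry. The script below is an added example written for this article, not code from Symantec or PolySwarm. It assumes Sysmon-style events (Event ID 7 for image loads, Event ID 1 for process creation) flattened into a constructed `Key=Value | Key=Value` line format, an illustrative allowlist of directories a Microsoft component should load DLLs from, and the names the article gives (MpExtMs.exe, EndpointDlp.dll, version.dll, curl.exe, certutil, WMIC, PowerShell). The sample events are constructed and do not come from a real incident.

```python
"""Sideloading and LOLBin detection over Sysmon-style events.

Added example for this article; not code from Symantec or PolySwarm.
Assumptions: the ' | ' separated Key=Value line format is constructed,
TRUSTED_DIRS is an illustrative allowlist, and the field names follow
Sysmon's schema for Event ID 7 (ImageLoaded) and Event ID 1 (ProcessCreate).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a Microsoft component is expected to load its DLLs
# (assumed allowlist; tune to your gold image).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files\windows defender",
)

# Names taken from the article: the abused host binary and the DLL name the
# backdoor borrows from a genuine Defender component.
SIDELOAD_HOSTS = {"mpextms.exe"}
IMPERSONATED_DLLS = {"endpointdlp.dll"}

# Built-in utilities the report saw repurposed in the attack chain.
LOLBINS = {"curl.exe", "certutil.exe", "wmic.exe", "powershell.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Split a constructed 'Key=Value | Key=Value' line into a dict."""
    fields: dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def in_trusted_dir(path: str) -> bool:
    """True when the file sits in (or below) one of the allowlisted directories."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)


def check_image_load(ev: dict[str, str]) -> Alert | None:
    """Event ID 7: a known sideload host, an impersonated DLL name, or any
    trusted-path binary pulling a DLL from outside the trusted directories."""
    host = PureWindowsPath(ev["Image"]).name.lower()
    dll_path = ev["ImageLoaded"]
    dll = PureWindowsPath(dll_path).name.lower()
    if in_trusted_dir(dll_path):
        return None
    if host in SIDELOAD_HOSTS or dll in IMPERSONATED_DLLS:
        return Alert("dll-sideload-known", f"{host} loaded {dll_path}")
    if in_trusted_dir(ev["Image"]):
        return Alert("dll-sideload-generic", f"{host} loaded {dll_path}")
    return None


def check_process_create(ev: dict[str, str]) -> Alert | None:
    """Event ID 1: a built-in utility handed a URL on its command line."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    cmd = ev.get("CommandLine", "")
    if image in LOLBINS and URL_RE.search(cmd):
        parent = ev.get("ParentImage", "?")
        return Alert("lolbin-network", f"{image} parent={parent} cmd={cmd}")
    return None


def scan(lines: list[str]) -> list[Alert]:
    """Run the two rules over a batch of event lines and collect the alerts."""
    alerts: list[Alert] = []
    for line in lines:
        ev = parse_event(line)
        eid = ev.get("EventID")
        hit = None
        if eid == "7":
            hit = check_image_load(ev)
        elif eid == "1":
            hit = check_process_create(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    r"EventID=7 | Image=C:\Program Files\Windows Defender\MpExtMs.exe | ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=7 | Image=C:\Users\alice\AppData\Local\Temp\MpExtMs.exe | ImageLoaded=C:\Users\alice\AppData\Local\Temp\EndpointDlp.dll",
    r"EventID=7 | Image=C:\Windows\System32\svchost.exe | ImageLoaded=C:\Users\Public\version.dll",
    r"EventID=1 | Image=C:\Windows\System32\curl.exe | ParentImage=C:\Windows\explorer.exe | CommandLine=curl.exe -o C:\Users\Public\update.msi http://example.invalid/update.msi",
    r"EventID=1 | Image=C:\Windows\System32\certutil.exe | ParentImage=C:\Windows\System32\cmd.exe | CommandLine=certutil -hashfile C:\Windows\notepad.exe SHA256",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.detail}")
```

The first sample event (MpExtMs.exe loading kernel32.dll from System32) is benign and produces nothing; the copy of MpExtMs.exe in a Temp directory loading EndpointDlp.dll beside it, svchost.exe loading version.dll from a user-writable path, and curl.exe fetching an MSI each produce one alert, while the certutil hash check does not. In production the `in_trusted_dir` check should be paired with signature verification of the loaded DLL, since a legitimately signed Microsoft DLL in an unusual directory is still a different case from an unsigned look-alike.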
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 | Backdoor.Mistic — endpointdlp.dll |
| SHA-256 | 34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc | Fake lock screen — f.dll |
| SHA-256 | 3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be | Backdoor.Mistic — aeff97fe.msi |
| SHA-256 | 59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 | Loader for backdoor — version.dll |
| SHA-256 | 8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235 | Likely privilege escalation — n.dll |
| SHA-256 | afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c | Backdoor.Mistic — endpointdlp.dll |
| SHA-256 | db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5 | Backdoor.Mistic — endpointdlp.dll |
| SHA-256 | f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e | Backdoor.Mistic — 48b47c0.msi |
| SHA-256 | fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a | Backdoor.Mistic — endpointdlp.dll |
| IP Address | 142.93.242.144 | C2 network indicator |
| IP Address | 144.31.53.78 | C2 network indicator |
| IP Address | 198.13.159.44 | C2 network indicator |
| IP Address | 199.91.221.42 | C2 network indicator |
| Domain | authorized-logins.net | C2 domain |
| Domain | b6w9m2z5x8q1v3k.top | C2 domain |
| Domain | carrolc.com | C2 domain |
| Domain | cj06y9v4xab.com | C2 domain |
| Domain | cwrtwright.com | C2 domain |
| Domain | defs.updater-worelos.com | C2 domain |
| Domain | ftps.upd-domain-goloro.com | C2 domain |
| Domain | grande-luna.top | C2 domain |
| Domain | human-check.top | C2 domain |
| Domain | mail.authorized-logins.net | C2 domain |
| Domain | mailes.upd-domain-goloro.com | C2 domain |
| Domain | mails.updater-worelos.com | C2 domain |
| Domain | mueleer.com | C2 domain |
| Domain | nano.upscale-kolo.com | C2 domain |
| Domain | oeannon.com | C2 domain |
| Domain | php.authorized-logins.net | C2 domain |
| Domain | rotoa-upda-lo.com | C2 domain |
| Domain | sql-updater-service.com | C2 domain |
| Domain | sss.authorized-logins.net | C2 domain |
| Domain | thomphon.com | C2 domain |
| Domain | upd-domain-goloro.com | C2 domain |
| Domain | update.update-fall.com | C2 domain |
| Domain | updater-worelos.com | C2 domain |
| Domain | upscale-kolo.com | C2 domain |
| Domain | w3xasv14culvnqj.top | C2 domain |
| URL | hxxp://thomphon[.]com/update.msi | Malware delivery URL |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
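The note above describes the handling workflow: keep indicators defanged in documents, refang them only at the point of comparison. The script below is an added example for this article, not code from Symantec or PolySwarm. The hash, IP, domain and URL values are the ones from the table above, stored in defanged form; the DNS, network-flow, proxy and file-inventory records it sweeps are constructed, and the record field names are an assumption about how such telemetry might be flattened.

```python
"""Refang the article's indicators and sweep constructed telemetry for them.

Added example; not from the Symantec/PolySwarm report. Indicator values are
those in the IoC table above, kept defanged as the note recommends. The
records in SAMPLE_RECORDS are constructed, not from a real environment.
"""
from __future__ import annotations

import re


def refang(ioc: str) -> str:
    """Reverse the common defanging conventions so a value can be compared."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


def defang(ioc: str) -> str:
    """Defang for tickets and reports: scheme to hxxp(s), every dot bracketed."""
    ioc = re.sub(r"^http(s?)://", r"hxxp\1://", ioc)
    return ioc.replace(".", "[.]")


# SHA-256 values from the table, mapped to the table's description.
IOC_HASHES = {
    "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984": "Backdoor.Mistic, endpointdlp.dll",
    "34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc": "Fake lock screen, f.dll",
    "3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be": "Backdoor.Mistic, aeff97fe.msi",
    "59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712": "Loader for backdoor, version.dll",
    "8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235": "Likely privilege escalation, n.dll",
    "afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c": "Backdoor.Mistic, endpointdlp.dll",
    "db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5": "Backdoor.Mistic, endpointdlp.dll",
    "f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e": "Backdoor.Mistic, 48b47c0.msi",
    "fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a": "Backdoor.Mistic, endpointdlp.dll",
}
IOC_IPS = {"142[.]93[.]242[.]144", "144[.]31[.]53[.]78", "198[.]13[.]159[.]44", "199[.]91[.]221[.]42"}
IOC_DOMAINS = {
    "authorized-logins[.]net", "b6w9m2z5x8q1v3k[.]top", "carrolc[.]com", "cj06y9v4xab[.]com",
    "cwrtwright[.]com", "defs[.]updater-worelos[.]com", "ftps[.]upd-domain-goloro[.]com",
    "grande-luna[.]top", "human-check[.]top", "mail[.]authorized-logins[.]net",
    "mailes[.]upd-domain-goloro[.]com", "mails[.]updater-worelos[.]com", "mueleer[.]com",
    "nano[.]upscale-kolo[.]com", "oeannon[.]com", "php[.]authorized-logins[.]net",
    "rotoa-upda-lo[.]com", "sql-updater-service[.]com", "sss[.]authorized-logins[.]net",
    "thomphon[.]com", "upd-domain-goloro[.]com", "update[.]update-fall[.]com",
    "updater-worelos[.]com", "upscale-kolo[.]com", "w3xasv14culvnqj[.]top",
}
IOC_URLS = {"hxxp://thomphon[.]com/update.msi"}

# Refang once, in memory, at the point of comparison.
IP_SET = {refang(x) for x in IOC_IPS}
URL_SET = {refang(x) for x in IOC_URLS}
# Longest domains first so an exact listed host wins over its parent domain.
DOMAIN_LIST = sorted((refang(x) for x in IOC_DOMAINS), key=len, reverse=True)


def domain_hit(name: str) -> str | None:
    """Exact match, or a subdomain of a listed domain (a new host under
    updater-worelos.com still matches)."""
    name = name.lower().rstrip(".")
    for d in DOMAIN_LIST:
        if name == d or name.endswith("." + d):
            return d
    return None


def sweep(records: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (record_type, matched_indicator_or_label, context) per hit."""
    hits: list[tuple[str, str, str]] = []
    for r in records:
        kind = r["type"]
        if kind == "dns" and (d := domain_hit(r["query"])):
            hits.append(("dns", d, r["host"]))
        elif kind == "flow" and r["dst"] in IP_SET:
            hits.append(("flow", r["dst"], r["host"]))
        elif kind == "proxy" and refang(r["url"]) in URL_SET:
            hits.append(("proxy", r["url"], r["host"]))
        elif kind == "file" and r["sha256"].lower() in IOC_HASHES:
            hits.append(("file", IOC_HASHES[r["sha256"].lower()], r["path"]))
    return hits


# Constructed sample records (hostnames, paths and the benign entries are made up).
SAMPLE_RECORDS = [
    {"type": "dns", "host": "WS-017", "query": "intranet.example.invalid"},
    {"type": "dns", "host": "WS-017", "query": "cdn.updater-worelos.com"},
    {"type": "flow", "host": "WS-017", "dst": "198.13.159.44"},
    {"type": "proxy", "host": "WS-022", "url": "http://thomphon.com/update.msi"},
    {"type": "file", "host": "WS-022", "path": r"C:\Users\Public\EndpointDlp.dll",
     "sha256": "1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984".upper()},
    {"type": "file", "host": "WS-022", "path": r"C:\Windows\notepad.exe", "sha256": "0" * 64},
]

if __name__ == "__main__":
    for kind, indicator, context in sweep(SAMPLE_RECORDS):
        print(f"{kind:5} {defang(indicator):45} {context}")
```

The sweep matches subdomains as well as the listed names, normalises hash case before lookup, and prints matched indicators re-defanged so the output can be pasted into a ticket. `defang` brackets every dot, including those in a URL path, which is slightly stricter than the table's own form; `refang` handles both.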