Initial access broker KongTuke, active since May 2024, began distributing Mistic in April 2026. The backdoor — also tracked as MTLBackdoor by Zscaler — executes payloads in memory without writing files to disk and masquerades under names that mimic Microsoft endpoint security components. Symantec and Zscaler have documented the operator selling access to six ransomware groups.
- Mistic has been operational since April 2026 as a backdoor for KongTuke/Woodgnat, an IAB active since May 2024
- Uses DLL sideloading through the legitimate MpExtMs.exe to load EndpointDlp.dll, a filename chosen to resemble Microsoft components
- Executes in-memory payloads with a kill switch for self-deletion, reducing on-disk detection surface
- Zscaler confirms dynamic Beacon Object File (BOF) loading capability to expand post-exploitation functionality
- KongTuke sells access to six ransomware groups: Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta
The Infection Chain: From MpExtMs.exe to Phantom Execution
Mistic's mechanism unfolds in three stages visible in Symantec and GBHackers reports. Infection begins with the launch of the legitimate MpExtMs.exe executable, which sideloads a malicious DLL named version.dll. This second stage then executes EndpointDlp.dll, which constitutes Mistic's primary payload.
The chosen filename — EndpointDlp.dll — mirrors the naming convention of Microsoft endpoint protection tools. According to Symantec, "the backdoor executes payloads in memory without writing files to disk and includes a kill switch that allows it to delete itself." This architecture deprives analysts of traditional on-disk artifacts: no files to extract for static reverse engineering, no residue for hash-based detection.
Ransomware Groups in Line: Six Confirmed Customers
KongTuke monetizes access through an established brokerage model. BleepingComputer, SecurityWeek, and GBHackers converge on six ransomware groups purchasing access from the IAB: Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The multiplicity of customers has a specific side effect: the same target infrastructure can suffer multiple independent attacks, each with its own encryption and negotiation procedures.
The breadth of targeting reflects IAB logic. According to Broadcom researchers cited by SecurityWeek, "the targeting appears opportunistic: the attackers cast a wide net and assess which organizations they can sell, rather than focusing on a single sector." Four sectors are touched: insurance, education, IT, and professional services.
KongTuke's Toolkit: From ClickFix to Teams
KongTuke has built an ecosystem of complementary tools that precede or accompany Mistic. Social engineering techniques documented since 2025 include ClickFix, FileFix, and CrashFix — all variants that induce victims to execute code with elevated privileges. Starting in April 2026, the operator added Microsoft Teams as an initial contact vector, impersonating IT helpdesk to establish trust before payload delivery.
In at least one incident analyzed by Symantec, Mistic was deployed after ModeloRAT, another backdoor attributed to KongTuke. ModeloRAT travels in portable WinPython packages and executes via signed pythonw.exe, a pattern that exploits the legitimate signature to bypass application whitelisting controls.
"One of the most powerful features [of MTLBackdoor] is the ability to load Beacon Object Files (BOF) to expand its functionality" — Zscaler researchers (via BleepingComputer)
Immediate Actions
Defending against Mistic means aligning controls with the specific techniques documented in this brief. The concrete actions:
- Inspect MpExtMs.exe processes with anomalous loaded DLLs: verify the presence of version.dll or EndpointDlp.dll in non-standard paths, as the documented sideloading originates from this legitimate executable
- Enable in-memory logging and behavioral analytics telemetry: since Mistic writes no files to disk, detection shifts to injection patterns and anomalous C2 communications
- Monitor external Teams communications with helpdesk pretext: KongTuke began using this vector in April 2026; filter contacts from external domains requesting immediate action
- Cross-reference published IoC hashes from Symantec and Zscaler: the two primary sources provide specific indicators of compromise for Mistic/MTLBackdoor
- Review WinPython packages and pythonw.exe executions in enterprise environments: ModeloRAT, Mistic's predecessor in some chains, uses this execution pattern
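The two host-process patterns above (MpExtMs.exe sideloading version.dll or EndpointDlp.dll, and pythonw.exe launched from a portable WinPython directory) can be expressed as simple triage rules over endpoint telemetry. The following Python is an added example written for this brief; it is not tooling from Symantec, Zscaler or any other cited source. The Sysmon-style field names (EventID, Image, ImageLoaded, CommandLine), the directory allowlists and the sample records are assumptions constructed for illustration; only the process and DLL names come from the brief.

```python
"""Triage constructed Sysmon-style events for the Mistic / ModeloRAT host-process
patterns described in the brief.  Added example, not code from the cited sources.
Field names, allowlisted directories and sample records are assumptions."""
import ntpath

# version.dll is a Windows system DLL that lives in System32 / SysWOW64; a copy
# sitting next to the host executable is the classic sideloading signal.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed install roots for a managed Python; portable WinPython lives elsewhere.
PYTHON_INSTALL_ROOTS = (r"c:\program files\python", r"c:\program files (x86)\python")

SIDELOAD_HOST = "mpextms.exe"
SUSPECT_DLLS = {"version.dll", "endpointdlp.dll"}


def _dir(path):
    return ntpath.dirname(path).lower()


def _base(path):
    return ntpath.basename(path).lower()


def check_image_load(event):
    """Sysmon EventID 7 style record: Image is the host process, ImageLoaded the DLL.
    Returns a finding string, or None when the load looks benign."""
    host, dll = _base(event["Image"]), _base(event["ImageLoaded"])
    if host != SIDELOAD_HOST or dll not in SUSPECT_DLLS:
        return None
    dll_dir = _dir(event["ImageLoaded"])
    # The genuine version.dll comes from a system directory; anything else is suspect.
    if dll == "version.dll" and dll_dir in SYSTEM_DLL_DIRS:
        return None
    # EndpointDlp.dll loaded by this host is flagged regardless of directory.
    return f"sideload: {host} loaded {dll} from {dll_dir}"


def check_process_create(event):
    """Sysmon EventID 1 style record: pythonw.exe outside an assumed install root
    matches the portable-WinPython execution pattern used by ModeloRAT."""
    if _base(event["Image"]) != "pythonw.exe":
        return None
    if _dir(event["Image"]).startswith(PYTHON_INSTALL_ROOTS):
        return None
    return f"portable pythonw: {event['Image']} {event['CommandLine']}"


def triage(events):
    """Run the matching rule for each event and collect findings."""
    findings = []
    for event in events:
        if event["EventID"] == 7:
            finding = check_image_load(event)
        elif event["EventID"] == 1:
            finding = check_process_create(event)
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real IoCs): three records should fire.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Update\version.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\Update\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Update\EndpointDlp.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\WPy64\python\pythonw.exe",
     "CommandLine": "pythonw.exe loader.py"},
    {"EventID": 1, "Image": r"C:\Program Files\Python312\pythonw.exe",
     "CommandLine": "pythonw.exe report.py"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The rules deliberately key on the host process plus the DLL's directory rather than on file hashes, since the brief notes that in-memory execution leaves little for hash-based detection; the hash lists published by Symantec and Zscaler complement, rather than replace, this kind of behavioral check.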
Frequently Asked Questions
Is Mistic a vulnerability with a CVE or malware?
Mistic is a custom backdoor, not a software vulnerability. No associated CVE exists in the analyzed dossier. Distribution occurs via social engineering and sideloading techniques, not by exploiting flaws in legitimate application code.
Why do traditional EDRs struggle to detect Mistic?
In-memory execution eliminates the on-disk artifacts that forensic analysis typically relies on. Microsoft-like component names let the backdoor blend into anomaly searches instead of standing out. BOF capability further allows dynamic functionality to be loaded without modifying the original backdoor file.
Are KongTuke and Woodgnat the same entity?
Symantec, SecurityWeek, and GBHackers reports treat KongTuke and Woodgnat as alternative names for the same initial access broker, active since May 2024 with overlapping techniques and infrastructure.
Context: Why IABs Are Winning the Access Race
KongTuke's model illustrates a structural trend in enterprise ransomware: the separation between those who obtain access and those who encrypt data. This division of labor reduces operational risk for both parties and accelerates monetization. The six confirmed KongTuke customers — Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta — represent diversification that makes the final payload unpredictable for victims.
Opportunistic targeting across four main sectors (insurance, education, IT, professional services) maximizes attack surface without requiring investment in targeted reconnaissance. For defenders, this means geographic or sectoral provenance is not a reliable indicator of risk exclusion.
Information is based on cited sources and current as of publication.
Sources
- https://www.bleepingcomputer.com/news/security/stealthy-mistic-backdoor-linked-to-ransomware-access-broker-kongtuke/
- https://www.securityweek.com/new-mistic-rat-opens-door-to-several-ransomware-families/
- https://gbhackers.com/modelorat-and-mistic-backdoor/
- https://cyberpress.org/woodgnat-fix-lure-malware/
- https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-41940