Mistic Backdoor: New Stealth Malware Linked to KongTuke Access Broker
Symantec researchers have uncovered a new stealthy backdoor dubbed "Mistic" being deployed by KongTuke (also tracked as Woodgnat), a financially motivated initial access broker active since at least 2024. The malware has been observed in attacks targeting organizations in the insurance, education, IT, and professional services sectors since April, with KongTuke known for selling compromised network access to major ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.
The Mistic attack chain leverages DLL side-loading through the legitimate Windows executable MpExtMs.exe, which loads a malicious version.dll that in turn deploys the Mistic payload (EndpointDlp.exe). The filename was deliberately chosen to mimic Microsoft endpoint security tooling, helping the backdoor blend in with trusted software on the host. A separate .NET DLL is also loaded that displays a fake login screen designed to harvest user credentials, an exposure that organizations and individuals can monitor using an email breach checker. Once active, Mistic communicates with command-and-control infrastructure and supports file upload/download, file manipulation, in-memory code execution, and a kill switch that allows it to self-delete and erase forensic artifacts.
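To make the side-loading step concrete from the detection side, here is an added example (not code from Symantec or Zscaler) that triages Sysmon-style image-load events and flags version.dll being loaded by MpExtMs.exe from outside the Windows system directories or without a valid Microsoft signature. The event records, file paths and the HOST_EXES/TARGET_DLLS sets are constructed assumptions; the DLL set can be extended to other KnownDLLs that are commonly side-loaded.

```python
"""Triage Sysmon Event ID 7 (image load) records for the MpExtMs.exe -> version.dll side-load.

Events are assumed to be flattened into dicts with the Sysmon field names
Image, ImageLoaded, Signed and Signature. All sample data below is constructed.
"""
import ntpath

# Directories from which a legitimate version.dll is expected to be loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Host executable and side-loaded DLL named in the report (assumed, extendable).
HOST_EXES = {"mpextms.exe"}
TARGET_DLLS = {"version.dll"}


def is_suspicious_sideload(event: dict) -> bool:
    """True when a watched host loads a watched DLL from a non-system path or unsigned."""
    host = ntpath.basename(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll = ntpath.basename(dll_path).lower()
    if host not in HOST_EXES or dll not in TARGET_DLLS:
        return False
    dll_dir = ntpath.dirname(dll_path).lower().rstrip("\\")
    in_system_dir = dll_dir in SYSTEM_DIRS
    # Sysmon reports Signed as "true"/"false" and Signature as the signer name.
    signed_by_microsoft = (
        event.get("Signed", "false").lower() == "true"
        and "microsoft" in event.get("Signature", "").lower()
    )
    return (not in_system_dir) or (not signed_by_microsoft)


def triage(events: list) -> list:
    """Return only the events that match the side-load pattern."""
    return [e for e in events if is_suspicious_sideload(e)]


# Constructed sample events: one benign load, one side-load, one out-of-scope load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Libraries\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Users\Public\Libraries\other.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("suspicious side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

The third sample event is deliberately not flagged: the rule is scoped to the host executable named in the report, so broadening HOST_EXES is how you extend coverage rather than loosening the path check.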
According to Symantec, Mistic was designed for long-term, low-visibility persistence: payloads run entirely in memory with no files written to disk. In at least one incident, Mistic was deployed shortly after ModeloRAT, another KongTuke backdoor distributed via social engineering lures on Microsoft Teams. Zscaler, tracking the same malware as "MTLBackdoor," confirms ClickFix and its FileFix/CrashFix variants remain KongTuke's primary infection vector, with Mistic loaded as a multi-stage payload capable of executing Beacon Object Files (BOFs) directly within the C2 process memory.
The disclosure highlights the growing sophistication of access broker operations and reinforces the importance of monitoring outbound traffic patterns. Defenders can audit their network exposure with a port scanner and investigate suspicious C2 domains through a WHOIS lookup to identify infrastructure overlaps with known KongTuke activity.