
Mistic backdoor writes nothing to disk and quietly sells your network to ransomware crews

Mistic is an in-memory backdoor that access broker KongTuke uses to hold footholds and sell them to Qilin and other ransomware crews. Here is where to catch it.


The ransomware incident you read about next quarter is being staged right now, and it does not look like ransomware. It looks like one process checking in for instructions, days or weeks before anyone touches a single file. A backdoor that researchers at Symantec and Carbon Black track as Mistic is built for exactly that stage: get in, stay invisible, and hold the door open until someone pays for the keys. It has run in financially motivated intrusions since April 2026 against firms in professional services, IT, education, and insurance.

The malware is not the interesting part. Who runs it, and why, is.

Mistic is an access broker's tool, not a ransomware crew's

Mistic belongs to KongTuke, an initial access broker that researchers also track as Woodgnat and that has been active since at least 2024. A broker does not encrypt anything. It breaks in, establishes durable access, and sells that access to whoever wants it. Symantec ties KongTuke's footholds to a long list of ransomware affiliates: Akira, Qilin, Black Basta, Rhysida, 8Base, and Interlock. The same intrusion can end as any of those brands depending on who buys.

That changes where the defensive value sits. If you wait to recognize the ransomware, you are reacting to the buyer. The seller was inside for weeks first, and the seller used Mistic. Treating the broker stage as the event you are hunting, rather than the encryption that follows, is the single most useful reframe here. It is also the only stage where you still have options that do not involve a recovery plan.

What the backdoor does, and what it deliberately does not

Mistic runs its payloads in memory and writes nothing to disk. It carries a kill switch and a self-delete routine, so an operator who senses attention can pull the implant and leave little behind. Its built-in feature set is small on purpose: file upload, download, move and delete, folder creation, an adjustable check-in interval, and in-memory code execution. Everything heavier loads on demand through small object-file modules the operator pushes only when needed.

That last detail matters more than it looks. The implant's real capability is not fixed at the moment it lands, so a signature built from one victim's sample tells you little about the next one. The durable thing to detect is how Mistic arrives and where it hides, not what it can do on any given day. On disk it has been seen sideloaded through the legitimate-looking MpExtMs.exe, which loads a malicious version.dll that in turn drops the loader as EndpointDlp.dll. Zscaler documented the same family under the name MLTBackdoor, delivered through multi-stage chains in May 2026, frequently alongside ModeloRAT, a Python remote-access tool that KongTuke spreads through Microsoft Teams social engineering.

The front door is a conversation, not an attachment

Mistic and its companions arrive through ClickFix, the social-engineering pattern where a page fakes a browser error or a verification step and tells the visitor to paste and run a command to fix it. One reported variant ships as a fake ad-blocker extension that crashes the browser on purpose, then offers the user a helpful fix that is actually the first stage of the attack.

This is a different detection problem than the macro-laden document era trained most teams to watch for. The question is no longer only what file someone opened. It is what a person was talked into typing. We covered this shift in detail when ClickFix became shared attack infrastructure rather than one group's lure, and Mistic is a clean example of why the telemetry gap is expensive: the clipboard-to-Run-dialog path is rarely instrumented, yet it is now a primary way in. The Teams angle on ModeloRAT rhymes with how attackers fold malicious traffic into trusted collaboration tools, where a network sensor sees a normal call.

Why endpoint tooling sees a clean machine

Three design choices make Mistic quiet for file-based defenses at once. It executes in memory, so there is no malicious file on disk to scan. It sideloads through a process name that reads as a security component, so the parent looks benign at a glance. And it expands through loadable modules, so the static sample is thin. None of this is novel on its own. Together it means an antivirus product looking for known-bad files will report nothing wrong on a fully compromised host.

There is a quieter cost too. This one family already answers to Mistic and MLTBackdoor, it is run by an access broker that goes by KongTuke and Woodgnat, and the broker's wider toolset carries still more aliases across vendors. Six names for two things is not pedantry. It slows the correlation work a defender does when a single indicator surfaces, because the analyst has to first prove that the vendor blog they are reading and the alert in their console describe the same actor. Brokers benefit from that fog. The same access-as-a-service economy is what kept stolen credentials usable even after a takedown of the malware that harvested them, and it is why disrupting one tool rarely disrupts the business behind it, as the SocGholish takedown showed.

Where to actually catch this

Patching does not apply here, because there is no single bug to fix. Detection is the whole game, and it has to be behavioral. Practical places to look:

  • The paste-and-run path. Watch for command interpreters and script hosts launched as children of a browser, and for clipboard content flowing into the Run dialog. This is the ClickFix signature, and it is product-agnostic.

  • Suspicious DLL sideloading. Alert when a version.dll or similarly named library loads from a non-system path next to an otherwise trusted binary, especially one masquerading as a security tool.

  • Check-ins with a moving interval. Mistic's check-in cadence is adjustable, so do not anchor on a fixed period. Look instead for long-lived, low-volume, regular outbound connections from hosts that should not be initiating them, including DNS-based staging traffic.

  • Teams-borne lures. Treat unexpected Microsoft Teams messages that push a download or a fix-it step as phishing, and give that surface the same scrutiny as inbound email.

If you run an environment built on open detection tooling, this is the kind of activity that behavioral rules and process-lineage analysis are meant to surface, which is part of why we built on Wazuh rather than chasing file hashes.

The takeaway is not that a new backdoor exists. New backdoors arrive every week. It is that the people most likely to ransom you are not in your network yet. Their supplier is, running something like Mistic, waiting for a buyer. The broker stage is your last clean shot. Spend your detection budget there.


Frequently asked questions

What is the Mistic backdoor?

Mistic is a stealthy in-memory backdoor first reported by Symantec and Carbon Black in 2026. It runs payloads without writing files to disk, carries a kill switch, and loads extra capability on demand. The access broker KongTuke uses it to keep long-term footholds inside victim networks.

Who is behind Mistic and what do they want?

Mistic belongs to KongTuke, an initial access broker also tracked as Woodgnat, active since at least 2024. The group does not run ransomware itself. It sells the access it builds to ransomware affiliates such as Akira, Qilin, Black Basta, Rhysida, 8Base and Interlock.

How does Mistic get onto a machine?

Mistic arrives through ClickFix, a social-engineering trick where a fake browser error or fix-it prompt convinces the user to paste and run a command. One variant uses a fake ad-blocker extension. A companion tool, ModeloRAT, spreads through Microsoft Teams messages.

Why do antivirus tools miss Mistic?

Mistic executes in memory, so there is no malicious file on disk to scan. It sideloads through a library named to look like a security component, and it expands through loadable modules rather than a fixed payload. File-signature scanning sees a clean host while the machine is fully compromised.

How do you detect Mistic without a patch?

Detection is behavioral. Watch for script hosts spawned by a browser and clipboard content reaching the Run dialog, for a rogue version.dll sideloaded next to a trusted binary, and for low-volume regular outbound connections with a changing interval, including DNS-based staging traffic.
