Security researchers have uncovered a new piece of malware called the Mistic backdoor, and it is built for one purpose: to stay hidden for as long as possible. First spotted in active attacks in April 2026, Mistic has been deployed against organizations in insurance, education, IT, and professional services. Researchers believe it is the latest tool from KongTuke, a criminal operation that breaks into corporate networks and sells that access to ransomware groups.
Who Is KongTuke?
To understand why Mistic matters, it helps to understand the operation behind it. KongTuke, also tracked as Woodgnat, is what security researchers call an initial access broker (IAB). The group does not run ransomware itself. Instead, it specializes in compromising corporate networks and then selling that access to ransomware gangs for a fee.
KongTuke has been active since at least May 2024. Over that time, it has supplied access to some of the most prolific ransomware operations around, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. In one documented case, researchers observed KongTuke’s earlier tool, ModeloRAT, being used in attacks that ultimately delivered Qilin ransomware to the target.
The group is not selective about victims. Its targeting is opportunistic. KongTuke casts a wide net, compromises as many organizations as it can, and then evaluates which ones represent the most valuable access to sell.
What Makes Mistic Different
Previous KongTuke activity relied on ModeloRAT, a Python-based remote access trojan. Mistic is something new. Researchers at Symantec describe it as a purpose-built backdoor designed for long-term, low-visibility access. Zscaler, which tracks the same malware under the name MTLBackdoor, independently confirmed its existence after observing it delivered through a ClickFix infection chain in May.
The design choices baked into Mistic are deliberate. It runs all payloads directly in memory, meaning nothing is written to the victim’s disk. This makes it significantly harder for security tools to detect. It also includes a kill switch that lets it delete itself and clean up any trace of its presence on demand.
According to Symantec researchers, these features point to an operator focused on staying inside a network for as long as possible without triggering alarms. The backdoor communicates with command-and-control (C2) servers and accepts a range of commands: moving, renaming, uploading, or deleting files; executing code in memory; adjusting how frequently it checks in with its operators; and terminating itself entirely when needed.
How the Infection Unfolds
The Mistic backdoor does not announce itself. In the attacks Symantec analyzed, infection begins with a legitimate Windows executable called MpExtMs.exe. Attackers abuse a technique called DLL side-loading, where a trusted program is manipulated into loading a malicious file alongside it. In this case, a malicious DLL named version.dll gets loaded, which then drops the actual backdoor, EndpointDlp.dll.
That filename is not accidental. It mimics the naming conventions used by real Microsoft endpoint security software, helping the backdoor blend in with legitimate processes on the host. A separate .NET component also runs a fake login screen to steal the victim’s credentials during the infection.
In at least one confirmed incident, Mistic was deployed right after ModeloRAT, suggesting it functions as a follow-on tool once KongTuke has already established a foothold through its earlier access methods.
The ClickFix Connection
KongTuke has long relied on social engineering to get its malware onto victim machines. Its preferred method is ClickFix, a technique where users are presented with a fake error message or CAPTCHA prompt and tricked into pasting a malicious command into their Windows Run dialog. The group has used variations of this technique since early 2025, including FileFix and CrashFix, which put different spins on the same fundamental deception.
Zscaler traced one Mistic delivery to exactly this kind of multi-stage ClickFix chain. The infection began on an automotive-themed webpage and pulled a disguised payload from a domain generated automatically, before installing the backdoor through the same DLL side-loading method Symantec observed.
A Tool Designed for Professionals
One capability that stands out in Zscaler’s analysis is Mistic’s ability to load Beacon Object Files, or BOFs. These are small programs written in C that execute directly inside the memory of a C2 process. Because they never touch the disk, they leave no forensic trail and evade most endpoint detection tools.
BOFs are most commonly associated with red team tools like Cobalt Strike, which security professionals use to simulate real attacks. Seeing them in criminal malware signals a level of technical sophistication that is not always present in ransomware-adjacent tooling.
What This Signals for the Threat Landscape
Both Symantec and Zscaler frame Mistic as part of a broader shift in how ransomware operations work. Criminal groups are moving away from relying solely on built-in Windows tools or off-the-shelf malware. Instead, they are investing in custom-built tooling designed for stealth and durability.
For defenders, the practical concern is straightforward. Mistic is built to sit quietly inside a network, avoid detection, and give attackers time to assess what they have and who might pay to exploit it. By the time ransomware arrives, KongTuke has often been inside the environment for an extended period.
Organizations should watch for unexpected loading of DLLs named EndpointDlp.dll by MpExtMs.exe, anomalous in-memory execution, and suspicious use of portable Python environments under application data directories. Both Symantec and Zscaler have published indicators of compromise that security teams can use to check for signs of infection.
Final Thoughts
The Mistic backdoor is a reminder that ransomware attacks rarely begin with ransomware. The real entry point is often an access broker operating silently in the background, weeks or months before any encryption begins. KongTuke has built a business around that gap, and Mistic is its newest investment in staying undetected long enough to make the sale.
For organizations in the sectors being targeted, the risk is not just a data breach or a ransom demand. It is the possibility that an attacker has already been inside the network, watching and waiting, long before any alarm goes off.