Researchers connect self-deleting Mistic backdoor to possible access-broker activity

Security researchers say a newly identified backdoor known as Mistic, or MLTBackdoor, has been used in intrusions since April and may be tied to a criminal access-broker operation that sells entry poi...

Security researchers say a newly identified backdoor known as Mistic, or MLTBackdoor, has been used in intrusions since April and may be tied to a criminal access-broker operation that sells entry points into corporate networks to ransomware crews.

The malware was first described earlier this month by Zscaler, which suggested it was likely intended to help attackers establish a foothold before moving laterally inside victim environments. In a threat briefing released Wednesday, Symantec and Carbon Black said they have seen Mistic used against organizations in the insurance, education, IT, and professional services sectors over the past few months.

The researchers said their assessment is low confidence, but they believe Mistic may be associated with the financially motivated group they track as KongTuke, also known as Woodgnat. That cluster has previously been linked to initial access operations and to the ModeloRAT remote access trojan, a tool that has also appeared in incidents involving ransomware deployment.

According to the report, one case showed Mistic operating in close proximity to ModeloRAT, and Zscaler observed the backdoor being delivered through a multi-stage ClickFix infection chain. Both details point toward the same broader activity set, the researchers said.

What the backdoor can do

  • Upload, download, move, rename, and delete files
  • Create new directories
  • Check in with attacker-controlled command-and-control servers
  • Run payloads directly in memory rather than writing them to disk
  • Delete itself after use

That in-memory execution is notable because it can reduce the chances of detection by traditional antivirus and endpoint security tools. In one incident handled by the researchers, the malware was side-loaded through a legitimate executable and loaded from a DLL, a technique that can help hide malicious activity inside trusted software processes.

Security teams say the combination of stealth features and a built-in self-destruct function makes Mistic especially useful for short-lived, hard-to-detect access. In practice, that kind of capability can give attackers enough time to establish control, pass access to another group, and then remove evidence of the initial compromise.