“The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access,” the Symantec researchers say.
How Mistic is deployed and what it looks like on hosts
Symantec’s analysis of recent intrusions shows a repeatable infection pattern: the actors launch a legitimate executable, MpExtMs.exe, which side-loads a malicious DLL named version.dll. Side-loading works because the executable imports version.dll by name, so a malicious copy placed in its own directory is resolved before the legitimate one in System32. That DLL acts as the loader for Mistic itself, identified in the reports as EndpointDlp.dll. A separate .NET DLL is also loaded in the chain; that component presents a fake login screen to harvest user credentials. The filenames mimic Microsoft endpoint security components, a choice that appears intended to help the files blend in with trusted software on infected hosts.
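The side-load is also the most detectable moment in the chain. The following is an added example, not code from the Symantec or Zscaler reports: it runs over Sysmon Event ID 7 (ImageLoad) records and flags the generalised pattern, a version.dll resolved from the loading executable's own directory rather than System32, then escalates when the same process goes on to load EndpointDlp.dll. The records are constructed and use Sysmon's EID 7 field names; the GUIDs, paths and signer strings are made up. One caveat a hunter will hit in practice: many Sysmon configurations suppress ImageLoad events for volume reasons, so the rule is only as good as the telemetry actually being collected.

```python
"""Hunt Sysmon Event ID 7 (ImageLoad) telemetry for the version.dll side-load
pattern used to start Mistic.

Added example, not code from the Symantec or Zscaler reports. It generalises the
reported MpExtMs.exe -> version.dll -> EndpointDlp.dll chain: any version.dll
resolved from the loading executable's own directory instead of System32 is a
search-order hijack worth a look. The records below are constructed and mirror
Sysmon EID 7 field names; GUIDs, paths and signer names are made up.
"""
import json
import ntpath

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Sysmon EID 7 records as JSON lines (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000a1}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000b2}",
     "Image": r"C:\Users\Public\Tools\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\version.dll",
     "Signed": "false", "Signature": ""},
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000b2}",
     "Image": r"C:\Users\Public\Tools\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\Tools\EndpointDlp.dll",
     "Signed": "false", "Signature": ""},
    {"ProcessGuid": "{00000000-0000-0000-0000-0000000000c3}",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\version.dll",
     "Signed": "true", "Signature": "Vendor Inc"},
])


def is_version_dll_sideload(event: dict) -> bool:
    """True when version.dll came from the executable's own directory rather than
    a Windows system directory: the generic DLL search-order hijack signal."""
    image_dir = ntpath.dirname(event["Image"].lower())
    loaded = event["ImageLoaded"].lower()
    if ntpath.basename(loaded) != "version.dll":
        return False
    loaded_dir = ntpath.dirname(loaded)
    return loaded_dir not in SYSTEM_DIRS and loaded_dir == image_dir


def hunt(jsonl: str) -> list:
    """Return findings, escalating when a process that side-loaded version.dll
    then loads EndpointDlp.dll (the Mistic loader chain)."""
    findings = []
    sideloaded = set()  # ProcessGuids that have already side-loaded version.dll
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        guid = ev["ProcessGuid"]
        proc = ntpath.basename(ev["Image"].lower())
        module = ntpath.basename(ev["ImageLoaded"].lower())
        if is_version_dll_sideload(ev):
            sideloaded.add(guid)
            signed_by = ev.get("Signature") if ev.get("Signed") == "true" else "unsigned"
            findings.append({"guid": guid, "process": proc,
                             "rule": "version.dll side-load",
                             # the reported host binary is named; any other host is still suspect
                             "severity": "high" if proc == "mpextms.exe" else "medium",
                             "note": f"{ev['ImageLoaded']} ({signed_by})"})
        if module == "endpointdlp.dll" and guid in sideloaded:
            findings.append({"guid": guid, "process": proc,
                             "rule": "Mistic chain: version.dll then EndpointDlp.dll",
                             "severity": "critical", "note": ev["ImageLoaded"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['process']} -> {f['note']}")
```

The signer field is kept as context rather than used as a filter: a signed version.dll in an application directory is still a search-order hijack candidate, which is why the vendor case above lands at medium rather than being dropped.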
Capabilities tied to long-term stealth and persistence
Once EndpointDlp.dll is resident, Mistic connects to command-and-control infrastructure and accepts remote instructions. Symantec enumerates its capabilities: file upload, download, move, rename and delete; folder creation; modifying the polling interval for C2 checks; executing code received from the C2 directly in memory; and terminating itself and deleting files. The in-memory execution model and an included kill switch are the features Symantec highlights as consistent with an operator focused on “long-term, low-visibility access.”
Modularity: BOFs and in-memory expansion, per Zscaler
Cloud security firm Zscaler, which tracks the same malware family under the name MTLBackdoor, reported that it turned up in May as a payload inside a multi-stage ClickFix infection chain. Zscaler called out one of MTLBackdoor’s most powerful features: the ability to load Beacon Object Files (BOFs) to expand its functionality. BOFs are small C programs compiled to COFF object files rather than executables; the implant (the C2 agent) links and runs them inside its own process memory, so nothing is written to disk. They are commonly used with red team frameworks such as Cobalt Strike for post-exploitation tasks, and support for them means an operator can push new capability to an infected host without redeploying the backdoor.
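Because a BOF is a bare object file, generic PE tooling will not recognise one carved from implant memory or a captured C2 task. The following added example (not code from the Symantec or Zscaler reports, and not a loader) parses the COFF layout a BOF loader has to walk before it can run anything, the file header, section headers, symbol table and string table, and checks for the hallmarks of the Cobalt Strike BOF convention: an external function symbol named `go` as the entry point, and undefined symbols of the form `__imp_Beacon*` (Beacon API calls) or `__imp_MODULE$Function` (dynamic function resolution). The object in build_sample_bof() is a constructed test vector, not a real BOF; relocation processing and execution are deliberately out of scope.

```python
"""Triage a suspected Beacon Object File (BOF).

Added example, not code from the Symantec or Zscaler reports and not a BOF
loader: it parses the COFF object layout (file header, section headers, symbol
table, string table) and reports the Cobalt Strike BOF hallmarks. The blob from
build_sample_bof() is a constructed test vector, not a real BOF.
"""
import struct
from dataclasses import dataclass

COFF_HDR = struct.Struct("<HHIIIHH")      # Machine, NumberOfSections, TimeDateStamp,
                                          # PointerToSymbolTable, NumberOfSymbols,
                                          # SizeOfOptionalHeader, Characteristics
SECT_HDR = struct.Struct("<8sIIIIIIHHI")  # 40-byte IMAGE_SECTION_HEADER
SYM_ENT = struct.Struct("<8sIhHBB")       # 18-byte IMAGE_SYMBOL
MACHINES = {0x8664: "x64", 0x14C: "x86"}
IMAGE_SYM_CLASS_EXTERNAL = 2
IMAGE_SYM_UNDEFINED = 0
IMAGE_SCN_MEM_EXECUTE = 0x20000000


@dataclass
class CoffSummary:
    machine: str
    sections: list
    defined_externals: list    # symbols the object provides (the BOF entry "go")
    undefined_externals: list  # symbols the loader must resolve (Beacon API, Win32 via DFR)

    @property
    def beacon_imports(self) -> list:
        return [s for s in self.undefined_externals if s.startswith("__imp_Beacon")]

    @property
    def dfr_imports(self) -> list:
        # Dynamic Function Resolution convention: __imp_MODULE$Function
        return [s for s in self.undefined_externals if s.startswith("__imp_") and "$" in s]

    @property
    def looks_like_bof(self) -> bool:
        return "go" in self.defined_externals and bool(self.beacon_imports or self.dfr_imports)


def _symbol_name(raw: bytes, strtab: bytes) -> str:
    """Short names live in the 8-byte field; long names are a string-table offset."""
    if raw[:4] == b"\0\0\0\0":
        off = struct.unpack_from("<I", raw, 4)[0]
        end = strtab.find(b"\0", off)
        return strtab[off:end if end != -1 else None].decode("ascii", "replace")
    return raw.rstrip(b"\0").decode("ascii", "replace")


def parse_coff(blob: bytes) -> CoffSummary:
    if len(blob) < COFF_HDR.size:
        raise ValueError("too short for a COFF file header")
    machine, nsect, _, symoff, nsyms, optsize, _ = COFF_HDR.unpack_from(blob, 0)
    if machine not in MACHINES:
        raise ValueError(f"unexpected machine type 0x{machine:04x}")
    if optsize != 0:
        raise ValueError("optional header present: this is a PE image, not an object file")
    sections = []
    for i in range(nsect):
        name, _, _, rawsize, _, _, _, nrel, _, chars = SECT_HDR.unpack_from(
            blob, COFF_HDR.size + i * SECT_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": rawsize, "relocs": nrel,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    # The string table follows the symbol table; its first 4 bytes hold its own length.
    strtab_off = symoff + nsyms * SYM_ENT.size
    strtab = b""
    if strtab_off + 4 <= len(blob):
        strtab = blob[strtab_off:strtab_off + struct.unpack_from("<I", blob, strtab_off)[0]]
    defined, undefined = [], []
    i = 0
    while i < nsyms:
        raw, _, secnum, _, sclass, naux = SYM_ENT.unpack_from(blob, symoff + i * SYM_ENT.size)
        name = _symbol_name(raw, strtab)
        if machine == 0x14C and name.startswith("_"):  # strip x86 cdecl decoration
            name = name[1:]
        if sclass == IMAGE_SYM_CLASS_EXTERNAL:
            (undefined if secnum == IMAGE_SYM_UNDEFINED else defined).append(name)
        i += 1 + naux  # skip auxiliary symbol records
    return CoffSummary(MACHINES[machine], sections, defined, undefined)


def build_sample_bof() -> bytes:
    """Constructed x64 COFF object with BOF hallmarks; .text is a RET plus NOP padding."""
    text = b"\xC3" + b"\x90" * 15
    # (name, value, section number, type); type 0x20 = function, section 0 = undefined
    symbols = [("go", 0, 1, 0x20),
               ("__imp_BeaconPrintf", 0, 0, 0x20),
               ("__imp_KERNEL32$GetCurrentProcessId", 0, 0, 0x20)]
    strtab = bytearray(4)  # length field patched below; name offsets count from here
    symtab = bytearray()
    for name, value, secnum, typ in symbols:
        enc = name.encode("ascii")
        if len(enc) <= 8:
            raw = enc.ljust(8, b"\0")
        else:
            raw = struct.pack("<II", 0, len(strtab))
            strtab += enc + b"\0"
        symtab += SYM_ENT.pack(raw, value, secnum, typ, IMAGE_SYM_CLASS_EXTERNAL, 0)
    struct.pack_into("<I", strtab, 0, len(strtab))
    text_off = COFF_HDR.size + SECT_HDR.size
    header = COFF_HDR.pack(0x8664, 1, 0, text_off + len(text), len(symbols), 0, 0)
    sect = SECT_HDR.pack(b".text".ljust(8, b"\0"), 0, 0, len(text), text_off,
                         0, 0, 0, 0, 0x60000020)  # CNT_CODE | MEM_EXECUTE | MEM_READ
    return header + sect + text + bytes(symtab) + bytes(strtab)


if __name__ == "__main__":
    s = parse_coff(build_sample_bof())
    print(s.machine, s.sections)
    print("entry 'go':", "go" in s.defined_externals, "| Beacon API:", s.beacon_imports,
          "| DFR:", s.dfr_imports, "| looks like a BOF:", s.looks_like_bof)
```

The undefined-symbol list is the useful triage output: it tells a responder which Beacon APIs and Win32 functions the object would call without running it, and the `go` entry plus `__imp_` naming is what distinguishes a BOF from an ordinary compiler object carved out of the same memory.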
Link to KongTuke/Woodgnat and the ransomware access market
Symantec links Mistic to KongTuke/Woodgnat, an initial access broker active since at least 2024. That broker specializes in compromising corporate networks and selling access to ransomware operators; Symantec names Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta as recipient groups. In at least one incident, Mistic was deployed shortly after ModeloRAT — a backdoor attributed to KongTuke and known to be delivered via social engineering over Microsoft Teams. Symantec also notes KongTuke’s broader toolset: legitimate WinPython and Node.js runtimes to execute malicious code, finger.exe to retrieve obfuscated payloads, a fake NexShield browser extension, an encrypted GateKeeper .NET payload, and loaders such as MintsLoader and D3F@ck Loader. KongTuke’s delivery methods have included ClickFix and its variants FileFix and CrashFix since early 2025, according to Symantec.
Timeline, targets, and available indicators
Symantec reports Mistic has been used in financially motivated intrusions since April, and Zscaler observed it in May as part of a ClickFix chain. The attacks documented in the reports target organizations in four named sectors: insurance, education, information technology, and professional services. Both Symantec and Zscaler include indicators of compromise tied to Mistic/MTLBackdoor and emphasize the malware’s stealth and extensibility.
What this means for technologists, affected enterprises, and procurement leaders
- Technologists and security teams: Monitor for the specific side-load pattern (MpExtMs.exe loading a version.dll from outside System32, followed by EndpointDlp.dll) and for an anomalous .NET login UI spawned from the same chain. Review detections and the indicators of compromise published by Symantec and Zscaler for hunting and incident response.
- Affected enterprises in insurance, education, IT, and professional services: These sectors appear as targets in the incidents analyzed, and a Mistic deployment may follow an earlier backdoor such as ModeloRAT, which itself arrives through Microsoft Teams social engineering.
- Procurement and platform owners: KongTuke has reused legitimate runtimes (WinPython, Node.js) and multiple loaders and extensions in past campaigns, which underscores the value of controlling which third-party or seemingly benign tooling, interpreters included, is permitted to execute in corporate environments.
Symantec and Zscaler describe Mistic/MTLBackdoor as a purpose-built, stealthy backdoor that can be expanded in memory, fitting a pattern of initial access brokers developing custom post-access tooling. Both vendors publish indicators for defenders. Whether KongTuke adapts the chain, reuses Mistic in broader campaigns, or hands the capability to downstream ransomware operators remains open; the observed timeline and tooling overlap do not settle it.