
Mistic Backdoor Exposes Link to Corporate Network Access Broker


"The fact that Mistic executes in memory and also has a kill switch built in means that it is very stealthy, potentially allowing for long-term, stealthy access for attackers," the threat hunters wrote.

Mistic: a backdoor that erases its tracks

First observed in intrusions since April, Mistic (also tracked as MLTBackdoor) is a novel backdoor that combines routine remote-access capabilities with an uncommon self-destruct capability. Symantec and Carbon Black threat hunters report that Mistic can upload, download, move, rename, and delete files; create folders; and poll an attacker-controlled command-and-control (C2) server for further instructions. Crucially, the backdoor can execute remote payloads directly in memory so it does not drop files to disk, and it contains a built-in termination mechanism that deletes itself when operators choose to remove evidence of the intrusion.

Delivery techniques: ClickFix, DLL side-loading, and blending with legitimate binaries

Researchers link Mistic to multi-stage delivery methods. Zscaler documented Mistic being delivered in a ClickFix infection chain earlier this month, and Symantec and Carbon Black describe a case where Mistic was side-loaded through a legitimate file named MpExtMs.exe and loaded from a DLL called EndpointDlp.dll. The use of a legitimate executable and a DLL with a plausible name likely helped the backdoor blend in with sanctioned software and evade basic file-analysis heuristics.

Possible link to an initial access broker: KongTuke (Woodgnat) and ModeloRAT

Symantec and Carbon Black say Mistic "may be linked to the financially motivated initial access broker (IAB) tracked publicly as KongTuke (which we track as Woodgnat)" and note at least one intrusion where Mistic was deployed in close proximity to ModeloRAT, a Python-based remote access trojan developed by the same group. The researchers characterize this attribution as low-confidence, since it rests on Mistic and ModeloRAT appearing together in the same incident. Zscaler’s observation that Mistic was delivered via ClickFix aligns with known KongTuke techniques, adding another pointer toward the IAB.

How the access broker market factors in: sellers and buyers of footholds

Symantec and Carbon Black note a crucial operational role played by initial access brokers: "KongTuke and other IABs don’t deliver the final payload – such as ransomware – to compromised companies. Rather, they break into company systems, and then sell that foothold to other criminals, like ransomware gangs." Public reporting ties KongTuke to ransomware crews including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The researchers add that their Threat Hunter Team has separately observed ModeloRAT used in attacks that deployed Qilin ransomware, further connecting the tooling observed around Mistic to real-world ransomware incidents.

Observed targets and sectors

Symantec and Carbon Black report that Mistic has been used to access multiple organizations over the past few months, with victims spanning insurance, education, IT, and professional services. Those sectoral details suggest the tool is being employed broadly rather than against a narrow or unique target class.

What this means for security teams, insurers, and affected enterprises

  • Security teams: Expect stealthy in-memory execution and self-deleting behavior to complicate file-based detection and forensic recovery. Investigations that rely on disk artifacts may miss operations that ran only in memory or were purged by Mistic’s kill switch.
  • Insurers and risk assessors: The involvement of initial access brokers who sell footholds to ransomware operators underscores that compromises can be commodified; associating a breach with a downstream ransomware deployment may require tracing multiple actors and toolchains, including Mistic and ModeloRAT.
  • Affected enterprises (insurance, education, IT, professional services): The combination of DLL side-loading through MpExtMs.exe and loading from EndpointDlp.dll shows attackers’ willingness to hide in legitimate binaries — detection programs and incident response playbooks should account for side-loaded components and anomalous in-memory payloads.

Self-deleting, in-memory backdoors like Mistic sharpen a painful truth: intrusion economics and modular tooling allow one criminal group to gain a stealthy foothold and another to weaponize it. The record Symantec, Carbon Black, and Zscaler lay out ties Mistic to common IAB techniques and to existing RATs such as ModeloRAT, but the researchers flag their own attribution as cautious. For defenders, the actionable detail is plain — look for the delivery chains (ClickFix), watch for DLL side-loading of benign-sounding binaries (MpExtMs.exe, EndpointDlp.dll), and prioritize memory-resident detection and live-response capability to counter tools that erase themselves when the mission is done.
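The side-loading pattern described above (a legitimate-looking executable such as MpExtMs.exe loading a plausibly named DLL such as EndpointDlp.dll) is easier to hunt for when image-load telemetry is checked against where the pair is running from and whether the DLL is signed. The following is an added example written for this page, not code from Symantec, Carbon Black or Zscaler. It runs a simple classifier over constructed image-load records shaped like Sysmon Event ID 7 fields; the trusted-root directories, the vendor install path and the sample events are assumptions to be tuned to a real estate. It does not address the in-memory execution half of the problem, which needs memory-resident detection rather than file telemetry.

```python
"""Flag image-load events consistent with DLL side-loading.

Added example; not the researchers' own code. The record layout mirrors
Sysmon image-load (Event ID 7) fields, but every event below is constructed.
"""
from dataclasses import dataclass
import ntpath

# Directories where sanctioned software normally lives. Assumption: tune
# this list to your own estate (lower-case, trailing backslash).
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Executable/DLL pairs named in the reporting as abused for side-loading.
# The pair alone is not malicious; the legitimate product loads it too.
WATCHED_PAIRS = {
    "mpextms.exe": {"endpointdlp.dll"},
}


@dataclass(frozen=True)
class ImageLoad:
    image: str         # full path of the process executable
    image_loaded: str  # full path of the DLL being loaded
    signed: bool       # True if the DLL passed signature verification


def _in_trusted_root(path):
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def classify(event):
    """Return the sorted list of reasons an event looks like side-loading.

    An empty list means nothing suspicious was found.
    """
    reasons = set()
    exe_name = ntpath.basename(event.image).lower()
    dll_name = ntpath.basename(event.image_loaded).lower()
    exe_dir = ntpath.dirname(event.image).lower()
    dll_dir = ntpath.dirname(event.image_loaded).lower()

    # Specific check: a watched pair running from an unexpected location,
    # or with a DLL that no longer passes signature verification.
    watched = WATCHED_PAIRS.get(exe_name)
    if watched is not None and dll_name in watched:
        if not _in_trusted_root(event.image):
            reasons.add("watched executable running outside trusted roots")
        if not event.signed:
            reasons.add("watched DLL failed signature check")

    # Generic check: an unsigned DLL loaded from the executable's own
    # directory when that directory is not a trusted install location.
    if dll_dir == exe_dir and not event.signed \
            and not _in_trusted_root(event.image_loaded):
        reasons.add("unsigned DLL loaded from process directory outside trusted roots")

    return sorted(reasons)


# Constructed sample telemetry; paths and user name are invented.
SAMPLE_EVENTS = [
    # Benign: watched pair, but from an install directory and signed.
    ImageLoad(r"C:\Program Files\Vendor\MpExtMs.exe",
              r"C:\Program Files\Vendor\EndpointDlp.dll", True),
    # Suspicious: same names, user-writable directory, unsigned DLL.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\MpExtMs.exe",
              r"C:\Users\alice\AppData\Local\Temp\EndpointDlp.dll", False),
    # Benign and unrelated: system binary loading a system DLL.
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll", True),
]


def hunt(events):
    """Map each flagged process image to its list of reasons."""
    findings = {}
    for event in events:
        reasons = classify(event)
        if reasons:
            findings[event.image] = reasons
    return findings


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS).items():
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The specific and generic checks are deliberately separate: the named pair catches the reported tradecraft, while the generic rule (unsigned DLL beside its host executable outside trusted roots) still fires when the same technique is repeated with binaries that have not yet been publicly named.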
