Mistic Backdoor Targets Multiple Sectors in KongTuke's Financially Motivated Attacks

"The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access," Broadcom's cybersecurity teams said in a report shared with The Hacker News.

Mistic’s capabilities and stealth techniques

Researchers at Broadcom described Mistic (also tracked as MLTBackdoor) as a stealthy backdoor that executes entirely in memory and offers a full set of remote-access capabilities without leaving conventional disk artifacts. Broadcom's analysis lists core functions that include uploading and downloading files, moving, renaming, or deleting files, creating folders, changing the interval for polling a command server, executing code from a command-and-control (C2) channel directly in memory, loading Beacon Object Files (BOFs) to expand functionality, and terminating and deleting itself.

Two features stand out: in-memory execution and a kill switch. Both reduce forensic visibility and support a persistent, low-profile foothold on compromised hosts — attributes Broadcom tied to an operator seeking "long-term, low-visibility access." Broadcom also emphasized the backdoor's "stealth" and the possibility that the same actor behind the access broker Woodgnat may have developed ModeloRAT, the Python RAT observed delivered alongside Mistic.

Connection to KongTuke, ModeloRAT, and ClickFix campaigns

Symantec and Carbon Black's Threat Hunter Team linked Mistic to KongTuke — an initial access broker (IAB) tracked under multiple aliases including 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat. According to those researchers, Mistic has been deployed since April 2026 across organizations in insurance, education, IT, and professional services.

The backdoor has been observed dropped together with ModeloRAT, a Python remote access trojan Symantec and Carbon Black say was previously attributed to KongTuke. Huntress first flagged ModeloRAT in January 2026 in a ClickFix variant dubbed CrashFix, where attackers used a malicious Google Chrome extension pretending to be an ad blocker to crash a victim's browser and trick them into running commands under the guise of a security scan.

Zscaler ThreatLabz earlier this month highlighted that Mistic has been delivered using ClickFix techniques and attributed that activity to a ransomware-related threat actor establishing a foothold for lateral movement. Symantec and Carbon Black further noted that ModeloRAT has been observed in attacks that deployed Qilin ransomware.

Delivery mechanics: DLL side-loading, trusted tooling, and DNS signaling

Broadcom reported that the malware leverages DLL side-loading to blend with legitimate processes, specifically using a Microsoft endpoint security executable — "MpExtMs.exe" — as part of its delivery to avoid raising alerts. The backdoor's execution model — loading code into memory and running payloads without touching disk — pairs with that sideloading technique to minimize observable artifacts on infected systems.

Separately, Microsoft observed variants of ClickFix campaigns that used DNS lookups as a lightweight staging or signaling channel to retrieve next-stage payloads. In one ClickFix campaign detailed by Huntress, the actors forced browser crashes via a malicious extension to induce victims to run arbitrary commands; in another, DNS queries delivered the next stage.

KongTuke’s distribution methods and recent pivots

Symantec and Carbon Black described KongTuke as operating a traffic distribution system (TDS) built on compromised WordPress sites, using that infrastructure to serve an evolving set of lures that steer visitors toward malware. Rapid7 and ReliaQuest reported that as recently as last month KongTuke had shifted tactics to sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that led to ModeloRAT deployment.

Broadcom characterized the group as skilled at developing stealthy remote access tools and suggested Mistic was likely developed by access brokers working with ransomware affiliates rather than by a ransomware group itself. "The use of custom tools in ransomware attacks is becoming a more common phenomenon," Broadcom observed, adding that Backdoor.Mistic appears to continue that trend.

What this means for technologists, affected enterprises, and incident responders

  • Technologists and security teams: Expect adversaries to combine DLL sideloading, in-memory execution, and legitimate tooling to evade detection. Monitoring for anomalous use of "MpExtMs.exe" and unexplained in-memory process behavior may be relevant given Broadcom's findings.
  • Affected enterprises (insurance, education, IT, professional services): The targeting appears opportunistic, Symantec and Carbon Black said, meaning organizations across those sectors should evaluate access controls, logging around DNS queries, and collaboration tools that could carry malicious lures such as fake IT Support Microsoft Teams messages.
  • Incident responders and forensic teams: The combination of in-memory execution and a built-in kill switch increases the importance of timely detection and volatile-memory collection. Broadcom's description underscores that artifacts on disk may be minimal or intentionally removed.
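As an added example (not code from Broadcom's report or the original article), the following Python script applies the monitoring idea above to constructed Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events: it flags MpExtMs.exe when it runs from, or loads a module from, a directory other than the assumed legitimate install directories, or when the loaded module is unsigned. The expected directories, field names, process IDs and the placeholder DLL name are assumptions, not indicators from the report.

```python
# Assumed legitimate install directories for the Microsoft binary (not from the report).
EXPECTED_DIRS = (
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)
TARGET_IMAGE = "mpextms.exe"  # executable named in Broadcom's analysis


def _in_expected_dir(path):
    """True if the path sits under one of the assumed legitimate directories."""
    return any(path.lower().startswith(d) for d in EXPECTED_DIRS)


def assess_event(event):
    """Return the reasons an event looks like DLL side-loading (empty list if benign)."""
    image = event.get("Image", "")
    if image.lower().rsplit("\\", 1)[-1] != TARGET_IMAGE:
        return []  # only the named binary is of interest here
    reasons = []
    if not _in_expected_dir(image):
        reasons.append("binary launched from unexpected directory: " + image)
    if event.get("EventID") == 7:  # image load: the side-loaded module itself
        loaded = event.get("ImageLoaded", "")
        if not _in_expected_dir(loaded):
            reasons.append("module loaded from outside expected directory: " + loaded)
        if str(event.get("Signed", "")).lower() != "true":
            reasons.append("unsigned module loaded: " + loaded)
    return reasons


def scan(events):
    """Return (ProcessId, reasons) pairs for every event that produced findings."""
    findings = []
    for event in events:
        reasons = assess_event(event)
        if reasons:
            findings.append((event.get("ProcessId"), reasons))
    return findings


# Constructed sample telemetry (not real IoCs); the DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1200, "Image": "C:\\Program Files\\Windows Defender\\MpExtMs.exe"},
    {"EventID": 1, "ProcessId": 4412, "Image": "C:\\Users\\Public\\Libraries\\MpExtMs.exe"},
    {"EventID": 7, "ProcessId": 4412, "Image": "C:\\Users\\Public\\Libraries\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\Public\\Libraries\\PLACEHOLDER_sideloaded.dll", "Signed": "false"},
    {"EventID": 1, "ProcessId": 3300, "Image": "C:\\Windows\\System32\\notepad.exe"},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: " + "; ".join(reasons))
```

Only the two events for process 4412 produce findings; the legitimately located copy and the unrelated process are left alone.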

Symantec and Carbon Black portray Mistic as a resourceful tool in an access-broker playbook: stealthy, modular, and designed to hand off access to others who may deploy ransomware. The chain described — TDS lures, ClickFix delivery variants, DNS signaling, ModeloRAT, and Mistic running in memory via DLL sideloading — outlines a flexible pipeline for initial access through to covert persistence. As researchers continue to investigate activity since April 2026, defenders will be measuring whether the toolset becomes more widespread or remains a specialist capability of KongTuke-linked operators.