A newly identified stealth backdoor, named Mistic, has been used in financially motivated attacks against organizations in several industries since April 2026. Its main purpose is to maintain persistence and keep access to the infected system.
It executes its payload in RAM, leaves no traces on disk, and has a self-deletion mechanism.
The backdoor is linked to an initial access broker known as KongTuke, a group tracked under multiple aliases. It is dropped alongside ModeloRAT, a Python remote access trojan previously attributed to the same actors.
Together, these tools are being used to compromise organizations in insurance, education, IT, and professional services.
Who Is Behind the Attacks?
The Mistic stealth backdoor operation is thought to be run by the initial access provider known as KongTuke.
This actor has been tracked under multiple aliases, including but not limited to the following:
1. KongTuke
2. 404 TDS
3. Chaya_002
4. LandUpdate808
5. TAG-124
6. Woodgnat
KongTuke operates a traffic distribution system built on compromised WordPress sites. They use it to deliver lures that lead unsuspecting site visitors to malware. The group has displayed constant evolution in their methods by moving from browser crashes to Microsoft Teams messages for deploying payloads.
According to recent Rapid7 and ReliaQuest reports, the threat actor now uses Microsoft Teams messages sent from fake IT Support accounts to initiate the attack chain that deploys ModeloRAT.
What is Mistic?
The Mistic stealth backdoor campaign includes a backdoor that gives the group additional capabilities. Mistic is deployed via DLL side-loading, using trusted Microsoft endpoint security tooling (MpExtMs.exe) to blend in and avoid detection.
The backdoor runs directly in memory. It writes no file to disk. It includes a kill switch that lets it delete itself. These features are consistent with an operator seeking long-term, low-visibility access.
Mistic's capabilities include:
1. Upload and download files
2. Move, rename, and delete files
3. Create folders
4. Adjust the polling rate for command execution
5. Run commands sent by C2 Server in memory
6. Load Beacon Object Files (BOFs) to extend its functionality
7. Terminate and self-delete
The ability to load BOFs is especially significant because it lets the operator extend the backdoor's functionality without altering the main payload.
The Delivery: ClickFix Campaigns
The Mistic stealth backdoor campaign uses ClickFix as a delivery vector. ClickFix campaigns trick users into running arbitrary commands under the pretext of running a security scan.
In earlier variants, the group used a malicious Google Chrome extension masquerading as an ad blocker to intentionally crash the victim's web browser. The crash was followed by a prompt to run a "security scan" command.
Other ClickFix campaigns involved running commands that performed DNS lookups to retrieve next-stage payloads. DNS was used as a lightweight staging or signaling channel.
The most recent means of infection consists of messages sent through Microsoft Teams from an IT Support imposter. The messages trick users into executing commands that deploy ModeloRAT and Mistic.
What Is ModeloRAT?
ModeloRAT is a Python remote access trojan previously attributed to KongTuke. It was first flagged in January 2026 in connection with a ClickFix campaign dubbed CrashFix.
ModeloRAT is often deployed alongside the Mistic stealth backdoor campaign's signature backdoor. The two tools work together to provide the attacker with both initial access and long-term persistence.
Broadcom noted that the use of ModeloRAT in attacks that deployed Qilin ransomware suggests the group is working with ransomware affiliates. The access brokers sell their footholds to ransomware operators.
Who Is Being Targeted?
Opportunistic targeting has been observed in the Mistic stealth backdoor operation.
The following industries have been targeted by the threat actors:
1. Insurance
2. Education
3. IT services
4. Professional services
The attackers are not focused on a single sector. They are assessing which organizations they could sell access to. This is consistent with the behavior of an initial access broker.
Why This Campaign Is Notable
The Mistic stealth backdoor campaign stands out for several reasons:
1. Memory-only execution. The backdoor runs completely in memory. It writes no file to disk. This makes it extremely difficult to detect with traditional file-based scanning.
2. Self-deletion kill switch. The malware can terminate and delete itself if the operator believes it has been detected.
3. DLL side-loading. Loading the malware through a trusted Microsoft executable helps it stay hidden from defenses that trust the host process.
4. BOF loading. Beacon Object Files extend the backdoor's functionality without modifying the core payload.
5. Access broker model. The group is not deploying ransomware themselves. They are selling access to ransomware affiliates.
Custom Tools Evolution
The Mistic stealth backdoor attack is an example of a larger trend: the use of custom tools in ransomware attacks. Several ransomware gangs have recently been seen using custom tools for data exfiltration and other tasks.
It can be said that Mistic is part of this larger trend; however, it is likely created by access brokers working with ransomware affiliates and not ransomware groups themselves.
Creating custom tools is a sign of high technical skill. The attackers are not relying solely on off-the-shelf malware. They are building their own capabilities.
What to Do
If you are in any of the targeted sectors, take these steps:
1. Monitor for Microsoft Teams messages from unknown IT Support accounts. This is a known delivery vector.
2. Watch for DLL side-loading behavior and for any process creation involving MpExtMs.exe.
3. Monitor any connection to the identified KongTuke network infrastructure. There are certain domains and IPs that this malware uses.
4. Deploy an EDR solution that has memory scanning capabilities. Scanning based on files will not be effective against Mistic.
5. Assume compromise if you were targeted. The group is opportunistic. If they were in your sector, they may have attempted access.
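The following is an added example for steps 1 and 2 above, written for this article and not code from the article's author or from any vendor. It scans Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records for the side-loading pattern the article describes: MpExtMs.exe running from outside its expected Microsoft Defender directory, MpExtMs.exe spawned by a user-facing shell (as a ClickFix-style pasted command would do), or MpExtMs.exe loading an unsigned or non-Microsoft DLL from its own directory. The event field names, the expected Defender install paths, and the sample events (including the DLL names and version directory) are constructed assumptions, not indicators from the campaign.

```python
"""Flag DLL side-loading indicators around MpExtMs.exe in endpoint telemetry.

Added example, not the article's or any vendor's code. Event shape
(Sysmon-style dicts), the expected Defender directories and the sample
records below are assumptions; adapt them to your own telemetry source.
"""
import json
from pathlib import PureWindowsPath

# Assumption: a legitimate MpExtMs.exe lives under one of these trees.
EXPECTED_PARENT_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\program files\windows defender",
)
MICROSOFT_SIGNERS = ("microsoft windows", "microsoft corporation")
SHELL_PARENTS = ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")

# Constructed sample telemetry (not real IoCs): a benign start and DLL load,
# then a copy of the binary run from a temp folder that loads an unsigned DLL.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpExtMs.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 7,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpClient.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1,
     "Image": r"C:\Users\alice\AppData\Local\Temp\scan\MpExtMs.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\scan\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\scan\version.dll",
     "Signed": "false", "Signature": ""},
]


def _norm_dir(path):
    """Lower-cased parent directory of a Windows path, for comparisons."""
    return str(PureWindowsPath(path).parent).lower()


def _in_expected_dir(image):
    """True if the executable sits under an expected Defender directory."""
    return any(_norm_dir(image).startswith(d) for d in EXPECTED_PARENT_DIRS)


def check_event(ev):
    """Return a list of finding strings for one event (empty if benign)."""
    findings = []
    image = ev.get("Image", "")
    if PureWindowsPath(image).name.lower() != "mpextms.exe":
        return findings  # only the side-loading host process is of interest

    if not _in_expected_dir(image):
        findings.append(f"MpExtMs.exe running outside expected Defender directory: {image}")

    if ev.get("EventID") == 1:
        parent = PureWindowsPath(ev.get("ParentImage", "")).name.lower()
        if parent in SHELL_PARENTS:
            findings.append(f"MpExtMs.exe spawned by user shell {parent} (ClickFix-style chain)")
    elif ev.get("EventID") == 7:
        dll = ev.get("ImageLoaded", "")
        signed = ev.get("Signed", "false").lower() == "true"
        signer_ok = ev.get("Signature", "").lower() in MICROSOFT_SIGNERS
        # Side-loading relies on a DLL placed next to the trusted executable.
        if _norm_dir(dll) == _norm_dir(image) and not (signed and signer_ok):
            findings.append(f"Non-Microsoft DLL loaded from MpExtMs.exe directory: {dll}")
    return findings


def scan(events):
    """Map event index -> findings for every event that produced at least one."""
    results = {}
    for idx, ev in enumerate(events):
        findings = check_event(ev)
        if findings:
            results[idx] = findings
    return results


if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

Run against the constructed sample, only the two temp-folder events produce findings; the legitimate start and its Microsoft-signed DLL load stay silent. Tuning the expected-directory list to your Defender deployment is what keeps the first check from firing on normal platform updates.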
The Bottom Line
The Mistic stealth backdoor campaign demonstrates how initial access brokers are becoming more sophisticated. Memory-only backdoors. Self-deletion kill switches. Dynamic capability expansion. Trusted executable abuse.
The attackers are not deploying ransomware themselves. They are selling access to those who do.
If you run an organization in insurance, education, IT, or professional services, be on alert. The attackers are casting a wide net. And the backdoor they are using is designed to stay hidden.
FAQ Section
What is the Mistic stealth backdoor?
Mistic is a memory-only backdoor deployed in financially motivated attacks. It runs payloads in memory, writes no files to disk, and includes a self-deletion kill switch.
Who is behind the Mistic stealth backdoor campaign?
The campaign is linked to an initial access broker known as KongTuke, also tracked as 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat.
What is ModeloRAT?
ModeloRAT is a Python remote access trojan previously attributed to KongTuke. It is deployed alongside Mistic and has been observed in attacks that deployed Qilin ransomware.
What is the delivery mechanism of Mistic?
The backdoor is delivered through ClickFix campaigns, either via Microsoft Teams messages from fraudulent IT Support accounts or via malicious Chrome extensions.
Against which sectors have these attacks been launched?
The attacks have been launched on organizations working in insurance, education, IT, and professional services.
Why is Mistic difficult to detect?
It runs completely in memory, writes no files to disk, uses DLL side-loading with trusted Microsoft executables, and can delete itself on command.