Backdoor.Mistic: New Backdoor May be Linked to Ransomware Access Broker
Backdoor.Mistic is a new stealthy backdoor deployed in cybercrime intrusions since April 2026, using DLL sideloading via legitimate MpExtMs.exe and masquerading as EndpointDlp.dll. It executes payloads in memory with a self-deleting kill switch, enabling long-term covert access. Mistic is likely linked to Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has been used in attacks delivering Qilin ransomware, connecting this backdoor to the broader ransomware ecosystem.
- domainauthorized-logins[.]netC2 domain with multiple subdomains (mail, php, sss) used for attacker command-and-control infrastructure
- domainb6w9m2z5x8q1v3k[.]topC2 domain associated with Mistic/Woodgnat infrastructure
- domaincarrolc[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domaincj06y9v4xab[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domaincwrtwright[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domaindefs[.]updater-worelos[.]comSubdomain C2 associated with updater-worelos.com infrastructure
- domainftps[.]upd-domain-goloro[.]comSubdomain C2 associated with upd-domain-goloro.com infrastructure
- domaingrande-luna[.]topC2 domain associated with Mistic/Woodgnat infrastructure
- domainhuman-check[.]topC2 domain associated with Mistic/Woodgnat infrastructure; name mimics CAPTCHA/human verification
- domainmail[.]authorized-logins[.]netSubdomain C2 associated with authorized-logins.net infrastructure
- domainmailes[.]upd-domain-goloro[.]comSubdomain C2 associated with upd-domain-goloro.com infrastructure
- domainmails[.]updater-worelos[.]comSubdomain C2 associated with updater-worelos.com infrastructure
- domainmueleer[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domainnano[.]upscale-kolo[.]comSubdomain C2 associated with upscale-kolo.com infrastructure
- domainoeannon[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domainphp[.]authorized-logins[.]netSubdomain C2 associated with authorized-logins.net infrastructure
- domainrotoa-upda-lo[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domainsql-updater-service[.]comC2 domain associated with Mistic/Woodgnat infrastructure
- domainsss[.]authorized-logins[.]netSubdomain C2 associated with authorized-logins.net infrastructure
- domainthomphon[.]comC2 domain serving Mistic MSI payload at /update.msi path
- domainupdater-worelos[.]comC2 domain with multiple subdomains (defs, mails) used for attacker command-and-control infrastructure
- domainupdate[.]update-fall[.]comSubdomain C2 associated with update-fall.com infrastructure
- domainupd-domain-goloro[.]comC2 domain with multiple subdomains used for attacker infrastructure
- domainupscale-kolo[.]comC2 domain with subdomain (nano) used for attacker command-and-control infrastructure
- domainw3xasv14culvnqj[.]topC2 domain associated with Mistic/Woodgnat infrastructure
- ip142[.]93[.]242[.]144Network indicator associated with Mistic/Woodgnat attack infrastructure
- ip144[.]31[.]53[.]78Network indicator associated with Mistic/Woodgnat attack infrastructure
- ip198[.]13[.]159[.]44Network indicator associated with Mistic/Woodgnat attack infrastructure
- ip199[.]91[.]221[.]42Network indicator associated with Mistic/Woodgnat attack infrastructure
- sha2561e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984Backdoor.Mistic payload masquerading as EndpointDlp.dll, loaded via DLL sideloading through legitimate MpExtMs.exe
- sha25634d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc.NET credential stealer displaying a fake login screen, deployed alongside Mistic in investigated intrusion (f.dll)
- sha2563f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4beBackdoor.Mistic MSI installer (aeff97fe.msi)
- sha25659e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712Loader DLL (version.dll) that hooks GetModuleFileNameW and LoadLibraryW to facilitate Mistic sideloading chain
- sha2568c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235Likely privilege escalation DLL (n.dll) deployed in Mistic attack chain
- sha256afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82cBackdoor.Mistic payload masquerading as EndpointDlp.dll (additional sample)
- sha256db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5Backdoor.Mistic payload masquerading as EndpointDlp.dll (additional sample)
- sha256f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344eBackdoor.Mistic MSI installer (48b47c0.msi)
- sha256fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34aBackdoor.Mistic payload masquerading as EndpointDlp.dll (additional sample)
- urlhxxp://thomphon[.]com/update[.]msiURL serving Mistic MSI payload from thomphon.com C2 server
Detection / Hunteropenrouter
What Happened
A new malicious program called Backdoor.Mistic has been discovered in attacks since April 2026. It disguises itself as legitimate security software to avoid detection and can run malicious code entirely in a computer's memory without leaving traces on disk, making it very hard to find. The backdoor is likely connected to a criminal group called Woodgnat, which specializes in breaking into organizations and selling that access to ransomware gangs who then demand payment. Woodgnat tricks people into running malicious commands through fake error messages, fake CAPTCHA tests, and even fake IT support chats via Microsoft Teams. Organizations in insurance, education, IT, and professional services have been targeted. Defenders should check their systems for the specific files, network connections, and behaviors described in this report, and should educate employees about the social-engineering tactics being used.
Key Takeaways
- Backdoor.Mistic is a stealthy new backdoor active since April 2026, using DLL sideloading via legitimate MpExtMs.exe and masquerading as EndpointDlp.dll to blend with Microsoft endpoint-security tooling
- Mistic executes payloads entirely in memory with no disk artifacts and includes a self-deleting kill switch, enabling long-term low-visibility access
- Mistic is likely linked to Woodgnat (aka KongTuke), an initial access broker whose ModeloRAT toolkit has fed Qilin and other ransomware operations including Interlock, Rhysida, Akira, 8Base, and Black Basta
- Woodgnat uses evolving social-engineering lures (ClickFix, FileFix, CrashFix) and Microsoft Teams helpdesk pretexts to trick users into pasting and running malicious PowerShell commands
- A .NET credential stealer displaying a fake login screen was deployed alongside Mistic in at least one investigated intrusion
Affected Systems
- Windows endpoints (all versions supporting DLL sideloading)
- Microsoft 365 tenants (targeted via external Teams chats)
- Web browsers (used for social-engineering lures via compromised WordPress sites)
- Active Directory environments (targeted for Kerberoasting and domain enumeration)
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Social-engineering lures (ClickFix, FileFix, CrashFix) via compromised WordPress sites or Microsoft Teams helpdesk pretexts trick users into pasting and running attacker-supplied PowerShell commands
- Execution: Multi-stage PowerShell chain downloads and unpacks portable WinPython environment; ModeloRAT Python scripts launched via signed pythonw.exe; Mistic deployed via DLL sideloading through legitimate MpExtMs.exe loading malicious EndpointDlp.dll
- Persistence: Registry Run-key entries masquerading as legitimate remote-access software (AnyDesk, Splashtop, Comms), startup-folder shortcuts, VBScript launchers, and scheduled tasks
- Reconnaissance: Domain users/groups/computers enumerated via net.exe; host and service inventories gathered via PowerShell; Active Directory and Kerberoasting queries against SPN accounts to harvest crackable credentials
- C2: Mistic beacons to C2 servers and executes payloads in memory; ModeloRAT uses RC4-encrypted C2 with multiple failover servers and DGA for non-domain-joined victims
- Exfiltration: Data staged and exfiltrated over HTTP using curl.exe; screenshots captured and credential stealer deployed
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Symantec Protection Bulletin
No detection rules are provided in the article. The article references the Symantec Protection Bulletin for latest protection updates but does not include YARA, Sigma, Snort, Suricata, KQL, SPL, or EQL rule content.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | Mistic's in-memory execution and lack of disk artifacts reduce EDR file-based detection. However, the DLL sideloading chain (MpExtMs.exe loading version.dll which loads EndpointDlp.dll) and the use of living-off-the-land tools (net.exe, reg.exe, wmic, certutil, curl) generate process telemetry that EDR can capture. The .NET credential stealer fake login screen may also generate display-related telemetry. |
| Network Visibility | Medium | C2 domains and IPs are documented, and ModeloRAT uses RC4-encrypted C2 over HTTP. Network monitoring for connections to listed domains/IPs and suspicious HTTP traffic patterns (e.g., MSI downloads from non-standard domains) would provide detection opportunities. However, use of legitimate protocols and curl for exfiltration may blend with normal traffic. |
| Detection Difficulty | Hard | Mistic executes in memory with no disk artifacts and uses a kill switch for self-deletion. The DLL sideloading chain uses legitimate signed binaries and security-tooling filenames. Woodgnat rotates through multiple Microsoft 365 tenants and uses DGA for C2 domains. The social-engineering lures rely on user-initiated execution, bypassing many automated controls. Multiple redundant persistence mechanisms and living-off-the-land tools further complicate detection. |
Required Log Sources
- Windows process creation events (Event ID 4688 / Sysmon Event ID 1)
- DLL/image load events (Sysmon Event ID 7)
- Registry modification events (Sysmon Event ID 12, 13)
- Network connection events (Sysmon Event ID 3, firewall logs)
- PowerShell script block logging (Event ID 4104)
- Active Directory Kerberos service ticket requests (Event ID 4769)
- DNS query logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for DLL sideloading activity where a legitimate signed executable (such as MpExtMs.exe) loads a DLL named EndpointDlp.dll or version.dll from a non-standard directory, which may indicate Backdoor.Mistic deployment. | Sysmon Event ID 7 (Image Loaded) or EDR DLL load telemetry showing the process and loaded module paths | Execution | Medium — legitimate endpoint security products may load similarly named DLLs from their own installation directories; verify the loading path and parent process context |
| Consider hunting for processes named pythonw.exe or node.exe executing from temporary or user-writable directories, which may indicate ModeloRAT or attacker JavaScript execution via abused legitimate runtimes. | Process creation events (Sysmon Event ID 1 / Event ID 4688) with full command line and image path | Execution | Medium — developers and IT staff may legitimately run Python or Node.js from portable or non-standard locations; correlate with network connections to known C2 infrastructure |
| Consider hunting for registry Run-key entries with values masquerading as legitimate remote-access software names (AnyDesk, Splashtop, Comms) but pointing to non-standard executable paths, which may indicate Woodgnat persistence. | Sysmon Event ID 12/13 (Registry object value set) or EDR registry monitoring for HKCU\Software\Microsoft\Windows\CurrentVersion\Run modifications | Persistence | Low to Medium — legitimate remote-access software installations also create Run-key entries; verify the executable path and signing status |
| Consider hunting for Kerberoasting activity where service ticket requests (T1558.003) are followed by credential cracking or unusual network exfiltration, which may indicate Woodgnat reconnaissance and credential harvesting. | Windows Security Event ID 4769 (Kerberos service ticket requested) with ticket encryption type downgrades; correlate with subsequent network connections to non-standard domains | Credential Access | Medium — legitimate service ticket requests are common in Active Directory environments; focus on unusual volume, encryption downgrade patterns, and requests for unusual SPNs |
| Consider hunting for curl.exe being used to transfer data to external domains, particularly in combination with preceding PowerShell or certutil activity, which may indicate Woodgnat data exfiltration. | Process creation events showing curl.exe with network arguments, combined with network connection logs to external destinations | Exfiltration | Medium — curl is a legitimate tool used by developers and administrators; focus on processes initiated from non-standard parent chains or connecting to newly registered or suspicious domains |
Control Gaps
- Application allowlisting would not block Mistic since it uses legitimate signed executables (MpExtMs.exe) for sideloading
- Traditional file-based AV may miss Mistic payloads that execute entirely in memory without writing to disk
- Domain-based blocking may be insufficient against Woodgnat's DGA-based C2 rotation for non-domain-joined victims
- External Teams chat filtering may not catch helpdesk pretext attacks rotating across multiple Microsoft 365 tenants
- User-initiated PowerShell execution from social-engineering lures bypasses many automated network and endpoint controls
Key Behavioral Indicators
- MpExtMs.exe loading version.dll which in turn loads EndpointDlp.dll from non-standard paths (DLL sideloading chain)
- pythonw.exe executing from user-writable or temporary directories associated with portable WinPython packages
- Registry Run-key entries with names AnyDesk, Splashtop, or Comms pointing to non-standard executable paths
- Rapid sequence of net.exe, PowerShell, and wmic.exe enumeration commands following initial PowerShell execution
- curl.exe initiated as a child of PowerShell or cmd.exe with external HTTP destinations
- MSI files with random hex names (e.g., aeff97fe.msi, 48b47c0.msi) being written and executed from temp directories
- certutil.exe used for decoding or downloading files outside of normal certificate management workflows
False Positive Assessment
Medium — The DLL sideloading chain uses legitimate filenames (EndpointDlp.dll, version.dll, MpExtMs.exe) that may exist in legitimate Microsoft endpoint security deployments. Living-off-the-land tools (net.exe, reg.exe, curl, certutil, wmic) are commonly used by administrators. However, the specific combination of these tools, the non-standard loading paths, and the documented C2 infrastructure provide strong correlation opportunities to reduce false positives.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider searching endpoint telemetry for the documented SHA256 hashes of Backdoor.Mistic, the version.dll loader, and the .NET credential stealer to identify compromised hosts.
- Consider blocking the documented C2 IP addresses and domains at your firewall, proxy, and DNS resolver layers, if supported by your network security tooling.
- If your EDR supports it, consider hunting for DLL sideloading events where MpExtMs.exe loads version.dll or EndpointDlp.dll from non-standard directories.
- Evaluate whether your email and collaboration security controls can detect and block external Microsoft Teams chats using helpdesk or IT-support pretexts, particularly those instructing users to paste and run PowerShell commands.
Infrastructure Hardening
- Consider implementing DNS filtering for newly registered domains and domains with patterns matching the documented C2 naming conventions (e.g., -updater-.com, *.top domains with random strings).
- If applicable to your environment, evaluate restricting PowerShell execution policies and consider enabling PowerShell Constrained Language Mode for non-administrative users to limit attack surface from paste-and-run social engineering.
- Consider implementing network segmentation to limit lateral movement opportunities if an initial access broker establishes persistence, particularly restricting access from non-domain-joined machines to sensitive Active Directory resources.
- Where supported by your identity provider, consider enforcing conditional access policies that restrict external Teams communications for non-IT staff.
User Protection
- Consider deploying endpoint detection rules for the specific DLL sideloading chain (MpExtMs.exe → version.dll → EndpointDlp.dll) if your EDR supports custom DLL load monitoring.
- Evaluate whether your application allowlisting solution can detect DLL sideloading attempts where legitimate signed binaries load unsigned DLLs from non-standard paths.
- Consider enabling AMSI (Anti-Malware Scan Interface) integration for PowerShell and .NET to improve detection of in-memory payloads like Mistic and the .NET credential stealer.
Security Awareness
- Consider incorporating the ClickFix, FileFix, and CrashFix social-engineering techniques into existing phishing awareness training programs, emphasizing that legitimate error messages, CAPTCHAs, and crash fixes never require pasting commands into Run dialogs or File Explorer address bars.
- Consider adding a specific awareness module about external Microsoft Teams chats impersonating IT support, instructing users to verify any IT support request through internal channels before following instructions.
- Consider reminding users that legitimate IT support will never ask them to paste and execute PowerShell commands provided via chat or web pages.
MITRE ATT&CK Mapping
Initial Access
Execution
Persistence
Command and Control
Additional IOCs
- Ips:
144[.]31[.]53[.]78- Network indicator associated with Mistic/Woodgnat attack infrastructure
- Domains:
b6w9m2z5x8q1v3k[.]top- C2 domain associated with Mistic/Woodgnat infrastructurecarrolc[.]com- C2 domain associated with Mistic/Woodgnat infrastructurecj06y9v4xab[.]com- C2 domain associated with Mistic/Woodgnat infrastructurecwrtwright[.]com- C2 domain associated with Mistic/Woodgnat infrastructuredefs[.]updater-worelos[.]com- Subdomain C2 associated with updater-worelos.com infrastructureftps[.]upd-domain-goloro[.]com- Subdomain C2 associated with upd-domain-goloro.com infrastructuregrande-luna[.]top- C2 domain associated with Mistic/Woodgnat infrastructurehuman-check[.]top- C2 domain associated with Mistic/Woodgnat infrastructure; name mimics CAPTCHA/human verificationmail[.]authorized-logins[.]net- Subdomain C2 associated with authorized-logins.net infrastructuremailes[.]upd-domain-goloro[.]com- Subdomain C2 associated with upd-domain-goloro.com infrastructuremails[.]updater-worelos[.]com- Subdomain C2 associated with updater-worelos.com infrastructuremueleer[.]com- C2 domain associated with Mistic/Woodgnat infrastructurenano[.]upscale-kolo[.]com- Subdomain C2 associated with upscale-kolo.com infrastructureoeannon[.]com- C2 domain associated with Mistic/Woodgnat infrastructurephp[.]authorized-logins[.]net- Subdomain C2 associated with authorized-logins.net infrastructurerotoa-upda-lo[.]com- C2 domain associated with Mistic/Woodgnat infrastructuresql-updater-service[.]com- C2 domain associated with Mistic/Woodgnat infrastructuresss[.]authorized-logins[.]net- Subdomain C2 associated with authorized-logins.net infrastructureupd-domain-goloro[.]com- C2 domain with multiple subdomains used for attacker infrastructureupdate[.]update-fall[.]com- Subdomain C2 associated with update-fall.com infrastructurew3xasv14culvnqj[.]top- C2 domain associated with Mistic/Woodgnat infrastructure
- Urls:
hxxp://thomphon[.]com/update.msi- URL serving Mistic MSI payload from thomphon.com C2 server
- File Hashes:
3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be(SHA256) - Backdoor.Mistic MSI installer (aeff97fe.msi)8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235(SHA256) - Likely privilege escalation DLL (n.dll) deployed in Mistic attack chainafd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c(SHA256) - Backdoor.Mistic payload masquerading as EndpointDlp.dll (additional sample)db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5(SHA256) - Backdoor.Mistic payload masquerading as EndpointDlp.dll (additional sample)f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e(SHA256) - Backdoor.Mistic MSI installer (48b47c0.msi)fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a(SHA256) - Backdoor.Mistic payload masquerading as EndpointDlp.dll (additional sample)
- Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run- Persistence mechanism used by ModeloRAT; Run-key entries masquerade as legitimate remote-access software (AnyDesk, Splashtop, Comms)
- File Paths:
EndpointDlp.dll- Filename used by Backdoor.Mistic to masquerade as Microsoft endpoint-security tooling DLLversion.dll- Loader DLL filename that hooks GetModuleFileNameW and LoadLibraryW to facilitate sideloading chainMpExtMs.exe- Legitimate signed executable abused as sideloading host for Mistic backdoor DLLaeff97fe.msi- MSI installer filename used to deploy Backdoor.Mistic48b47c0.msi- MSI installer filename used to deploy Backdoor.Mistic (additional sample)n.dll- DLL filename associated with likely privilege escalation component in Mistic attack chainf.dll- .NET DLL filename for credential stealer displaying fake login screen
- Command Lines:
- Purpose: Initial compromise via social-engineering lure tricking user into pasting and executing attacker-supplied PowerShell command | Tools:
PowerShell| Stage: Initial Access |powershell.exe -enc - Purpose: Data staging and exfiltration over HTTP | Tools:
curl.exe| Stage: Exfiltration |curl.exe -o - Purpose: Registry modification for persistence establishment | Tools:
reg.exe| Stage: Persistence |reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Purpose: Network resource and domain enumeration | Tools:
net.exe| Stage: Reconnaissance |net.exe user /domain - Purpose: Remote command execution on compromised hosts | Tools:
wmic| Stage: Lateral Movement |wmic process call create - Purpose: File download and decoding of payloads | Tools:
certutil| Stage: Execution |certutil -decode
- Purpose: Initial compromise via social-engineering lure tricking user into pasting and executing attacker-supplied PowerShell command | Tools: