Technical Analysis of MLTBackdoor | ThreatLabz

What Happened

In May 2026, security researchers discovered a new malicious program called MLTBackdoor, which is likely used by ransomware groups to gain a foothold in victim networks. The attack starts when a user is tricked into copying and pasting malicious code from a fake website error page, a technique known as ClickFix. This matters because the malware is highly evasive, using advanced techniques to hide its code, steal data, and load additional attack tools while avoiding detection by standard security software. Organizations should educate users about the dangers of copying and pasting code from untrusted websites and ensure their security monitoring is updated to detect these specific attack patterns.

Key Takeaways

• MLTBackdoor is a new malware family identified in May 2026, likely used by ransomware threat actors for lateral movement.
• The initial infection vector relies on ClickFix social engineering lures to trick victims into executing malicious commands.
• The malware is heavily obfuscated using Mixed Boolean-Arithmetic (MBA) and Control Flow Flattening (CFF) to hinder analysis.
• It employs a Domain Generation Algorithm (DGA) for resilient command-and-control (C2) communication.
• MLTBackdoor features a Beacon Object File (BOF) loader that dynamically expands its capabilities, supporting indirect system calls to evade user-mode hooks.

Affected Systems

• Windows

Attack Chain

The attack begins with a ClickFix lure that tricks the victim into executing a command line to download and extract a malicious archive. The archive contains 'endpointdlp.dll', which decrypts 'data.bin' to execute the MLTBackdoor payload. The backdoor sideloads via a legitimate Microsoft Defender executable ('mpextms.exe') and establishes an encrypted C2 channel using a custom protocol and DGA domains. Once active, it can execute built-in file system commands or load Beacon Object Files (BOFs) for extended post-exploitation capabilities.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article does not provide specific detection rules, but details behavioral indicators, command line patterns, and network artifacts useful for building custom detections.

Detection Engineering Assessment

EDR Visibility: Medium — EDR can likely detect the initial ClickFix command line execution and DLL sideloading, but the malware's use of indirect system calls (Hell's Gate) and heavy obfuscation may bypass some user-mode API hooking. Network Visibility: Medium — The custom binary protocol is encrypted via ECDH and AES, but the fixed URI path (/api/v1/telemetry) and specific User-Agent provide network hunting opportunities. Detection Difficulty: Hard — The combination of Mixed Boolean-Arithmetic, Control Flow Flattening, indirect system calls, and DGA makes static analysis and signature-based detection very difficult.

Required Log Sources

• Process Creation (Event ID 4688/Sysmon 1)
• Network Connections (Sysmon 3)
• Image Load (Sysmon 7)

Hunting Hypotheses

Control Gaps

• User-mode API hooking (bypassed via indirect syscalls)
• Static signature detection (bypassed via MBA/CFF obfuscation)

Key Behavioral Indicators

• conhost.exe spawning cmd.exe with curl/tar/rundll32
• mpextms.exe loading endpointdlp.dll
• User-Agent: Microsoft-Delivery-Optimization/10.1
• URI: /api/v1/telemetry

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Search endpoint telemetry for the execution of the ClickFix command line pattern involving curl, tar, and rundll32.
• Block the identified C2 domains and IP addresses at the network perimeter.

Infrastructure Hardening

• Consider implementing network segmentation to limit lateral movement capabilities if a host is compromised.
• Evaluate restricting the execution of built-in tools like curl.exe and tar.exe for standard users where not required.

User Protection

• If your EDR supports it, ensure behavioral rules are active to detect anomalous child processes spawned by web browsers or conhost.exe.
• Consider enforcing application control to prevent the execution of unapproved DLLs and binaries.

Security Awareness

• Educate users on the risks of 'ClickFix' social engineering tactics, specifically warning against copying and pasting commands from browser error pages.
• Train employees to report suspicious browser pop-ups or update prompts to the security team.

MITRE ATT&CK Mapping

• T1204.001 - User Execution: Malicious Link
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell
• T1574.002 - Hijack Execution Flow: DLL Side-Loading
• T1027.002 - Obfuscated Files or Information: Software Packing
• T1568.002 - Dynamic Resolution: Domain Generation Algorithms
• T1071.001 - Application Layer Protocol: Web Protocols
• T1620 - Reflective Code Loading

Additional IOCs

• Domains:
  • hrs2y15sungu[[.]]com - DGA C2 domain
  • cwrtwright[[.]]com - Hardcoded C2 domain
• Urls:
  • hxxps://hrs2y15sungu[.]com/d - Initial payload download URL
• File Paths:
  • C:\users\\AppData\\Local\\Temp\\x - Staging directory created by the initial ClickFix command
• Command Lines:
  • Purpose: Downloads and executes the initial MLTBackdoor payload components | Tools: conhost.exe, cmd.exe, curl.exe, tar.exe, rundll32.exe | Stage: Execution
• Other:
  • Microsoft-Delivery-Optimization/10.1 - Hardcoded User-Agent string used for C2 communication
  • /api/v1/telemetry - Hardcoded URI path used for C2 communication
  • 0x014D4C54 - Magic bytes (\x01MLT) present in the custom network protocol header