Mistic Backdoor Linked to Woodgnat IAB Targets Insurance, Education, and IT Sectors
Symantec reveals a new backdoor called Mistic, deployed since April 2026 and linked to the initial access broker Woodgnat, targeting multiple sectors with stealthy, memory-resident capabilities.

A relatively new backdoor named Mistic has been active since April 2026, targeting organizations in the insurance, education, IT, and professional services sectors, according to a report from Symantec. The malware is associated with Woodgnat, also known as KongTuke, a financially motivated initial access broker (IAB) that has been active since at least May 2024. Woodgnat has been linked to several ransomware operations, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta, functioning primarily by selling high-level access to enterprise networks rather than delivering final payloads itself.
Mistic is deployed through a side-loading technique, using the legitimate file MpExtMs.exe and a DLL named EndpointDlp.dll, which mimics Microsoft endpoint-security tooling to blend in with trusted software. This approach helps the backdoor evade detection by security products. Once installed, Mistic communicates with its command-and-control (C2) infrastructure and can execute a range of commands, including uploading, downloading, moving, renaming, and deleting files, creating folders, modifying check-in intervals, and executing code directly in memory. It also includes a kill switch to remove itself from an infected system, enhancing its stealth.
In one intrusion observed by Symantec, Mistic was deployed alongside ModeloRAT, a Python-based remote access trojan also developed by Woodgnat. ModeloRAT was first reported by Huntress in January 2026 during an investigation into a ClickFix campaign called CrashFix, which used a malicious Chrome extension named NexShield to crash browsers and trick users into running PowerShell commands. The attackers also loaded a .NET DLL that displayed a fake login screen to steal credentials from users.
Beyond Mistic and ModeloRAT, the attackers leveraged several legitimate tools, including Curl, Reg.exe, Net.exe, PowerShell, Certutil, and WMIC (the Windows Management Instrumentation command-line utility). These utilities were used to download files, execute commands, modify the Windows registry, gather system information, and interact with remote hosts. The use of living-off-the-land binaries (LOLBins) further helps the attackers avoid detection by blending in with normal administrative activity.
Symantec noted that Woodgnat's victim selection is largely opportunistic, and the group's geographic location remains unknown. The researchers emphasized that Mistic's memory-resident execution and built-in kill switch make it particularly stealthy, potentially allowing attackers to maintain long-term access to compromised networks. This persistence is valuable for IABs like Woodgnat, who sell access to ransomware affiliates for follow-on attacks.
The discovery of Mistic adds to the growing list of backdoors used by IABs to establish durable footholds in enterprise environments. Earlier this month, Zscaler documented the same backdoor under the name MLTBackdoor, indicating that security vendors are increasingly tracking this threat. Symantec has published a list of indicators of compromise (IOCs) for Mistic, including malicious files and IP addresses used in recent Woodgnat attacks, to help defenders detect and respond to the threat.
Organizations in the targeted sectors should review their security posture for signs of Mistic or ModeloRAT activity, particularly focusing on unusual DLL side-loading, unexpected use of administrative tools, and connections to unknown IP addresses. The involvement of an IAB with ties to multiple ransomware groups underscores the importance of early detection to prevent potential ransomware deployments.
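As an added illustration (not code from Symantec's report or from this article), the following Python check scans constructed Sysmon-style image-load records for the side-loading pattern described above: MpExtMs.exe loading an EndpointDlp.dll from outside the directories where Microsoft Defender platform binaries are assumed to live. The trusted-directory list, the flattened log format and the field names are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Assumed locations of legitimate Microsoft Defender platform binaries.
# Adjust to the baseline observed in your own environment.
TRUSTED_DIRS = (
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

# Constructed flattening of Sysmon Event ID 7 (ImageLoad): "Key: Value|Key: Value".
FIELD_RE = re.compile(r"(\w+): ([^|]+)")

def parse_record(line):
    """Split one flattened ImageLoad record into a dict of its fields."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}

def in_trusted_dir(path):
    """True if the file's parent directory is one of the assumed Defender paths."""
    parent = str(PureWindowsPath(path).parent).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in TRUSTED_DIRS)

def flag_sideload(rec):
    """Return a reason string for a suspicious MpExtMs.exe -> EndpointDlp.dll load, else None."""
    image, loaded = rec.get("Image", ""), rec.get("ImageLoaded", "")
    if PureWindowsPath(image).name.lower() != "mpextms.exe":
        return None
    if PureWindowsPath(loaded).name.lower() != "endpointdlp.dll":
        return None
    reasons = []
    if not in_trusted_dir(loaded):
        reasons.append("EndpointDlp.dll loaded from untrusted directory")
    if rec.get("Signed", "").lower() != "true":
        reasons.append("DLL is not signed")
    # EXE and DLL dropped together outside trusted paths is the classic side-load layout.
    if not in_trusted_dir(image):
        reasons.append("MpExtMs.exe itself runs from untrusted directory")
    return "; ".join(reasons) if reasons else None

def scan(lines):
    """Return (record_number, reason) pairs for every suspicious record."""
    hits = []
    for n, line in enumerate(lines, 1):
        reason = flag_sideload(parse_record(line))
        if reason:
            hits.append((n, reason))
    return hits

# Constructed sample records; paths and flags are illustrative, not real IOCs.
SAMPLE_LOG = [
    r"Image: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpExtMs.exe|ImageLoaded: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\EndpointDlp.dll|Signed: true",
    r"Image: C:\Users\Public\Music\MpExtMs.exe|ImageLoaded: C:\Users\Public\Music\EndpointDlp.dll|Signed: false",
    r"Image: C:\Windows\System32\svchost.exe|ImageLoaded: C:\Windows\System32\ntdll.dll|Signed: true",
]

if __name__ == "__main__":
    for n, reason in scan(SAMPLE_LOG):
        print(f"record {n}: {reason}")
```

Only the second constructed record is flagged; a signed load from an assumed trusted directory and unrelated image loads pass through.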