VYPR Research · Published Jun 10, 2026 · 1 source

MLTBackdoor Malware Deploys via Sophisticated ClickFix Infection Chain

A new backdoor malware, MLTBackdoor, is being deployed through a complex, multi-stage infection chain initiated by a deceptive ClickFix lure, employing advanced evasion techniques.

A sophisticated new backdoor malware, dubbed MLTBackdoor, has emerged, utilizing a multi-stage infection chain that begins with a deceptively simple ClickFix lure. Discovered in May 2026, this malware is engineered to evade detection by employing advanced obfuscation techniques, including control flow flattening and numerous dummy mathematical operations. Researchers at Zscaler ThreatLabz identified the threat and suspect it is being deployed by a ransomware-affiliated threat actor, aiming to establish a persistent foothold within victim networks before further lateral movement.

The infection process commences when a user interacts with a fake ClickFix prompt, often hosted on automotive-related websites. This interaction triggers a series of hidden commands that download a compressed archive. This archive contains a malicious DLL that decrypts an RC4-encrypted payload, ultimately installing the MLTBackdoor. The malware cleverly disguises itself by reusing the legitimate Microsoft Defender binary mpextms.exe for DLL sideloading, a technique that helps it bypass initial security scans. The downloaded archive also contains data.bin, the encrypted second-stage payload, and endpointdlp.dll, the loader responsible for decryption and sideloading.

Once installed, MLTBackdoor performs a self-update and continues to use the endpointdlp.dll filename, further blending in with legitimate system processes. Communication with its command-and-control (C2) servers is managed through a domain generation algorithm (DGA), which generates a new C2 domain daily, making it difficult for security teams to block. The malware disguises its network traffic as legitimate system activity by using a custom encrypted binary protocol over port 443 and employing a Microsoft-style user-agent string with a fixed API path.

MLTBackdoor incorporates extensive evasion measures, performing ten distinct environment checks before executing its primary functions. These checks include detecting virtual machines, debuggers, sandboxes, and specific analysis tools, as well as assessing system resources like RAM and processor count. This information is compiled into a bitmask and sent to the attacker's server, providing valuable intelligence about the target environment.

Beyond its stealth capabilities, MLTBackdoor is equipped with a robust set of built-in commands for file management, including downloading, uploading, listing, deleting, renaming, and creating directories. Its most potent feature is a Beacon Object File (BOF) loader, which allows attackers to inject custom code modules directly into the malware's memory. This modularity enables attackers to expand the malware's capabilities dynamically without writing new files to disk, significantly increasing its stealth and adaptability.

Security professionals are advised to implement strict measures to counter this threat. This includes blocking known indicators of compromise (IoCs), monitoring for unusual usage of legitimate Microsoft binaries, and updating threat detection rules to identify ClickFix-style social engineering tactics. Vigilance for suspicious outbound connections on port 443, particularly those with uncommon user-agent strings, is crucial for early detection of MLTBackdoor infections.
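A triage script for two of the detection points above, the sideloading of endpointdlp.dll by mpextms.exe from an unexpected location and the once-a-day C2 host rotation a daily DGA produces. This is an added example, not code from the Zscaler report or the Vypr article; the telemetry records, file paths and host names are constructed, and the user-writable-directory list is an assumption.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: legitimate Defender binaries load DLLs from under Program Files,
# so a load from any of these user-writable locations is out of place.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")

def is_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)

def detect_sideload(events, host_exe="mpextms.exe", dll="endpointdlp.dll"):
    """Return image paths of host_exe that loaded dll from a user-writable directory."""
    hits = []
    for e in events:
        if e["type"] != "image_load":
            continue
        if (PureWindowsPath(e["image"]).name.lower() == host_exe
                and PureWindowsPath(e["loaded"]).name.lower() == dll
                and is_user_writable(e["loaded"])):
            hits.append(e["image"])
    return hits

def detect_daily_rotation(events, min_days=3):
    """Return processes whose port-443 traffic reaches exactly one host per day
    and a different host every day (a browser hits many hosts; an updater repeats one)."""
    per_proc = defaultdict(lambda: defaultdict(set))  # image -> day -> hosts
    for e in events:
        if e["type"] == "net" and e["dport"] == 443:
            per_proc[e["image"]][e["ts"][:10]].add(e["host"])
    flagged = []
    for image, days in per_proc.items():
        if len(days) < min_days:
            continue
        daily = [next(iter(h)) for h in days.values() if len(h) == 1]
        if len(daily) == len(days) and len(set(daily)) == len(daily):
            flagged.append(image)
    return flagged

# Constructed sample telemetry (Sysmon-like image-load and network records).
STAGED = r"C:\Users\victim\AppData\Local\Temp\car\mpextms.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
UPD = r"C:\Program Files\Vendor\updater.exe"
EVENTS = [
    {"type": "image_load", "image": STAGED, "loaded": r"C:\Users\victim\AppData\Local\Temp\car\endpointdlp.dll"},
    {"type": "net", "image": STAGED, "ts": "2026-05-01T08:00", "dport": 443, "host": "k3qz7.example"},
    {"type": "net", "image": STAGED, "ts": "2026-05-02T08:00", "dport": 443, "host": "p9ma1.example"},
    {"type": "net", "image": STAGED, "ts": "2026-05-03T08:00", "dport": 443, "host": "x2vb8.example"},
    {"type": "net", "image": EDGE, "ts": "2026-05-01T09:00", "dport": 443, "host": "news.example"},
    {"type": "net", "image": EDGE, "ts": "2026-05-01T09:05", "dport": 443, "host": "mail.example"},
    {"type": "net", "image": UPD, "ts": "2026-05-01T10:00", "dport": 443, "host": "update.vendor.example"},
    {"type": "net", "image": UPD, "ts": "2026-05-02T10:00", "dport": 443, "host": "update.vendor.example"},
    {"type": "net", "image": UPD, "ts": "2026-05-03T10:00", "dport": 443, "host": "update.vendor.example"},
]
```

Neither heuristic alone is conclusive; the value is in the two firing on the same process image, which is the pattern the report describes.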

The malware's sophisticated multi-stage approach, combined with advanced obfuscation and evasion techniques, positions MLTBackdoor as a significant threat. Its modular design and ability to adapt its capabilities make it a challenging adversary for cybersecurity defenses, highlighting the ongoing evolution of advanced persistent threats.

Synthesized by Vypr AI