VYPR research · Published Jun 24, 2026 · 1 source

New 'Mistic' RAT Deployed by IAB Woodgnat to Enable Multi-Ransomware Extortion

Initial access broker Woodgnat is deploying a new remote access trojan called Mistic to gain persistent footholds and resell access to ransomware groups including Qilin, Akira, and Black Basta.

An initial access broker tracked as Woodgnat (and previously as KongTuke) has been observed deploying a new backdoor named Mistic to infiltrate organizations across multiple sectors, Broadcom’s Symantec and Carbon Black threat hunter team reported on June 24, 2026. The IAB, active since at least May 2024, maintains direct ties to at least six ransomware families, including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta, using Mistic as a persistent foothold for follow-on extortion.

The Windows-based backdoor, formally tracked as Backdoor.Mistic and MLTBackdoor, gives operators file download and upload, file manipulation, folder creation, and code execution capabilities. Operators can also change how often the malware polls for new commands and can remotely terminate the backdoor process. In one case, the threat actor deployed a credential stealer alongside Mistic, increasing the value of the compromised network access to prospective ransomware buyers.

Woodgnat has been distributing the Mistic DLL primarily through compromised WordPress sites that deliver the malicious code. Social engineering lures remain a core infection vector, including the ClickFix, FileFix, and CrashFix techniques, all of which trick victims into running attacker-supplied PowerShell commands. Since April 2026, the group has also adopted Microsoft Teams-based helpdesk and IT-support impersonation to convince employees to execute malicious code directly.

According to Broadcom’s researchers, Woodgnat's targeting appears opportunistic. Rather than focusing on a single vertical, the IAB casts a wide net across education, insurance, IT, and professional services. Each compromised machine is profiled for its network value and potential resale price. Once persistent access via Mistic is established, the attackers typically deploy a suite of additional living-off-the-land tools, including Curl, Reg.exe, Net.exe, PowerShell, Certutil, and WMIC, for data exfiltration, reconnaissance, lateral movement, and browser certificate installation.

The breadth of ransomware families that Woodgnat feeds illustrates the growing professionalization of the initial access broker economy, where a single IAB can supply entry points to multiple distinct criminal operations. The operational pattern, a custom RAT combined with commodity tools and social engineering, mirrors the group's earlier activity, which relied on the ModeloRAT backdoor. The introduction of Mistic suggests ongoing investment in custom tooling to evade detection and maintain access even after the initial entry point has been remediated.

For defenders, the diversity of targeted sectors and the absence of specific vulnerability exploitation in these intrusions make detection heavily dependent on behavioral indicators. Monitoring for unusual PowerShell execution, unexpected DLL sideloading, and abnormal use of built-in Windows administration tools remains critical. Mitigation should also focus on MFA enforcement, strict application controls, and user education around click-here-to-fix scams, which are increasingly used by IABs across the threat landscape.
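As an added illustration (not code from the Broadcom report or from this article), the following Python triage routine flags process-creation events that match the behaviours named above: a user-facing application spawning hidden or encoded PowerShell (the ClickFix/FileFix/Teams lure pattern), rundll32 or regsvr32 loading a DLL from a user-writable path, and suspicious certutil or WMIC use. The event schema, rule patterns and sample events are constructed assumptions, not the vendor's log format or indicators from the report.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (constructed schema, not any vendor's log format)."""
    parent: str   # parent image path
    image: str    # new process image path
    cmdline: str  # full command line

# (rule name, parent regex or None, image regex, command-line regex or None)
RULES = [
    ("user app spawns hidden/encoded PowerShell (ClickFix/FileFix/Teams lure)",
     r"(explorer|ms-teams|teams|outlook|chrome|msedge|firefox)\.exe$", r"(powershell|pwsh)\.exe$",
     r"(?i)(-e(nc\w*)?\s|-w(indowstyle)?\s+hidden|-nop\b|\biex\b|invoke-expression|downloadstring)"),
    ("rundll32/regsvr32 loads a DLL from a user-writable path (sideloading)",
     None, r"(rundll32|regsvr32)\.exe$", r"(?i)\\(users|appdata|programdata|temp)\\\S*\.dll"),
    ("certutil used to download/decode or install a certificate",
     None, r"certutil\.exe$", r"(?i)(-urlcache|-decode|-addstore)"),
    ("WMIC remote process creation (lateral movement)",
     None, r"wmic\.exe$", r"(?i)/node:|process\s+call\s+create"),
]

def detect(events):
    """Return (rule name, event) pairs in event order; one event may hit several rules."""
    hits = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in RULES:
            if parent_re and not re.search(parent_re, ev.parent, re.I):
                continue
            if not re.search(image_re, ev.image, re.I):
                continue
            if cmd_re and not re.search(cmd_re, ev.cmdline):
                continue
            hits.append((name, ev))
    return hits

# Constructed sample events: paths and the "encoded" blob are placeholders, not report IoCs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -w hidden -nop -enc UExBQ0VIT0xERVI="),
    ProcEvent(PS, r"C:\Windows\System32\rundll32.exe", r"rundll32.exe C:\Users\alice\AppData\Roaming\upd\core.dll,Start"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -addstore Root C:\Users\alice\AppData\Local\Temp\ca.cer"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe", r"certutil -verify C:\tmp\a.cer"),  # benign
]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"[{name}] {ev.image} :: {ev.cmdline}")
```

The rules are deliberately narrow; in production, the parent-process allow-list and the user-writable path list should be tuned to the environment to keep false positives low.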

Synthesized by Vypr AI