
Symantec ties new Mistic backdoor to ransomware broker KongTuke

Symantec links a stealth in-memory backdoor used since April 2026 to KongTuke (Woodgnat), the initial-access broker that has fed Interlock, Rhysida, Akira, 8Base and Black Basta.


Symantec's Threat Hunter Team published research on June 24, 2026 describing Mistic, a previously undocumented in-memory backdoor it tracks as Backdoor.Mistic. The same implant is tracked by Zscaler as MTLBackdoor. Symantec assesses with medium confidence that the operator is Woodgnat, the threat cluster better known publicly as KongTuke — a financially motivated initial-access broker that has handed off compromised networks to several ransomware brands over the last two years. Intrusions involving Mistic have been observed since April 2026 at organisations in insurance, education, IT and professional services.

What the implant does

Mistic is a small Windows backdoor loaded by DLL sideloading. The chain reproduced by Symantec:

  1. The legitimate signed executable MpExtMs.exe is launched. The binary is part of Microsoft's endpoint-security tooling and is unmodified.
  2. MpExtMs.exe resolves and loads version.dll from its own directory. The attackers ship a malicious version.dll that acts as a loader.
  3. The loader maps and executes EndpointDlp.dll — the Mistic backdoor itself. The filename mimics Microsoft Defender / Endpoint DLP components to blend with trusted on-host software.

Once resident, Mistic runs payloads in memory with no further disk writes, supports a kill switch that wipes itself from the host, and accepts Beacon Object Files (BOFs) from its C2 to extend capability without dropping new binaries. The operator's command set covers file upload/download, move/rename/delete, folder creation, and in-memory code execution. Symantec frames this profile as consistent with an operator seeking long-term, low-visibility access rather than smash-and-grab.

Delivery

Two delivery vectors are documented:

  • ClickFix (and the FileFix / CrashFix variants). KongTuke has run ClickFix-style paste-and-run lures since early 2025 — first to deliver ModeloRAT, a Python RAT also attributed to the group, and from May 2026 onward to deliver Mistic as a follow-on payload in the same chain.
  • Microsoft Teams social engineering. Starting in April, KongTuke operators have been messaging targets on Teams while impersonating internal IT support, walking the victim through the malicious paste-and-run steps that drop the loader.

Attribution — what's said and what isn't

Symantec attributes Mistic to Woodgnat (KongTuke) based on tooling overlap with previous KongTuke intrusions (notably the co-deployment alongside ModeloRAT in at least one case). That cluster is described as an initial-access broker, not a ransomware operator in its own right. Symantec lists the downstream ransomware brands historically served by Woodgnat as Interlock, Rhysida, Akira, 8Base and Black Basta. Treat any specific Mistic → named-ransomware mapping as not yet established in the public record — the attribution chain is broker → unknown buyer → ransomware brand, and intermediate stages are not always observable.

BleepingComputer's June 25 coverage and The Hacker News' June 25 writeup repeat the Symantec framing. No CVE is associated with Mistic — the entry vector is social engineering, not vulnerability exploitation.

Action checklist

  1. Tell your help desk that the Teams IT-support lure is live. Any unsolicited Teams DM that walks a user through a Win+R paste, a clipboard command, or "verify your machine by pasting this" is the ClickFix / Teams chain. Block external Teams messaging if the org's policy allows; if not, push a one-paragraph user note today.
  2. Hunt for the sideloading pair. Search EDR telemetry for MpExtMs.exe loading a version.dll from a non-system path, and for EndpointDlp.dll resident in memory outside the legitimate Defender install paths. Either alone is anomalous; the combination is the published Mistic chain.
  3. Block unsigned or non-Microsoft version.dll loads in user-writable directories. The technique reuses a Microsoft-signed parent process to gain reputation; the malicious DLL is the differentiator.
  4. Pull Beacon Object File traces. BOF execution leaves recognisable in-memory artefacts; if your EDR exposes process-injection telemetry, baseline now so that the next operator using the same TTPs is detected on first run.
  5. Treat in-scope hosts as broker-compromised, not benign. Mistic's role is to sell access. A host that hosted Mistic in April or May has likely been on a buyer's target list since; assume the next stage may already be queued. Rotate credentials and tokens reachable from suspected hosts, and put them under elevated monitoring.
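As an added example (not Symantec's or this article's code), the following Python hunt applies checklist steps 2 and 3 to constructed Sysmon-style image-load records: it flags MpExtMs.exe loading version.dll from a non-system path, EndpointDlp.dll loaded outside the Defender install paths, and unsigned non-system version.dll loads, then reports hosts showing both halves of the published sideloading chain. The record fields, hostnames, paths and the Defender allowlist are assumptions to be tuned to your own telemetry.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style image-load records (Event ID 7 fields, simplified); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"host": "ws07", "image": r"C:\Users\Public\Update\MpExtMs.exe",
     "loaded": r"C:\Users\Public\Update\version.dll", "signed": False},
    {"host": "ws07", "image": r"C:\Users\Public\Update\MpExtMs.exe",
     "loaded": r"C:\Users\Public\Update\EndpointDlp.dll", "signed": False},
    {"host": "ws09", "image": r"C:\Temp\MpExtMs.exe",
     "loaded": r"C:\Temp\version.dll", "signed": False},
]

# Allowlists are assumptions for this demo; tune them to the Defender install locations in your estate.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
DEFENDER_DIRS = (r"c:\program files\windows defender", r"c:\programdata\microsoft\windows defender")

def _under(path, roots):
    """Case-insensitive check that a Windows path sits beneath one of the given root directories."""
    return any(path.lower().startswith(r + "\\") for r in roots)

def classify(event):
    """Return the finding tags for one image-load event ([] when benign)."""
    image = PureWindowsPath(event["image"]).name.lower()
    loaded_name = PureWindowsPath(event["loaded"]).name.lower()
    findings = []
    if image == "mpextms.exe" and loaded_name == "version.dll" and not _under(event["loaded"], SYSTEM_DIRS):
        findings.append("sideload")   # step 2: MpExtMs.exe pulling version.dll from a non-system path
    if loaded_name == "endpointdlp.dll" and not _under(event["loaded"], DEFENDER_DIRS):
        findings.append("implant")    # step 2: EndpointDlp.dll outside the Defender install paths
    if loaded_name == "version.dll" and not event["signed"] and not _under(event["loaded"], SYSTEM_DIRS):
        findings.append("unsigned_version_dll")  # step 3: what a load-blocking policy would catch
    return findings

def hunt(events):
    """Map each host to the set of finding tags observed on it."""
    per_host = {}
    for e in events:
        for tag in classify(e):
            per_host.setdefault(e["host"], set()).add(tag)
    return per_host

def chain_hosts(events):
    """Hosts showing both halves of the published chain (sideload + implant): treat as broker-compromised."""
    return sorted(h for h, tags in hunt(events).items() if {"sideload", "implant"} <= tags)
```

Feed it real image-load events with the same four fields and review `hunt()` output host by host; `chain_hosts()` is the list to escalate under step 5.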

Context

Mistic is the third KongTuke-attributed tool to enter public reporting in 2026, after ModeloRAT and the ClickFix variant family. The operator's economic model — broker access, sell to ransomware affiliates — is the same one Mandiant tied to UNC6240 / ShinyHunters in the PeopleSoft zero-day campaign two weeks ago, and the same one Microsoft has documented for Storm-1175 across Black Basta deployments. The cluster of brokers feeding the ransomware affiliate market is small enough that each new toolkit they publish — and Mistic, with its disk-free design and BOF support, is a clear capability upgrade over ModeloRAT — is worth tracking as a leading indicator for who gets hit next quarter, not as a one-off.

For defenders, the operational shift in this report is the Teams social-engineering channel. Phishing detection is heavily tuned for SMTP and SMS; Teams DMs from external tenants are not, and the IT-support pretext is high-confidence enough that users who would never paste a command from email will paste one from a Teams chat with a credible-looking name. That's the gap KongTuke is exploiting at scale.
