New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

A new, stealthy backdoor named Mistic has been deployed as part of suspected financially motivated attacks aimed at multiple organizations spanning insurance, education, IT, and professional services sectors since April 2026.

According to Symantec and Carbon Black's Threat Hunter Team, the backdoor, also tracked as MLTBackdoor, is said to be linked to an initial access broker (IAB) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat), and dropped along with ModeloRAT, a Python remote access trojan (RAT) previously attributed to the group.

"The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access," Broadcom's cybersecurity teams said in a report shared with The Hacker News.

ClickFix Campaigns and Delivery Vectors

ModeloRAT was first flagged by Huntress in January 2026 in connection with a variant of a ClickFix campaign dubbed CrashFix, in which the KongTuke actors used a malicious Google Chrome extension masquerading as an ad blocker to intentionally crash a victim's web browser and trick them into running arbitrary commands under the pretext of running a security scan.

The malware was also distributed in a different ClickFix campaign that involved running commands carrying out a Domain Name System (DNS) lookup to retrieve the next-stage payload, with Microsoft noting that the attack chain uses DNS as a "lightweight staging or signaling channel."

Mistic's use of ClickFix as a delivery vector was highlighted by Zscaler ThreatLabz earlier this month, attributing the activity to a ransomware-related threat actor to establish a foothold for lateral movement.

Technical Capabilities and Stealth Mechanisms

The latest findings from Broadcom show that the malware relies on DLL side-loading techniques, using trusted Microsoft endpoint security tooling (MpExtMs.exe) to blend in and avoid raising red flags.

The backdoor runs directly in memory, enabling a wide range of capabilities typically associated with a malware family of this kind:

• Upload or download a file
• Move, rename, or delete a file
• Create a folder
• Modify the time interval after which it polls a remote server for commands
• Execute code received from C2 in memory without leaving any artifacts on disk
• Load Beacon Object Files (BOFs) to dynamically expand its capabilities
• Terminate and delete itself

Targeting and Attribution

"The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector," Symantec and Carbon Black said, adding that ModeloRAT has been observed in attacks that deployed Qilin ransomware.

KongTuke is known to operate a traffic distribution system (TDS) built on compromised WordPress sites, using it to serve an ever-evolving set of lures that lead unsuspecting site visitors to malware. As recently as last month, Rapid7 and ReliaQuest revealed that the threat actor has pivoted to sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that leads to the deployment of ModeloRAT.

"The stealth of the backdoor is also notable, as is the fact that Woodgnat is also possibly behind the development of ModeloRAT, indicating a group that is quite highly skilled at the development of stealthy remote access tools," Broadcom said.

"The use of custom tools in ransomware attacks is becoming a more common phenomenon, with multiple examples of ransomware groups using custom exfiltration and other tools in recent times. Backdoor.Mistic appears to be a continuation of this trend, though it appears to be likely developed by access brokers working with ransomware affiliates rather than a ransomware group itself."