Published on June 10, 2026

Hackers Deploy MLTBackdoor Malware via Multi-Stage ClickFix Infection Chain


Severity

High

Detail

Security researchers have identified a new malware threat known as MLTBackdoor, a sophisticated backdoor malware first observed in May 2026. The malware is designed to establish persistent access to compromised systems while employing advanced evasion and anti-analysis techniques to avoid detection. Researchers from Zscaler ThreatLabz assessed that the malware is likely associated with ransomware-related activity and may be used to establish an initial foothold within victim environments.

MLTBackdoor incorporates multiple defense-evasion techniques, including extensive code obfuscation, control flow flattening, and anti-analysis mechanisms. Researchers noted that approximately 95% of the malware’s code consists of unnecessary mathematical operations intended to hinder reverse engineering and malware analysis. The malware also utilizes a Domain Generation Algorithm (DGA) to generate new command-and-control (C2) domains on a daily basis. This capability allows attackers to maintain communications with infected systems even if previously identified domains are blocked or taken down by defenders.

How?

The attack begins when a user interacts with a malicious ClickFix prompt displayed on a compromised or attacker-controlled website. The prompt instructs the victim to execute a series of commands under the guise of resolving a technical issue. Upon execution, the commands create local directories and download a malicious archive from an attacker-controlled domain. The archive contains multiple files, including the malicious DLL endpointdlp[.]dll and an encrypted payload data[.]bin.

The legitimate Microsoft Defender binary mpextms[.]exe is then abused for DLL sideloading. The malicious DLL decrypts the RC4-encrypted payload and loads MLTBackdoor into memory. After installation, the malware performs a self-update and establishes persistence on the compromised system. It then conducts multiple environment checks to detect virtual machines, debuggers, sandboxes, and other analysis tools before initiating communications with its command-and-control infrastructure.

Once active, MLTBackdoor communicates with attacker-controlled infrastructure over TCP port 443 using a custom encrypted binary protocol designed to resemble legitimate network traffic. The malware further disguises its communications by using Microsoft-style user-agent strings and fixed API paths to blend in with normal system activity. In addition, MLTBackdoor supports file upload and download operations, directory enumeration, and file and folder management. It also executes additional malicious modules through an in-memory Beacon Object File (BOF) loader, allowing attackers to extend functionality without writing files to disk.

Indicators of Compromise (IoCs)

Type       Indicator                                                          Description
---------  -----------------------------------------------------------------  -------------------------------------------------------------
SHA256     1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984   Stage one loader
SHA256     46b2155c1e71b840d4b7a2e94410b89a61e2446523e6f497206d402eb02e0e93   Archive containing stage one loader and encrypted payload
SHA256     9e52cc90cff150abe21f0a6440e86e0a99ff383b81061b96def8948e21d0ac66   MLTBackdoor with domains and DGA
Domain     hrs2y15sungu[.]com                                                 Distribution campaign domain
Domain     carrolc[.]com                                                      Command-and-control server
Domain     cwrtwright[.]com                                                   Command-and-control server
Domain     thomphon[.]com                                                     Command-and-control server
URL        powwowski[.]com/payloads/update.zip                                Malware update URL
File Name  endpointdlp[.]dll                                                  Malicious DLL used for decryption and sideloading
File Name  data[.]bin                                                         RC4-encrypted second-stage payload
File Name  mpextms[.]exe                                                      Legitimate Microsoft Defender binary abused for DLL sideloading

Recommendation

Organizations should implement the following security measures to reduce the risk of MLTBackdoor infections:

  • Educate users about ClickFix-style social engineering attacks and instruct them not to execute commands copied from websites or unsolicited prompts.
  • Block known indicators of compromise (IoCs), including malicious domains, URLs, file hashes, and associated network infrastructure.
  • Monitor for unusual execution of legitimate Microsoft binaries, particularly mpextms[.]exe, that may indicate DLL sideloading activity.
  • Monitor outbound network connections over TCP port 443 for anomalous traffic patterns, uncommon user-agent strings, and communications with newly registered or suspicious domains.

Source

https://cybersecuritynews.com/hackers-deploy-mltbackdoor-malware/