Published on June 25, 2026

New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

Severity
Medium

Detail

Researchers from Symantec and Carbon Black’s Threat Hunter Team have identified a new stealthy backdoor called Mistic, also tracked as MLTBackdoor, that has been deployed in suspected financially motivated attacks targeting organizations in the insurance, education, information technology, and professional services sectors since April 2026.

The malware is linked to an initial access broker (IAB) known as KongTuke, which is also tracked as 404 TDS, Chaya_002, LandUpdate808, TAG-124 and Woodgnat. Researchers observed Mistic being deployed alongside ModeloRAT, a Python-based remote access trojan previously attributed to the group. According to Broadcom’s cybersecurity teams, the backdoor executes payloads in memory without writing files to disk and includes a kill switch that enables it to remove itself from compromised systems.

How?

Researchers reported that ModeloRAT was previously identified in January 2026 as part of a ClickFix campaign known as CrashFix. In that campaign, KongTuke operators used a malicious Google Chrome extension disguised as an ad blocker to deliberately crash a victim’s browser and trick them into executing commands under the pretense of performing a security scan.

The malware was also distributed through another ClickFix campaign in which victims were instructed to execute commands that performed a Domain Name System (DNS) lookup to retrieve a subsequent payload. Microsoft noted that DNS was used as a lightweight staging or signaling channel within the attack chain.

Earlier this month, Zscaler ThreatLabz highlighted Mistic’s use of ClickFix as a delivery mechanism and attributed the activity to a ransomware-related threat actor seeking to establish an initial foothold for lateral movement. Broadcom’s latest analysis shows that Mistic uses DLL side-loading techniques involving trusted Microsoft endpoint security tooling, specifically MpExtMs.exe, to blend into legitimate activity and reduce suspicion. The malware operates entirely in memory.

Impact

The Mistic backdoor provides capabilities that allow attackers to:

  • Upload and download files
  • Move, rename, and delete files
  • Create folders
  • Modify the interval used to poll a remote server for commands
  • Execute code received from a command-and-control (C2) server entirely in memory without leaving artifacts on disk
  • Load Beacon Object Files (BOFs) to expand functionality dynamically
  • Terminate and delete itself

Broadcom noted that the backdoor’s ability to execute payloads in memory and to remove itself is characteristic of an operator seeking long-term, low-visibility access.

Recommendation

Organizations should review indicators and attack techniques associated with ClickFix campaigns, ModeloRAT, and Mistic activity. Security teams should remain vigilant for DLL side-loading activity involving trusted applications, suspicious use of Microsoft Teams messages from impersonated IT support accounts, and signs of unauthorized in-memory code execution.
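As an added detection example (not from the advisory, Broadcom, or any of the cited researchers), the check below runs over constructed Sysmon Event ID 7 (image load) records and flags DLLs loaded by the MpExtMs.exe host named above when the host or the DLL sits outside the expected Windows Defender directories or the DLL is not Microsoft-signed. The trusted directory list, the field values, and the DLL name are assumptions for illustration; tune them to your estate.

```python
import ntpath

# Constructed Sysmon Event ID 7 records (Image, ImageLoaded, Signed, Signature
# are real Sysmon field names; the paths, DLL name, and values are invented).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\defender_helper.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Side-loading pattern: trusted binary copied to a user-writable path,
    # loading a same-named but unsigned DLL from beside itself.
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\scan\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\scan\defender_helper.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

# Assumed directories where Defender binaries legitimately live (adjust per estate).
TRUSTED_DIRS = (
    r"c:\program files\windows defender\\".replace("\\\\", "\\"),
    r"c:\programdata\microsoft\windows defender\platform\\".replace("\\\\", "\\"),
)
HOST_PROCESS = "mpextms.exe"


def is_suspicious(event):
    """Return a reason string for a suspicious MpExtMs.exe image load, else None."""
    host = event.get("Image", "").lower()
    if ntpath.basename(host) != HOST_PROCESS:
        return None  # only the host process named in the advisory is in scope
    dll = event.get("ImageLoaded", "").lower()
    reasons = []
    if not host.startswith(TRUSTED_DIRS):
        reasons.append("host process outside trusted Defender directory")
    if not dll.startswith(TRUSTED_DIRS):
        reasons.append("dll outside trusted Defender directory")
    signed = event.get("Signed", "").lower() == "true"
    if not signed or not event.get("Signature", "").startswith("Microsoft"):
        reasons.append("dll not Microsoft-signed")
    return "; ".join(reasons) or None


def scan(events):
    """Return (loaded DLL, reason) pairs for every suspicious record."""
    return [(e["ImageLoaded"], r) for e in events if (r := is_suspicious(e))]


if __name__ == "__main__":
    for dll, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {dll}: {reason}")
```

A process-creation rule for the same host running from a user-writable path is a useful companion signal, since the advisory describes the DLL, not the executable, as the malicious component.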

Conclusion

The Mistic backdoor represents a new stealth-focused malware family linked to KongTuke and previously observed ModeloRAT activity. Through the use of ClickFix delivery mechanisms, DLL side-loading techniques, in-memory execution, and self-deletion capabilities, the malware provides operators with low-visibility access to compromised environments. Researchers assess that the activity is associated with opportunistic attacks designed to obtain access that can potentially be leveraged or sold to other threat actors.

Source

https://thehackernews.com/2026/06/new-mistic-backdoor-linked-to-kongtuke.html
https://www.security.com/threat-intelligence/new-mistic-backdoor-modeloRAT