Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs
ID: c103c433-48ac-5766-8ac7-a74dea0ab32c
STIX ID: report--c103c433-48ac-5766-8ac7-a74dea0ab32c
Feed Name: The Register (Security)
A new self‑destructing backdoor named Mistic (also tracked as MLTBackdoor) has been observed in intrusions targeting insurance, education, IT, and professional services; researchers link it to the initial access broker KongTuke (Woodgnat) and to usage patterns that facilitate ransomware deployments. Mistic performs file operations, runs payloads in memory to avoid disk detection, can be side‑loaded through legitimate binaries (e.g., MpExtMs.exe loaded from EndpointDlp.dll), and deletes itself after mission completion, making it a stealthy tool for persistent access and lateral movement.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
