Inside Mistic, the New Stealth Backdoor in Ransomware Intrusions
ID: 333af65a-d0bc-5cb7-82b7-d68e65378959
STIX ID: report--333af65a-d0bc-5cb7-82b7-d68e65378959
Feed Name: Security Affairs
Mistic is a stealthy backdoor linked to the KongTuke/Woodgnat access broker and used since April 2026 to provide long-term covert access for ransomware operations; it was delivered via DLL sideloading (legitimate MpExtMs.exe loading version.dll and EndpointDlp.dll), runs payloads in memory, supports file operations and remote code execution, includes a credential-stealing component and a self-deletion kill switch, and has been observed enabling follow-on activity by multiple ransomware affiliates across finance, education, IT, and professional services.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
