logo

Inside Mistic, the New Stealth Backdoor in Ransomware Intrusions

ID: 333af65a-d0bc-5cb7-82b7-d68e65378959

STIX ID: report--333af65a-d0bc-5cb7-82b7-d68e65378959

Feed Name: Security Affairs

Threat Score
75/100

Date Published: 2026-06-25

Date Updated: 2026-06-25

Author: Pierluigi Paganini

...
...

Mistic is a stealthy backdoor linked to the KongTuke/Woodgnat access broker and used since April 2026 to provide long-term covert access for ransomware operations; it was delivered via DLL sideloading (legitimate MpExtMs.exe loading version.dll and EndpointDlp.dll), runs payloads in memory, supports file operations and remote code execution, includes a credential-stealing component and a self-deletion kill switch, and has been observed enabling follow-on activity by multiple ransomware affiliates across finance, education, IT, and professional services.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.