Overview
- Symantec and Zscaler published technical analyses in late June documenting Mistic, a backdoor deployed since April 2026 against insurance, education, IT and professional services organizations.
- Researchers link the malware to the initial access broker tracked as KongTuke or Woodgnat, which establishes persistent access and sells it to several ransomware groups.
- Observed delivery chains include multi-stage ClickFix campaigns, compromised WordPress traffic distribution, Microsoft Teams help‑desk lures, and DLL sideloading that starts with MpExtMs.exe loading version.dll and EndpointDlp.dll.
- Mistic runs payloads only in memory, can upload, download and modify files, execute received code, load Beacon Object Files (BOFs) to add features, and includes a kill switch to erase itself.
- Symantec and Zscaler published indicators of compromise to aid defenders because the backdoor's memory‑only execution and modular BOF capability make detection harder and increase the risk that many victims could have access sold to other attackers.