Mistic Backdoor Tied to KongTuke’s Expanding Cyber Attacks

A newly identified backdoor, dubbed Mistic, has been implicated in a series of cyber attacks targeting sectors such as insurance, education, information technology, and professional services since April 2026. This malware is associated with the threat actor known as KongTuke, also referred to by aliases including 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat.

Mistic, also tracked as MLTBackdoor, is built for stealth. It runs follow-on payloads directly in memory rather than dropping them to disk, and it can remove itself once the operator is done. Both traits point to a tool intended for long-lived, low-visibility access to compromised systems rather than quick smash-and-grab activity.

KongTuke was previously linked to ModeloRAT, a Python-based remote access trojan. In a January 2026 campaign dubbed CrashFix, a malicious Google Chrome extension posing as an ad blocker deliberately crashed the victim's browser and then offered a "fix" that amounted to pasting and running attacker-supplied commands under the guise of a security scan. This lure, in which the victim rather than an exploit runs the first command, is known as ClickFix and was the main route by which ModeloRAT was delivered.

Further analysis revealed that some ClickFix campaigns fetched their next stage through Domain Name System (DNS) lookups, with DNS serving as a lightweight staging or signaling channel. The choice is pragmatic rather than exotic: DNS is almost always permitted outbound and rarely inspected, so a lookup can carry the next stage, or a pointer to it, past egress controls that would block a direct HTTP download. It is one more sign that KongTuke's delivery chains keep evolving.
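To make the DNS staging channel concrete, here is a small detector that a defender could point at DNS query logs. It is an added example, not code from the article, from KongTuke tooling, or from any vendor report. It runs over constructed Zeek-style dns.log text (tab-separated ts, source, query, record type, answer); every domain, address and answer in it is made up, and the thresholds are assumptions chosen for the demo. Two independent signals are scored: a TXT answer that is a sizeable base64 blob (the next stage itself), and a long, high-entropy leftmost label (encoded data or a per-victim identifier travelling in the query name).

```python
"""Spot DNS lookups that behave like a payload-staging or signaling channel.

Added example; not code from the page, from KongTuke tooling, or from any
vendor report. Input is constructed Zeek-style dns.log text (tab-separated
fields: ts, src, query, qtype, answer). Every domain, address and record
below is made up, and the thresholds are assumptions chosen for the demo.
"""
import base64
import binascii
import math
from collections import Counter

# Constructed sample telemetry. Two TXT answers carry base64 blobs (a
# PowerShell stub and an IEX download cradle); the rest is ordinary traffic.
SAMPLE_DNS_LOG = """\
1700000000.1\t10.0.0.5\twww.example.com\tA\t93.184.216.34
1700000000.2\t10.0.0.5\tupdate.stage-example.net\tTXT\t"cG93ZXJzaGVsbCAtbm9wIC13IGhpZGRlbiAtZW5j"
1700000000.3\t10.0.0.5\tfx8k2q9p3zl7mn4v.stage-example.net\tTXT\t"SUVYIChOZXctT2JqZWN0IE5ldC5XZWJDbGllbnQp"
1700000000.4\t10.0.0.7\t_dmarc.example.com\tTXT\t"v=DMARC1; p=reject"
1700000000.5\t10.0.0.7\tcdn-assets-01.example.com\tA\t203.0.113.10
1700000000.6\t10.0.0.7\tmail.example.com\tMX\t10 mx.example.com
"""

B64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def shannon_entropy(text):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_if_base64(text, min_len=32):
    """Return decoded bytes when a TXT payload is a base64 blob, else None."""
    if len(text) < min_len or len(text) % 4 or set(text) - B64_ALPHABET:
        return None
    try:
        return base64.b64decode(text, validate=True)
    except (ValueError, binascii.Error):
        return None


def parse_line(line):
    ts, src, query, qtype, answer = line.rstrip("\n").split("\t")
    return {"ts": float(ts), "src": src, "query": query.lower(),
            "qtype": qtype.upper(), "answer": answer.strip('"')}


def analyze_dns(log_text, label_entropy_min=3.5, label_len_min=12, txt_min_len=32):
    """Return {query: {"src", "reasons", "decoded"}} for suspicious lookups."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons, decoded = [], None
        if rec["qtype"] == "TXT":
            raw = decode_if_base64(rec["answer"], txt_min_len)
            if raw is not None:
                reasons.append("txt-answer-is-base64-blob")
                decoded = raw.decode("utf-8", errors="replace")
        label = rec["query"].split(".")[0]
        if len(label) >= label_len_min and shannon_entropy(label) >= label_entropy_min:
            reasons.append("high-entropy-leftmost-label")
        if reasons:
            findings[rec["query"]] = {"src": rec["src"], "reasons": reasons,
                                      "decoded": decoded}
    return findings


if __name__ == "__main__":
    for name, info in analyze_dns(SAMPLE_DNS_LOG).items():
        print(f"{info['src']} -> {name}: {', '.join(info['reasons'])}")
        if info["decoded"]:
            print("   decoded:", info["decoded"][:60])
```

The base64 check deliberately requires a minimum length and a clean decode, so ordinary TXT records such as DMARC and SPF policies fall through. The entropy threshold is the noisy part: CDN hostnames with hashes in them will trip it, so in production the label test is better used as a secondary signal keyed on volume per source host and per registered domain rather than as an alert on its own.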

Recent findings show Mistic being delivered through DLL side-loading: a legitimate, signed Microsoft endpoint security binary such as "MpExtMs.exe" is made to load a malicious DLL, so the backdoor runs under the identity of a trusted process and inherits whatever allow-listing or reputation that process enjoys. The backdoor's capabilities include:

  • Uploading or downloading files
  • Manipulating files (move, rename, delete)
  • Creating directories
  • Adjusting polling intervals for command retrieval
  • Executing code in memory without leaving artifacts on disk
  • Loading Beacon Object Files (BOFs) to extend functionality
  • Self-termination and deletion
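The side-loading pattern described above leaves a recognisable shape in image-load telemetry: a Microsoft-signed host executable pulling in an unsigned DLL from its own, user-writable directory. The hunt below is an added example, not code from the article and not derived from Mistic samples. Its records are constructed image-load events in the shape of Sysmon Event ID 7, enriched with the host process signer (Sysmon does not carry that in event 7; join it from process-create telemetry or an EDR). All paths, the DLL name "helper.dll" and the list of protected directory roots are assumptions; "MpExtMs.exe" appears only because the article names it.

```python
"""Hunt for DLL side-loading: a Microsoft-signed host executable loading an
untrusted DLL from a user-writable directory, typically its own.

Added example; not code from the page and not derived from Mistic samples.
Records are constructed image-load events shaped like Sysmon Event ID 7 plus
the host process signer (ImageSigner/ImageSignatureStatus, which you would join
from process-create telemetry or an EDR). All paths and "helper.dll" are
hypothetical; the protected roots below are an assumption, not a Windows fact.
"""
from pathlib import PureWindowsPath

# Assumed canonical, non-user-writable roots. Anything else is treated as writable.
PROTECTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\ProgramData\Microsoft\Windows Defender"),
)

# Constructed events (not real telemetry).
SAMPLE_EVENTS = [
    {  # signed Defender-family binary copied to Temp, loading an unsigned DLL beside it
        "Image": r"C:\Users\victim\AppData\Local\Temp\MpExtMs.exe",
        "ImageSigner": "Microsoft Corporation", "ImageSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {  # same host loading a normal system DLL: benign
        "Image": r"C:\Users\victim\AppData\Local\Temp\MpExtMs.exe",
        "ImageSigner": "Microsoft Corporation", "ImageSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {  # Defender engine in its normal home loading its own signed module: benign
        "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "ImageSigner": "Microsoft Corporation", "ImageSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Program Files\Windows Defender\MpClient.dll",
        "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {  # unsigned third-party tool loading its own unsigned DLL: not side-loading
        "Image": r"C:\Users\victim\Downloads\tool\vendor.exe",
        "ImageSigner": "", "ImageSignatureStatus": "Unavailable",
        "ImageLoaded": r"C:\Users\victim\Downloads\tool\vendor.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {  # trusted host in its proper directory pulling an unsigned DLL from Temp
        "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "ImageSigner": "Microsoft Corporation", "ImageSignatureStatus": "Valid",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]


def under_protected_root(path):
    """True when the path is at or below one of the assumed protected roots."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in PROTECTED_ROOTS)


def microsoft_signed(signer, status):
    """Valid chain plus a Microsoft signer name. The name alone is not proof."""
    return status == "Valid" and signer.startswith("Microsoft")


def classify(ev):
    """Return the list of reasons an image-load event looks like side-loading."""
    host = PureWindowsPath(ev["Image"])
    module = PureWindowsPath(ev["ImageLoaded"])
    host_trusted = microsoft_signed(ev["ImageSigner"], ev["ImageSignatureStatus"])
    module_trusted = (ev["Signed"] == "true"
                      and microsoft_signed(ev["Signature"], ev["SignatureStatus"]))
    # Side-loading abuses a trusted host; unsigned hosts belong to other rules.
    if not host_trusted or module_trusted:
        return []
    reasons = []
    if module.parent == host.parent:
        reasons.append("untrusted-dll-from-host-dir")
    if not under_protected_root(module):
        reasons.append("untrusted-dll-from-user-writable-dir")
    if not under_protected_root(host):
        reasons.append("ms-signed-host-outside-protected-dir")
    return reasons


def hunt(events):
    """Return (host, module, reasons) for every event that trips a rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], ev["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for host, module, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}\n  loaded {module}\n  {', '.join(reasons)}")
```

The first sample event fires all three rules and is the classic side-load; the last fires only the writable-directory rule, which is the weaker search-order-hijack shape. Matching the signer by name is a convenience for the demo: in production, pin on SignatureStatus being Valid and on the certificate chain, since a subject string can say anything.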

The spread of victim sectors looks opportunistic: KongTuke casts a wide net and then works out which compromised organizations can be monetized, rather than selecting targets up front. Notably, ModeloRAT intrusions have in some cases ended in the deployment of Qilin ransomware.

KongTuke operates a traffic distribution system (TDS) built on compromised WordPress sites, which serve rotating lures that steer visitors toward malware. More recent intrusions have started instead with Microsoft Teams messages from accounts posing as IT support, an entry point that has led to the deployment of ModeloRAT.

The emergence of Mistic shows KongTuke investing in custom tooling built to evade detection, which raises the bar for defenders. The chain described here does, however, give defenders concrete places to look: commands that users run from browser "fix" prompts or Teams messages, outbound DNS lookups that carry payloads rather than addresses, and signed Microsoft binaries loading DLLs from directories they do not belong in.