How the Attack Works
A newly discovered backdoor, tracked as MLTBackdoor, is being delivered through a multi-stage attack chain that begins on an automotive-related web page. The infection starts when a visitor encounters a ClickFix lure: a fake prompt that tricks the user into copying a malicious command and running it themselves. Once executed, the command silently downloads a compressed archive whose contents decrypt a hidden payload and establish the backdoor on the host.
Zscaler ThreatLabz researchers, who identified the malware in May 2026, report that the attackers abuse a legitimate Microsoft Defender executable, mpextms.exe, to sideload the backdoor: the trusted binary is dropped next to a malicious DLL and loads it from its own directory. Because the running process is a genuine Microsoft file, basic security tools that judge by the executable's name or signature see nothing unusual. The downloaded archive contains two files, data.bin and endpointdlp.dll. When mpextms.exe loads endpointdlp.dll, the DLL decrypts the RC4-encrypted data.bin to recover the second-stage payload. Since RC4 is a symmetric cipher, the key must be available to the DLL, so an analyst holding both files can usually recover the payload statically.
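The sideloading pattern described above (a Defender binary executed from a user-writable directory, then loading endpointdlp.dll from that same directory) is a concrete thing a detection engineer can hunt for. The script below is an added example written for this page, not code from the article or from Zscaler; the Sysmon-style event records, the field names, and the list of directories where a genuine Defender platform binary is expected to live are all constructed assumptions for the example.

```python
"""
Flag mpextms.exe running outside its expected install path and loading
endpointdlp.dll from its own directory (DLL sideloading). Added example;
events are constructed to mimic Sysmon process-create (EventID 1) and
image-load (EventID 7) records and are not real telemetry.
"""
from pathlib import PureWindowsPath

# Assumption for this example: where a real Defender platform binary should live.
TRUSTED_PARENTS = (
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\program files\windows defender",
)
LOLBIN = "mpextms.exe"              # legitimate Defender host named in the article
SIDELOADED_DLL = "endpointdlp.dll"  # malicious DLL shipped in the archive

# Constructed sample events: one sideloading chain (pid 4120) and one benign run
# of the genuine binary from its install path (pid 5200).
EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\Temp\cars\mpextms.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\Temp\cars\mpextms.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\cars\endpointdlp.dll"},
    {"EventID": 1, "ProcessId": 5200,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1\MpExtMs.exe"},
    {"EventID": 7, "ProcessId": 5200,
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.1\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def _norm(path):
    """Lower-cased, backslash-normalised Windows path string (case-insensitive FS)."""
    return str(PureWindowsPath(path)).lower()


def is_unexpected_location(image):
    """True when the image is mpextms.exe but not under a trusted Defender directory."""
    p = PureWindowsPath(_norm(image))
    return p.name == LOLBIN and not any(str(p).startswith(t) for t in TRUSTED_PARENTS)


def find_sideload_candidates(events):
    """Return (pid, exe_path, dll_path) for each relocated mpextms.exe that loads
    endpointdlp.dll from the directory it was launched from."""
    exe_by_pid = {e["ProcessId"]: e["Image"] for e in events
                  if e["EventID"] == 1 and is_unexpected_location(e["Image"])}
    hits = []
    for e in events:
        if e["EventID"] != 7 or e["ProcessId"] not in exe_by_pid:
            continue
        dll = PureWindowsPath(_norm(e["ImageLoaded"]))
        exe_dir = PureWindowsPath(_norm(exe_by_pid[e["ProcessId"]])).parent
        # Sideloading requires the DLL to sit beside the trusted executable.
        if dll.name == SIDELOADED_DLL and dll.parent == exe_dir:
            hits.append((e["ProcessId"], exe_by_pid[e["ProcessId"]], e["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for pid, exe, dll in find_sideload_candidates(EVENTS):
        print(f"[!] pid {pid}: {exe} sideloaded {dll}")
```

In a real environment the same logic maps onto an EDR or SIEM query: process name equals mpextms.exe, image path not under the Defender platform directories, joined to an image-load of endpointdlp.dll sharing the executable's directory. Matching on the loaded DLL rather than the archive name is deliberate, since the archive is gone by the time the process runs.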
Advanced Evasion Techniques
MLTBackdoor employs several evasion methods aimed at analysis as much as at detection. Roughly 95% of its code consists of junk arithmetic that never influences the program's result and exists only to bury the real logic and slow down analysts. The malware also uses control-flow flattening, which rewrites each function so that its basic blocks become cases of a single dispatcher loop driven by a state variable; the original branch and loop structure disappears from the decompiled output, making the code far harder to reverse engineer.
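To make the two obfuscations concrete, here is an added example (written for this page, not code from the sample or from Zscaler) showing one small function in its readable form and then the same function after control-flow flattening, padded with the kind of result-neutral arithmetic the article describes. The state constants and the junk constants are arbitrary choices for the illustration.

```python
"""
Control-flow flattening plus junk arithmetic, illustrated on a toy function.
Added example; not the malware's code. Both functions compute the number of
Collatz steps needed to reach 1.
"""


def plain(n):
    """Reference implementation, written the readable way."""
    steps = 0
    while n != 1:
        if n % 2 == 0:
            n //= 2
        else:
            n = 3 * n + 1
        steps += 1
    return steps


def flattened(n):
    """Same function after flattening: every basic block is a case of one
    dispatcher loop, and the next block is selected through a state variable.
    The 'k' updates are junk arithmetic; they never influence the result."""
    steps, state = 0, 0x1A
    k = 0x9E3779B9
    while True:
        # Junk: a 32-bit LCG step whose value is never used for control or data.
        k = (k * 0x5BD1E995 + 0x27D4EB2F) & 0xFFFFFFFF
        if state == 0x1A:            # loop header: is n != 1 ?
            state = 0x2B if n != 1 else 0x5E
        elif state == 0x2B:          # parity test
            state = 0x3C if n % 2 == 0 else 0x4D
        elif state == 0x3C:          # even branch
            n //= 2
            state = 0x6F
        elif state == 0x4D:          # odd branch
            n = 3 * n + 1
            state = 0x6F
        elif state == 0x6F:          # merge block: steps += 1, back to header
            steps += (k ^ k) + 1     # opaque identity: k ^ k is always 0
            state = 0x1A
        elif state == 0x5E:          # exit block
            return steps


if __name__ == "__main__":
    print(plain(27), flattened(27))
```

A decompiler shows the flattened version as one loop over a switch, so the analyst must reconstruct the real control-flow graph by tracing how the state variable is assigned in each case; when 95% of each case is junk like the `k` line, that tracing is what consumes the time.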
In addition, the backdoor includes a domain generation algorithm (DGA) that derives a new command-and-control domain each day. Even if defenders take down or sinkhole the current domain, the malware simply resolves the next day's domain and carries on. The flip side is that once the algorithm and its seed are recovered from the sample, defenders can precompute future domains and block or register them ahead of the attacker. Zscaler assesses that the threat is likely operated by a ransomware-related actor to establish a strong foothold before moving laterally across a victim's network.
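The article does not publish MLTBackdoor's actual DGA, so the following is an added example with a hypothetical date-seeded algorithm of the same shape (one domain per calendar day), written for this page and not taken from the sample or from Zscaler. The seed, label length and TLD set are all assumptions. It shows the defender's side of the problem: precomputing the next month of domains and matching DNS query logs against them.

```python
"""
Hypothetical daily DGA and the defender-side precompute/match it enables.
Added example; the algorithm and seed are assumptions, not the real sample's.
"""
import hashlib
from datetime import date, timedelta

SEED = b"mltbackdoor-example-seed"   # assumption: not the real sample's seed
TLDS = ("com", "net", "org")         # assumption: illustrative TLD set


def dga_domain(day, seed=SEED):
    """One domain per calendar day: hash(seed || ISO date) -> 12-letter label + TLD."""
    digest = hashlib.sha256(seed + day.isoformat().encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"


def upcoming_domains(start, days, seed=SEED):
    """Precompute the domains the implant will try from `start` for `days` days."""
    return [dga_domain(start + timedelta(days=i), seed) for i in range(days)]


def flag_dga_queries(queries, start, days, seed=SEED):
    """Return the queried names that fall inside the precomputed DGA window."""
    known = set(upcoming_domains(start, days, seed))
    return [q for q in queries if q.lower().rstrip(".") in known]


# Constructed DNS query log (not real traffic); the second entry is what the
# implant would resolve on 2026-05-02 under this hypothetical algorithm.
SAMPLE_QUERIES = [
    "www.example.com",
    dga_domain(date(2026, 5, 2)),
    "update.microsoft.com",
]

if __name__ == "__main__":
    for d in upcoming_domains(date(2026, 5, 1), 3):
        print("blocklist:", d)
    print("flagged:", flag_dga_queries(SAMPLE_QUERIES, date(2026, 5, 1), 30))
```

Two practical caveats: a DGA that seeds only on the date is fully predictable once reversed, so a blocklist generated this way stays valid until the operator changes the seed, and because the implant's clock drives the schedule, a sinkhole should cover a few days on either side of the current date to catch hosts with skewed time.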
Source: Cyber Security News
