Security researchers have identified a new Windows backdoor known as Mistic being deployed in targeted intrusions against organizations in the insurance, education, IT, and professional services sectors. The malware is associated with KongTuke (also tracked as Woodgnat), an initial access broker active since at least 2024 that specializes in compromising corporate environments and selling access to ransomware groups.
According to Symantec and Zscaler researchers, Mistic has been observed in active attacks since at least April 2026 and is often deployed after earlier-stage backdoors such as ModeloRAT. The infection chain typically begins through social engineering campaigns, including Microsoft Teams-based lures, and uses DLL sideloading techniques to execute malicious payloads under the guise of legitimate system binaries. In at least one observed case, attackers launched a trusted executable that loaded a malicious DLL acting as the Mistic backdoor loader, reinforcing its focus on stealth and blending into normal system activity.
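As an added defender-side illustration of the DLL sideloading pattern described above (example code, not the researchers' or the article's), the rule below flags Sysmon-style ImageLoad records in which a system-named DLL is mapped from outside the system directory without a valid signature. The DLL names, paths, and records are constructed and "trusted.exe" is a placeholder, not a binary named by the page.

```python
"""Flag DLL sideloading candidates in Sysmon-style ImageLoad (Event ID 7) records.
Sideloading abuses the loader search order: a trusted executable finds an
attacker-placed DLL in its own directory before the genuine copy under System32.
All names, paths and records below are constructed, not real telemetry."""
import ntpath
from dataclasses import dataclass

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Constructed reference set of DLL names that normally resolve to the system
# directory; a real deployment would derive it from a clean golden image.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "winhttp.dll", "cryptsp.dll"}

@dataclass(frozen=True)
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # DLL path that was mapped
    signed: bool           # Sysmon "Signed" field
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid", "Unavailable"

def is_sideload_candidate(ev: ImageLoad) -> bool:
    dll_dir, dll_name = ntpath.split(ev.image_loaded.lower())
    if dll_name not in SYSTEM_DLL_NAMES or dll_dir in SYSTEM_DIRS:
        return False  # unknown DLL, or the genuine copy from the system dir
    # A system-named DLL outside the system directory is suspicious; a missing
    # or invalid signature is what separates a planted file from a vendor's
    # legitimately redistributed, still-signed copy.
    return not ev.signed or ev.signature_status != "Valid"

def triage(events: list[ImageLoad]) -> list[tuple[str, str]]:
    """Return (process, dll) pairs worth an analyst's attention."""
    return [(e.image, e.image_loaded) for e in events if is_sideload_candidate(e)]

# Constructed sample records; "trusted.exe" stands in for a legitimately
# signed binary copied next to a malicious version.dll.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\Public\update\trusted.exe",
              r"C:\Users\Public\update\version.dll", False, "Unavailable"),
    ImageLoad(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\version.dll", True, "Valid"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\dbghelp.dll", True, "Valid"),
    ImageLoad(r"C:\Users\Public\tool.exe",
              r"C:\Users\Public\helper.dll", False, "Unavailable"),
]

if __name__ == "__main__":
    for proc, dll in triage(SAMPLE_EVENTS):
        print(f"sideload candidate: {proc} loaded {dll}")
```

Only the first record is flagged: the signed vendor copy of dbghelp.dll and the non-system helper.dll are left for other rules, which keeps this check narrow enough to run over high-volume image-load telemetry.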
Once installed, Mistic establishes communication with a command-and-control (C2) infrastructure and enables attackers to maintain long-term access to compromised systems. Its capabilities include file manipulation, remote command execution, scheduling adjustments for C2 check-ins, and in-memory execution of arbitrary code. Researchers note that the malware also includes a self-deletion capability, allowing operators to remove traces of its presence when needed, further complicating forensic detection and incident response efforts.
A notable feature of Mistic is its ability to execute payloads entirely in memory and load Beacon Object Files (BOFs), a technique commonly associated with advanced post-exploitation frameworks. This allows attackers to extend functionality dynamically without writing artifacts to disk. Symantec describes these traits as consistent with ransomware-focused intrusion operations that prioritize stealth, persistence, and modular access over immediate disruption.
The emergence of Mistic highlights a broader trend in ransomware ecosystems where initial access brokers increasingly deploy custom-built tools designed for long-term stealth and flexibility rather than commodity malware alone. KongTuke’s activity has also been associated with a broader toolkit ecosystem, including loaders, fake applications, and obfuscated execution environments used to deliver secondary payloads to compromised networks.
Researchers warn that Mistic’s combination of DLL sideloading, in-memory execution, and modular command execution makes it a particularly effective tool for maintaining undetected access, enabling downstream ransomware actors to enter networks already pre-positioned with persistent footholds.
