New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns

New Mistic Backdoor Linked to KongTuke in ClickFix and ModeloRAT Campaigns Ravie LakshmananJun 25, 2026Initial Access Broker / Ransomware A new, stealthy backdoor named Mistic has been deployed as part of suspected financially motivated attacks aimed at multiple organizations spanning insurance, education, IT, and professional services sectors since April 2026. According to Symantec and Carbon Black's Threat Hunter Team, the backdoor, also tracked as MLTBackdoor, is said to be linked to an initial access broker (IAB) named KongTuke (aka 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat), and dropped along with ModeloRAT, a Python remote access trojan (RAT) previously attributed to the group. "The backdoor runs payloads in memory with no file written to disk and includes a kill switch that lets it delete itself, which are features consistent with an operator seeking long-term, low-visibility access," Broadcom's cybersecurity teams said in a report shared with The Hacker News. ModeloRAT was first flagged by Huntress in January 2026 in connection with a variant of a ClickFix campaign dubbed CrashFix, in which the KongTuke actors used a malicious Google Chrome extension masquerading as an ad blocker to intentionally crash a victim's web browser and trick them into running arbitrary commands under the pretext of running a security scan. The malware was also distributed in a different ClickFix campaign that involved running commands carrying out a Domain Name System (DNS) lookup to retrieve the next-stage payload, with Microsoft noting that the attack chain uses DNS as a "lightweight staging or signaling channel." Mistic's use of ClickFix as a delivery vector was highlighted by Zscaler ThreatLabz earlier this month, attributing the activity to a ransomware-related threat actor to establish a foothold for lateral movement. The latest findings from Broadcom show that the malware relies on DLL side-loading techniques, using trusted Microsoft endpoint security tooling ("MpExtMs.exe") to blend in and avoid raising red flags. The backdoor runs directly in memory, enabling a wide range of capabilities typically associated with a malware family of this kind - Upload or download a file Move, rename, or delete a file Create a folder Modify the time interval after which it polls a remote server for commands Execute code received from C2 in memory without leaving any artifacts on disk Load Beacon Object Files (BOFs) to dynamically expand its capabilities Terminate and delete itself "The targeting appears to be opportunistic, with the attackers casting a wide net and then assessing which organizations they could sell access to rather than focusing on a single sector," Symantec and Carbon Black said, adding that ModeloRAT has been observed in attacks that deployed Qilin ransomware. KongTuke is known to operate a traffic distribution system (TDS) built on compromised WordPress sites, using it to serve an ever-evolving set of lures that lead unsuspecting site visitors to malware. As recently as last month, Rapid7 and ReliaQuest revealed that the threat actor has pivoted to sending Microsoft Teams messages from a fake IT Support account to trigger an attack chain that leads to the deployment of ModeloRAT. "The stealth of the backdoor is also notable, as is the fact that Woodgnat is also possibly behind the development of ModeloRAT, indicating a group that is quite highly skilled at the development of stealthy remote access tools," Broadcom said.  "The use of custom tools in ransomware attacks is becoming a more common phenomenon, with multiple examples of ransomware groups using custom exfiltration and other tools in recent times. Backdoor.Mistic appears to be a continuation of this trend, though it appears to be likely developed by access brokers working with ransomware affiliates rather than a ransomware group itself." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  ClickFix, DLL side-loading, Initial Access Broker, Malware, Microsoft Teams, ransomware, WordPress ⚡ Top Stories This Week Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw China-Linked Hackers Backdoored Linux Login Software to Hide for Nearly a Decade Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication New GreatXML Exploit Bypasses Windows BitLocker via Recovery Partition XML Files Anthropic Releases Claude Fable 5, Its Most Powerful AI Yet, With Cyber Safeguards Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now U.S. Orders Anthropic to Suspend Fable 5 and Mythos 5 Access for Foreign Nationals Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Microsoft Patches Record 206 Flaws, Including Three Zero-Days and Critical RCE Bugs ThreatsDay Bulletin: Worm Code Leaked, AI Agent Phished, Claude Code Patch + 28 New Stories Ivanti, Fortinet, and SAP Release Patches for Multiple Critical Vulnerabilities Agentjacking Attack Tricks AI Coding Agents Into Running Malicious Code Cybersecurity Stars Awards 2026: Winners Announced Across 95 Categories Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows ⭐ Featured Resources Have You Outgrown Your MDR? 7 Warning Signs Every CISO Should Check [Watch Demo] See Which Security Gaps Attackers Could Exploit First AI Can’t Stop Every Attack. Learn How Zero Trust Can Block What’s Unknown Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale