The Backdoor Deletes Itself and Hides Inside a Microsoft Defender Binary. Mistic Is the Access Broker's New Front Door.
- Patrick Duggan
The interesting malware story this week is not a ransomware brand. It is the thing that gets sold to the ransomware brands.
A newly documented backdoor called Mistic — also tracked as MLTBackdoor — has been landing in financially motivated intrusions since April 2026, hitting insurance, education, IT, and professional-services organizations. It does not encrypt anything. It does not steal a database and run. It does one job extremely well: establish durable, low-visibility remote access, and hold it until that access is worth selling.
Built to Not Be Found
Three design choices tell you exactly what this operator wants.
First, it runs in memory. The payload executes with no file written to disk, which defeats the entire class of detection that looks for malicious files at rest.
Second, it hides inside trust. Mistic uses DLL side-loading against MpExtMs.exe — a legitimate Microsoft endpoint-security binary. When a defender's tooling sees that process, it sees Microsoft's own security executable doing something, and the malicious DLL rides along inside it. You are using the immune system as a hiding place.
Third, it has a kill switch. On command, Mistic deletes itself and leaves. That is not a feature you build for a smash-and-grab. That is a feature you build when your business model depends on the victim never knowing you were there, because you are going to sell the address to someone else.
Alongside Mistic, the operators drop ModeloRAT, a Python remote access trojan that gives them hands-on control once the foothold is set.
KongTuke Is the Name That Matters
Mistic is linked to an initial access broker tracked as KongTuke — and that name comes with a pile of aliases: 404 TDS, Chaya_002, LandUpdate808, TAG-124, and Woodgnat. If LandUpdate808 sounds familiar to readers here, it should. That is the same traffic-distribution-system lineage behind the ClickFix and fake-update lures we have been documenting all spring, including the ClearFake distribution rebuild we caught left-of-boom in May.
An initial access broker is the wholesaler of the ransomware economy. KongTuke's goal is not to deploy the ransomware. It is to get a durable foothold inside an enterprise, confirm the access is real and high-value, and auction it to whichever affiliate pays. KongTuke has previously been tied to intrusions ending in Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Six different ransomware brands, one front door.
The targeting is opportunistic by design. They cast a wide net, get in wherever they can, then assess which footholds are worth money. The victim sector is almost an accident — what gets sold is whoever happened to click.
Why This Fits Everything We Keep Saying
We have a standing frame here: defend the door, not the actor. When six unrelated ransomware crews all buy from the same broker, chasing the ransomware brand is chasing the buyer. The thing that actually compromised the enterprise was KongTuke's foothold, and that foothold arrived through a fake-update lure and a memory-resident backdoor wearing a Microsoft binary as a costume.
It also fits our read on how capability moves down-market. A self-deleting, in-memory, sideloaded backdoor with a clean kill switch is tradecraft that used to be the province of named nation-state crews. It is now the standard product of a commercial access broker selling by the foothold. The technique got acquired, not refined — packaged and sold.
For defenders, the actionable pieces: hunt for MpExtMs.exe loading unsigned or unexpected DLLs from non-standard paths. Treat Python interpreters spawning on servers that have no business running Python as a lead. And take ClickFix-style "paste this to fix your browser" lures seriously as an enterprise initial-access vector, not a consumer nuisance — that is the doorway this broker keeps walking through.
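One way to run those two hunts over endpoint telemetry, as an added example that is not part of the original post or any vendor's tooling: it scans constructed Sysmon-style image-load and process-create records, flags MpExtMs.exe loading a DLL that is unsigned, not Microsoft-signed, or outside the expected Defender directories, and flags Python interpreters starting on hosts tagged as servers. The EXPECTED_DLL_DIRS list and the HostRole enrichment field are assumptions to tune per environment.

```python
"""Hunt helpers for the Mistic side-loading pattern over Sysmon-style events.
Sample records below are constructed, not real telemetry. Field names follow
Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate); HostRole is an
assumed enrichment tag added by the SIEM, not a Sysmon field."""

# Assumed: directories from which the Defender platform is expected to load DLLs.
EXPECTED_DLL_DIRS = (
    r"c:\windows\system32",
    r"c:\program files\windows defender",
    r"c:\programdata\microsoft\windows defender\platform",
)

def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]

def is_suspicious_sideload(ev: dict) -> bool:
    """Flag MpExtMs.exe loading a DLL that is unsigned, not Microsoft-signed,
    or located outside EXPECTED_DLL_DIRS (any one condition is enough)."""
    if ev.get("EventID") != 7 or _basename(ev.get("Image", "")) != "mpextms.exe":
        return False
    dll = ev.get("ImageLoaded", "").lower()
    in_expected_dir = any(dll.startswith(d + "\\") for d in EXPECTED_DLL_DIRS)
    ms_signed = ev.get("Signed") == "true" and ev.get("Signature", "").startswith("Microsoft")
    return not (in_expected_dir and ms_signed)

def is_unexpected_python(ev: dict) -> bool:
    """Flag a Python interpreter starting on a host tagged as a server."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("Image", "")) in ("python.exe", "pythonw.exe")
            and ev.get("HostRole") == "server")

def hunt(events):
    """Return (sideload_hits, python_hits) for a batch of events."""
    return ([e for e in events if is_suspicious_sideload(e)],
            [e for e in events if is_unexpected_python(e)])

SAMPLE_EVENTS = [  # constructed records; the DLL name is a placeholder
    {"EventID": 7, "Image": r"C:\Program Files\Windows Defender\MpExtMs.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},                                  # benign
    {"EventID": 7, "Image": r"C:\Users\Public\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\Public\payload_placeholder.dll", "Signed": "false",
     "Signature": ""},                                                    # side-load candidate
    {"EventID": 1, "Image": r"C:\Python311\python.exe", "HostRole": "server"},       # lead
    {"EventID": 1, "Image": r"C:\Python311\python.exe", "HostRole": "workstation"},  # ignored
]

if __name__ == "__main__":
    sideloads, pythons = hunt(SAMPLE_EVENTS)
    print(f"{len(sideloads)} side-load candidate(s), {len(pythons)} unexpected Python start(s)")
```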
The ransomware names will keep rotating. The broker is the constant. Watch the broker.
Sources: The Hacker News (new-mistic-backdoor-linked-to-kongtuke), BleepingComputer, The Register, Symantec/Security.com Threat Intelligence (new-mistic-backdoor-modelorat), Help Net Security.
